Overview

overview

10

Static

static

8

invoce No ...23.doc

windows7-x64

10

invoce No ...23.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Yfve.com.zip

  • Size

    656KB

  • Sample

    230321-2bby2sde25

  • MD5

    5a0cb46a6fc2700c4ac08709f50133d6

  • SHA1

    37ba4b256956d67f12ba223bb70f2e521b858f73

  • SHA256

    05a375d786ed166c57bd5b4b3d7aab0f8a3c020621e6d1c93feda5bac92b5fe3

  • SHA512

    ec956a6c235919de9e81e4f3169e2bfbc46f9fefd067d59882d992c10fa6d78991aba0fa6f5af6e2a819a7b39b86fb4e51bceb66052a761ab085f26a5c847fde

  • SSDEEP

    3072:Tv1AaDJWDzyh5I/ndHnM8xEOswT0QXqzdymid3yk/oQCxL:7OaDJW6w/ndHDqO7T0CKymECeoV

Score
10/10
emotetepoch4bankermacromacro_on_actionpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080
eck1.plain
ecs1.plain

Targets

    • Target

      invoce No 301730 03.2023.doc

    • Size

      521.2MB

    • MD5

      afc31854a5b81d139781bb8f5da80dba

    • SHA1

      5c4762423ecd2fdd48573332a6703b2b8cdb5244

    • SHA256

      edd1f76cc33e5df06953a3a01f43250f4024ccaa76dca3a30fc9a589f9de99d3

    • SHA512

      84283e9b92dc45fcfa3646799c9f9f45f00086a201730138e72c8dda0aeb451c19602463d35910c5539745d3c500211952445c802f9ad940524b203fc8f02e48

    • SSDEEP

      3072:OeGZrTwWS6ZL1CkdXDhjaPLW8Nl+U/XqP82gng0o1JiM0rK:gZvNL1BdXNONLq5FarK

    Score
    10/10
    emotetepoch4bankerpersistencetrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks