emotet | bea8c98ae827f7f8985818cf0204c918743230e6ad0d2172ce8e9e5063b427da | Triage

Sharing

General

Target

Xinyang.com.zip
Size

639KB
Sample

230321-3tmzpsdg75
MD5

1e99520cb445d8468859f9544bc9c0bc
SHA1

4e180460a8b53d8d7b759eec21e13933c97997b9
SHA256

bea8c98ae827f7f8985818cf0204c918743230e6ad0d2172ce8e9e5063b427da
SHA512

2f7c003fb44c17d54d07c88788713887704d9f7b00f83727b108adc25e492e8927d2020bf4ff18b89bcd52f97689d0e6af10c02a90850823ad8644989b198928
SSDEEP

3072:jcJ4Y7C2UYBbenRoTwWAvuN9nyEeTHuhluAQ/RrrLZNQxBlGT40F7:4SgC2U4QRfr4nyEsHu7u3rrglb01

Score

10^/10

emotet epoch4 banker macro macro_on_action persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  invoce n 599860 03_2023.doc
- Size
  
  510.2MB
- MD5
  
  316981e4b5eb4abdb7e76e9d9f751519
- SHA1
  
  6d42588c663945cce520e2ff109db9c335505f4c
- SHA256
  
  a9b4c8dc53050cebebfe8fa5f71f98e3fbb4efcfc617835d23b75619261cc0fc
- SHA512
  
  8386d4678cff6f55dfff599b103f2aff4cc6f34bd5936cf92f47cc432051c5205c01180f26ddf1d7f1b84ea8ea03a1eb9e5f0ff8662217aa5a586a0efe050107
- SSDEEP
  
  3072:brrCtKZF4eqZ627NHRxMvOwvzpl+vk6jZc:5F4eqYwHMvfvzpKk6Nc
Score

10^/10

emotet epoch4 banker persistence trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

emotetepoch4bankerpersistencetrojan