Resubmissions

20-07-2023 12:00

230720-n6c8psgh7z 6

20-04-2023 11:47

230420-nyb1nsbf5y 1

22-03-2023 11:13

230322-nbvjhaad5s 10

22-03-2023 11:03

230322-m552nagd53 4

22-03-2023 10:57

230322-m18xraac81 10

22-03-2023 10:56

230322-m132haac8z 1

22-03-2023 10:41

230322-mre83sac4v 10

21-03-2023 21:11

230321-z11ycsfb4x 10

General

  • Target

    e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85

  • Size

    280KB

  • Sample

    230322-mre83sac4v

  • MD5

    b1a10568aa1e4a47ad2aa35788edc0af

  • SHA1

    dd6ba6ae1680e4245f5ecc22ee12a18b9e16db2d

  • SHA256

    e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85

  • SHA512

    9dfd246820c9d705bd54f3118d581063ceadfdae04d0cd047dc66e19d6a5c29fee0195e7a5671854d5c9886a37a83f85d7e5aacd5d8c8df1cfa13384e3fa717e

  • SSDEEP

    3072:e57pvc2vetOepE76wtghUVkJlD1HUjCuitewu4UhKg+jbJDDO7UckjjwQV:u1veXwtVElijRLwuzKg+jb1UkUa

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain
ecs1.plain

Targets

    • Target

      e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85

    • Size

      280KB

    • MD5

      b1a10568aa1e4a47ad2aa35788edc0af

    • SHA1

      dd6ba6ae1680e4245f5ecc22ee12a18b9e16db2d

    • SHA256

      e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85

    • SHA512

      9dfd246820c9d705bd54f3118d581063ceadfdae04d0cd047dc66e19d6a5c29fee0195e7a5671854d5c9886a37a83f85d7e5aacd5d8c8df1cfa13384e3fa717e

    • SSDEEP

      3072:e57pvc2vetOepE76wtghUVkJlD1HUjCuitewu4UhKg+jbJDDO7UckjjwQV:u1veXwtVElijRLwuzKg+jb1UkUa

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks