emotet

General

Target

Invoice_n_AAAA0000000_03-23.one
Size

270KB
Sample

230323-15kmlscd9z
MD5

6ec916a6a9162d09b9816ee90002483e
SHA1

3d7e7e59d98ae1f044179bff8da666f45e1fd3fb
SHA256

254406c0395784e3c070fb982dc6671f12009065de29385c9a0d4e32d01a2b89
SHA512

65936bcd64ab23f7d540faad400b4bb2105ba7f2f4b9e6cf9301e61a6e07e5bcd17e32e889d3280c7a83572d60916227d4ddd5661a56784f6f99b2d1362b1468
SSDEEP

3072:Q25h7OdS2cokRMkxS8qDAHJhorHBsNZqHqbuh7jGMkVh7Ufqjx3RFtDGY6Bbh7le:QH2Zf2gXm5ZGa3vRXm5ZGa3v7

Score

10^/10

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  Invoice_n_AAAA0000000_03-23.one
- Size
  
  270KB
- MD5
  
  6ec916a6a9162d09b9816ee90002483e
- SHA1
  
  3d7e7e59d98ae1f044179bff8da666f45e1fd3fb
- SHA256
  
  254406c0395784e3c070fb982dc6671f12009065de29385c9a0d4e32d01a2b89
- SHA512
  
  65936bcd64ab23f7d540faad400b4bb2105ba7f2f4b9e6cf9301e61a6e07e5bcd17e32e889d3280c7a83572d60916227d4ddd5661a56784f6f99b2d1362b1468
- SSDEEP
  
  3072:Q25h7OdS2cokRMkxS8qDAHJhorHBsNZqHqbuh7jGMkVh7Ufqjx3RFtDGY6Bbh7le:QH2Zf2gXm5ZGa3vRXm5ZGa3v7
Score

10^/10

emotet epoch4 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2