emotet

General

Target

INVOICE00000096752 for Hanwha.one
Size

256KB
Sample

230323-csx56seh7x
MD5

2344e967810c8b202d6bd998a9911083
SHA1

1bfd3ac34cf8723ebadedd95edadd2d13cbb4b29
SHA256

82bf467d5e1f222873695ad23ef1acc82326894eb166f5dd26842e3e12d867cc
SHA512

2925e66e14212b15df02da1104c309dabcdb53b77746081b14cc0defa2f6d5b35f9a6b6f5da15a752353fcb054c1a54f43fa92a2cfb0d16bf0f46d24a1d68b3d
SSDEEP

3072:/mUzUfxJ3mY2IsGllOb3HPWaBt5eHrBwsAzUfxJ3mY2IsGllOb3HPWaBtR:SXm5ZGa3v5eHrBwszXm5ZGa3vR

Score

10^/10

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  INVOICE00000096752 for Hanwha.one
- Size
  
  256KB
- MD5
  
  2344e967810c8b202d6bd998a9911083
- SHA1
  
  1bfd3ac34cf8723ebadedd95edadd2d13cbb4b29
- SHA256
  
  82bf467d5e1f222873695ad23ef1acc82326894eb166f5dd26842e3e12d867cc
- SHA512
  
  2925e66e14212b15df02da1104c309dabcdb53b77746081b14cc0defa2f6d5b35f9a6b6f5da15a752353fcb054c1a54f43fa92a2cfb0d16bf0f46d24a1d68b3d
- SSDEEP
  
  3072:/mUzUfxJ3mY2IsGllOb3HPWaBt5eHrBwsAzUfxJ3mY2IsGllOb3HPWaBtR:SXm5ZGa3v5eHrBwszXm5ZGa3vR
Score

10^/10

emotet epoch4 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2