emotet | a7f83407776ef292dd4bc92eaaef0914d2efe4e0d5949663e58896c8c71a3cf0 | Triage

Sharing

General

Target

Invoice # UK-303840525.zip
Size

647KB
Sample

230323-gxelvaea22
MD5

9dbd992eb0c317d066092969d1da607c
SHA1

0cf3a4e3c71d3e16fb85c5736231889b00c298da
SHA256

a7f83407776ef292dd4bc92eaaef0914d2efe4e0d5949663e58896c8c71a3cf0
SHA512

96c7fc9d0c1fbf92b1a0151a78c2ad4dbfd515b49ae37a0a1090cd6264d577671df00a88ad8fda58b519e365b48b0c1c76804fc43a41442be9968d7a4d9d1c88
SSDEEP

3072:dcJ4Y7C2UYBbenRoTwWAvuN9nyEeTHuhluAQ/RrrLZNQxBlGT40Fj:qSgC2U4QRfr4nyEsHu7u3rrglb0N

Score

10^/10

emotet epoch4 banker macro macro_on_action persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  Invoice # UK-303840525.doc
- Size
  
  518.2MB
- MD5
  
  6ba2b050b62b541abf3bda19abcc29ba
- SHA1
  
  c60776c4b49d8cdf1bf821646570ee53e5704aed
- SHA256
  
  109cbf26b9b5a08892fa9e23cc5685b5ca7c3d21a433771b22b3d385d425dc88
- SHA512
  
  35c9750958858329dace223c0ab7cce33d6ac7cd9e592e926718e5c438193e177b53780d60def0ac180e0c9adb5512d6023e0f93abc809aa5149c9954485272b
- SSDEEP
  
  3072:brrCtKZF4eqZ627NHRxMvOwvzpl+vk6jZc:5F4eqYwHMvfvzpKk6Nc
Score

10^/10

emotet epoch4 banker persistence trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

emotetepoch4bankerpersistencetrojan