Overview

overview

10

Static

static

1

INVOICE No...23.one

windows7-x64

10

INVOICE No...23.one

windows10-2004-x64

10

Resubmissions

23-03-2023 12:55

230323-p53bwafg49 10

22-03-2023 20:00

230322-yq59naba39 4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INVOICE No L56 22 March 2023.one

  • Size

    261KB

  • Sample

    230323-p53bwafg49

  • MD5

    01cbd13497b0e8c64a9637a95b192226

  • SHA1

    c0c56e8bb2c7289d90f318641840f8a07f250387

  • SHA256

    0e98ef27ae09b6e3a7cf7f2ecb6b08ffa3b1a174eca5ee5ceb8ab8589c858a8f

  • SHA512

    d2c80657362c5e3753e67ebb587ddd4c8a02f95137badb3b501e8b70b32fdb7b4917fa724f3907d486128408bd1f8c92e15cac0c7cbd67bc967a7635e127078e

  • SSDEEP

    3072:xXzeHrBwsHzUfxJ3mY2IsGllOb3HPWaBtOzUfxJ3mY2IsGllOb3HPWaBtuXK:FeHrBwsYXm5ZGa3vRXm5ZGa3vX

Score
10/10
emotetepoch4bankerpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080
eck1.plain
ecs1.plain

Targets

    • Target

      INVOICE No L56 22 March 2023.one

    • Size

      261KB

    • MD5

      01cbd13497b0e8c64a9637a95b192226

    • SHA1

      c0c56e8bb2c7289d90f318641840f8a07f250387

    • SHA256

      0e98ef27ae09b6e3a7cf7f2ecb6b08ffa3b1a174eca5ee5ceb8ab8589c858a8f

    • SHA512

      d2c80657362c5e3753e67ebb587ddd4c8a02f95137badb3b501e8b70b32fdb7b4917fa724f3907d486128408bd1f8c92e15cac0c7cbd67bc967a7635e127078e

    • SSDEEP

      3072:xXzeHrBwsHzUfxJ3mY2IsGllOb3HPWaBtOzUfxJ3mY2IsGllOb3HPWaBtuXK:FeHrBwsYXm5ZGa3vRXm5ZGa3vX

    Score
    10/10
    emotetepoch4bankertrojanpersistence

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks