Overview

overview

10

Static

static

1

info_0.one

windows10-2004-x64

10

info_0.one

macos-10.15-amd64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    230323-klg5dage5z_pw_infected.zip

  • Size

    154KB

  • Sample

    230323-xm1z4abe4s

  • MD5

    f5ebcd2bd568864836e7041b38a33af3

  • SHA1

    f79f5393c4188410cfd1406014b6010045c33910

  • SHA256

    166de69117f9c6cffd72e28bb17cfb4716e59e3cb9ce3f517a4889e4068a31cf

  • SHA512

    b031c8df84a1ea73bc3b45157787184b540b02c0bf1e86b4dadf51eaad9ddfe7e2311b96cb01b39010c9fd3d740960eba17c121d3a6f95434c5940da249caa21

  • SSDEEP

    3072:kwX5D+0Hxsrh4RJViuPoGEuMR3ekDWGUnWPpSaKQDXFiIvBk7EE:lX5hHGrhIDiuA9uM44vUnbQDXFNvBk7n

Score
10/10
emotetepoch4bankermacospersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080
eck1.plain
ecs1.plain

Targets

    • Target

      info_0.one

    • Size

      261KB

    • MD5

      9933577fa741233071f0714d7fbffbff

    • SHA1

      ebd87f765c4e82c02a6cdd590b74a322f8457450

    • SHA256

      8fd4f59a30ef77ddf94cfb61d50212c8604316634c26e2bd0849494cba8da1af

    • SHA512

      a840f6806a5dfedfdd2b7504748edb2e5dca171bb4cba2e69850a30bb5d0389abe2259c87cbdf91a6e3d844f02baedb0aaf1ceefc388ebd806f2928fc0064630

    • SSDEEP

      3072:xXzeHrBwsHzUfxJ3mY2IsGllOb3HPWaBtOzUfxJ3mY2IsGllOb3HPWaBtuXj:FeHrBwsYXm5ZGa3vRXm5ZGa3v2

    Score
    10/10
    emotetepoch4bankerpersistencetrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks