Overview

overview

10

Static

static

3

o.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    o.exe

  • Size

    721KB

  • Sample

    240413-vc2sjahh81

  • MD5

    d018f62bc7327a4478dcfee81ef90915

  • SHA1

    02f2321c9fc95cece7ce7a52fa011a36ca4d3723

  • SHA256

    0e9481c12bfec4c619ab2e8dc7de6d5a9cb0fcf697b5dc74b44480234860ca44

  • SHA512

    f47942084421e7163c9cd4309756ee05d70d61d08065c6761b888199f10d2a06377db5176208fe00a858683400dff05af84d8462e5c7d905ba24b8affbc936ea

  • SSDEEP

    12288:JohaNOwHEIOd0FTSpkP2WUxCj2AqeMQmzFTSpkP2znXrn:JoA6d0FTSpkPruGKFzFTSpkPOnX

Score
10/10
emotettofseeepoch1bankerbootkitevasionmacropersistencetrojanxlm

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Extracted

Family

emotet

Botnet

Epoch1

C2

78.206.229.130:80

70.39.251.94:8080

87.230.25.43:8080

94.23.62.116:8080

137.74.106.111:7080

76.121.199.225:80

177.73.0.98:443

152.169.22.67:80

174.118.202.24:443

168.197.45.36:80

181.123.6.86:80

12.162.84.2:8080

191.182.6.118:80

177.23.7.151:80

2.84.12.98:80

213.197.182.158:8080

170.81.48.2:80

79.118.74.90:80

109.101.137.162:8080

111.67.12.221:8080
rsa_pubkey.plain

Targets

    • Target

      o.exe

    • Size

      721KB

    • MD5

      d018f62bc7327a4478dcfee81ef90915

    • SHA1

      02f2321c9fc95cece7ce7a52fa011a36ca4d3723

    • SHA256

      0e9481c12bfec4c619ab2e8dc7de6d5a9cb0fcf697b5dc74b44480234860ca44

    • SHA512

      f47942084421e7163c9cd4309756ee05d70d61d08065c6761b888199f10d2a06377db5176208fe00a858683400dff05af84d8462e5c7d905ba24b8affbc936ea

    • SSDEEP

      12288:JohaNOwHEIOd0FTSpkP2WUxCj2AqeMQmzFTSpkP2znXrn:JoA6d0FTSpkPruGKFzFTSpkPOnX

    Score
    10/10
    emotettofseeepoch1bankerbootkitevasionmacropersistencetrojanxlm

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks