Extracted

Extracted

• • Target

    o.exe

  • Size

    721KB

  • MD5

    d018f62bc7327a4478dcfee81ef90915

  • SHA1

    02f2321c9fc95cece7ce7a52fa011a36ca4d3723

  • SHA256

    0e9481c12bfec4c619ab2e8dc7de6d5a9cb0fcf697b5dc74b44480234860ca44

  • SHA512

    f47942084421e7163c9cd4309756ee05d70d61d08065c6761b888199f10d2a06377db5176208fe00a858683400dff05af84d8462e5c7d905ba24b8affbc936ea

  • SSDEEP

    12288:JohaNOwHEIOd0FTSpkP2WUxCj2AqeMQmzFTSpkP2znXrn:JoA6d0FTSpkPruGKFzFTSpkPOnX

  Score

  10^/10

  emotettofseeepoch1bankerbootkitevasionmacropersistencetrojanxlm

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Emotet payload

    Detects Emotet payload in memory.

    trojanbanker

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Suspicious Office macro

    Office document equipped with 4.0 macros.

    macroxlm

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1