General

  • Target

    975ec4a6250960b45606ce9c155560c3283a3df4ffab69ec81f8cabdbc714b0e

  • Size

    7.0MB

  • Sample

    240923-pc3f6swdkq

  • MD5

    5d38df343650fc8ffb48fd7b2d9ab480

  • SHA1

    6dc3380f3952d06e446a10819a17196366221f1c

  • SHA256

    975ec4a6250960b45606ce9c155560c3283a3df4ffab69ec81f8cabdbc714b0e

  • SHA512

    202f2e6920d09c946408ac19922797a8cebda81417d82b5085a2d5be17b857d215d8ab29bbee4619c18657242f75059796cc4f59c07f07fd145ea722867a8acf

  • SSDEEP

    196608:MSm1UwXO5KKD++70lt0qpFalPd1ULrE+B8hBEAYJJn6UOmp:y1U5KKD+jjRpFMArE+ByErJJn6UO6

Malware Config

Extracted

Family

agenttesla

Credentials

C2

https://api.telegram.org/bot5009732133:AAFwMXIJpYDoCsKxNrSeGLfpeTo8-WB2wh8/sendDocument

Extracted

Family

emotet

C2

5.189.160.61:443

94.177.178.26:8080

202.29.239.162:443

54.38.143.246:7080

119.59.125.140:8080

185.148.168.15:8080

188.166.229.148:443

2.58.16.87:8080

104.131.62.48:8080

103.82.248.59:7080

37.59.209.141:8080

103.133.214.242:8080

195.77.239.39:8080

128.199.192.135:8080

78.47.204.80:443

59.148.253.194:443

87.106.97.83:7080

45.71.195.104:8080

85.214.67.203:8080

139.196.72.155:8080

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

181.165.68.127:80

49.205.182.134:80

190.251.200.206:80

139.59.60.244:8080

119.59.116.21:8080

89.216.122.92:80

185.94.252.104:443

70.92.118.112:80

78.24.219.147:8080

173.70.61.180:80

87.106.139.101:8080

66.57.108.14:443

24.179.13.119:80

121.124.124.40:7080

61.19.246.238:443

200.116.145.225:443

93.146.48.84:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch5

C2

5.189.160.61:443

94.177.178.26:8080

202.29.239.162:443

54.38.143.246:7080

119.59.125.140:8080

185.148.168.15:8080

188.166.229.148:443

2.58.16.87:8080

104.131.62.48:8080

103.82.248.59:7080

37.59.209.141:8080

103.133.214.242:8080

195.77.239.39:8080

128.199.192.135:8080

78.47.204.80:443

59.148.253.194:443

87.106.97.83:7080

45.71.195.104:8080

85.214.67.203:8080

139.196.72.155:8080

eck1.plain
ecs1.plain

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080

eck1.plain
ecs1.plain

Targets

    • Target

      0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0.dll

    • Size

      225KB

    • MD5

      72ba727d7441954ecaefd9732d12a36c

    • SHA1

      ab291a932bcc1c74231a7a7fda74017956927f37

    • SHA256

      0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0

    • SHA512

      8080baf789cfcf2edd481e581c4cd174340b36a159707c21506693085f70b60c82207af9e778468106734ebeba83f647b49805712eefbb50056ad6860aa36ac8

    • SSDEEP

      3072:gjm1AMcU4GexYvBitvoAjwD0ggLSnWz/E75oNzbmC9LLxvNDrHj2YuG2TaB:R18UNe66vo1D0cEe5QiC9XxvNDLTu

    Score
    3/10

    • Target

      933511776c5c34172b315807d11ecdd0c802f94492cace5c7127d1ddf47b2c82

    • Size

      735KB

    • MD5

      14e8fc68273e3cc5377ea8efd0230273

    • SHA1

      49069bf64828b11730c36f112fde9131c3c86a63

    • SHA256

      933511776c5c34172b315807d11ecdd0c802f94492cace5c7127d1ddf47b2c82

    • SHA512

      6cbf4d197b8fabfccbfb516acd4c11cb23934c3606e8ade1cfcf3845e2748405fb3b2d2012ad052607e4e959aea2bc75365ee9d8ca2bba7d1f4e1074ca35568a

    • SSDEEP

      12288:agvTeqrCeX329Soy/O+TCJJU2QyDqXkkpodzR6TqKCKDeS:tviEdX3Y7GTCRhukkpbqUx

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Target

      62bc8624b6ed645ddbe1420ca67376863c88e58e347fc8282001a2b9e3330918

    • Size

      574KB

    • MD5

      00fe3f2a77b6bb57385d403411d45e39

    • SHA1

      ad101cb7eab390ed45ec84294da65059aa2fde70

    • SHA256

      62bc8624b6ed645ddbe1420ca67376863c88e58e347fc8282001a2b9e3330918

    • SHA512

      b7fedd8e92b2569130df1faa8cfd5736d457c98991d0a14ce059e05b37bea79e36cd970d06510b4397c08333737d166c8e7121c037713e35fd5fabe53290aa13

    • SSDEEP

      12288:YmEUG3Ap0FzZL2gSOfVxTaSaSehhjtrS2KlP:Yrp3E0FzZDSm3W+IU

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      bea9fc669319cd16df759974397e79c05e7565e75ca7c052af346e08b5f1d13a.exe

    • Size

      216KB

    • MD5

      f491169c61e8aa6cfa83e00c3f7e85e2

    • SHA1

      91b843f4747ae0a97f83b6cba7f329f6a1503928

    • SHA256

      bea9fc669319cd16df759974397e79c05e7565e75ca7c052af346e08b5f1d13a

    • SHA512

      e0c2a061404f9d0333c62366e6974445eb6349f6a900b5c7fe40fa9c6f74c94637f2ca0bc9fc03dfed7b654312dfc89b5f92602caf9699f0b22ed28ae9f0ea8d

    • SSDEEP

      3072:7GWebH9OGNKb/ApyjbFSHZUsSeiMeK++koKcqIQKUsWlB32wufpxSkVPs6v9cwxe:7ejpyjA5UbMX+n7O/Wld23dzopTk

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Target

      emotet_exe_e5_53d5a86b1cb032154775e725ed728ba4bd819d40f3a541744661fcbd4d702319_2022-04-19__000144._exe

    • Size

      1004KB

    • MD5

      4af826422ed9b2cc498c34a52eee464e

    • SHA1

      b91c6461240eb02acfbf747af5836823996c3aae

    • SHA256

      a895a16793403c5df0710672bfaa69b0f096742b6b826bbe80040f23846dc202

    • SHA512

      b0333004374595d8b720c96e2490dae6e89a45d30b64cf3afa17b04fed2705a914222e6905fd3ad16115a4a03f4c4603e3e4a3ba2d4a6e4da112cfc6843af19d

    • SSDEEP

      12288:6caLILOJcC7Mx3NFvVP9orVD2dotpdLRKN5tFjNRLU:6caLIqJcxF9WrVD2kpdobLU

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      3ec811757abece5eeb8d73fce8770390b5714b16e075c2558de050205cd8c8e9.exe

    • Size

      500KB

    • MD5

      34f89cd2763bdd24f013b61db2464f2b

    • SHA1

      5ed1562833b1b71e9a260a338fcdcee38adaf67e

    • SHA256

      3ec811757abece5eeb8d73fce8770390b5714b16e075c2558de050205cd8c8e9

    • SHA512

      72afdb1d68e759965627a979791c6705f0db6ac0ca8e901b04e9b8b6b3f1a4a47fe2454c177d53880823b597cbd2955f381912ac9c7d4259d973c0cf2f090151

    • SSDEEP

      12288:c1P4SvDv8qRp8prpcHgcbR1nO/O3tw+i2hh:c1b/HXbRexg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      57800373ef6281de3f09ea995703c2307c548717622244573a76e843a9c7b115

    • Size

      133KB

    • MD5

      f946be853b2174b95b27788effbabefc

    • SHA1

      bb7b83482afb93ce683186d42f665f0c3e27de35

    • SHA256

      57800373ef6281de3f09ea995703c2307c548717622244573a76e843a9c7b115

    • SHA512

      6bb01a0ee788ae4573350b5db80cee321254427544cdd89fd2f6fea66e402e8ab12bbb6e5e6f5400c44a48790885f2eed0875bff2db6efedc9f767481b6774f5

    • SSDEEP

      3072:vvQzFb+gUTFYRK9idY3U6n/ki/iD0OZ/+psw/1:vvQJbzawK9iK3//kiqD0oGpsw/1

    Score
    3/10

    • Target

      61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin

    • Size

      124KB

    • MD5

      6c69bc006e9006849d4041f93806fb96

    • SHA1

      57c70a4a5dea8e77cd4c412f8a6c997872a1a379

    • SHA256

      61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9

    • SHA512

      b8c5e2ba08b676b34de2d3e9d1fa09fcabfc7189c3261cde4f035389a297b78f40fcc64a002d09af606e349281e9be340b53ba93f321dee92a341f30d6396bad

    • SSDEEP

      3072:/u5tHNpD8QLG/qDhOabqFFgVEOJe2rYUWPkQFisz:/u5ttpQQLGQWFSeYHmF

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

epoch2, agenttesla, emotet
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

emotet, epoch4, banker, discovery, trojan
Score
10/10

behavioral4

emotet, epoch4, banker, discovery, trojan
Score
10/10

behavioral5

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral6

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral7

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral8

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral9

emotet, epoch5, banker, discovery, trojan
Score
10/10

behavioral10

emotet, epoch5, banker, discovery, trojan
Score
10/10

behavioral11

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral12

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

emotet, epoch2, banker, discovery, trojan
Score
10/10

behavioral16

emotet, epoch2, banker, discovery, trojan
Score
10/10