General

  • Target

    Docs_bb7b9f0ff1297e6480935818da798d0f.html

  • Size

    190KB

  • Sample

    191207-v2zqeb75xe

  • MD5

    bb7b9f0ff1297e6480935818da798d0f

  • SHA1

    c2b2a88367e8278a930629221af207bbeac5e192

  • SHA256

    282ddf44fbb13c3ea82c1fb85e62a1db366cc254fafb1d073079b97f928d34cd

  • SHA512

    15495aa235d8676bd6fa4afffb6f0b0ce4ec4b01bd485383f3c5169679f9f8365c006fa98e129700e1265b872c3c1299c22177dce5017baa306565b5ed171a48

Malware Config

Extracted

  • Language

    ps1

  • Source URLs
Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2
  • rsa_pubkey.plain

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Executes dropped EXE

    • Windows security modification

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Disabling Security Tools (T1089): 1

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 4

  • System Information Discovery (T1082): 3

Tasks