emotet

General

Target

INVOICE EGAA5_7717972.doc
Size

266KB
Sample

200210-8adxmrslvs
MD5

63d1fe91be7475f7d7b16d9c0f4d72e9
SHA1

7ca71caca4479e3ef2127350292d609ccbb7f0d9
SHA256

da55d54edd3021ebaf41530e1ec8dd18fb5541bb09c3cc9d10c88e9da0351409
SHA512

5d30362259d82957e16c55c64eadd1dafe614457d22c4c0d9c3232481c02d6b3c818b3a8503d12e72ea200f991b2e8be0e549b006cd6b8c4eeafc7a29b441d19

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://movin.cloud/backend_01/jkc4i-wnc01wbd0-43/

exe.dropper

https://ribrart.com/wordpress/TXfMotAUY/

exe.dropper

http://www.pureborn.com/modules/QLBlEB/

exe.dropper

http://phuongphamngulao.gov.vn/wp-content/VNWiFup/

exe.dropper

https://wwwzarawazircom.000webhostapp.com/wp-admin/39h9z-rc0w9qe8yg-52816598/

Extracted

Family

emotet

Botnet

Epoch3

C2

24.249.63.138:80

2.45.165.235:80

149.210.171.237:8080

64.207.176.4:8080

183.82.123.60:443

50.63.13.135:8080

178.33.167.120:8080

95.66.182.136:80

184.162.115.11:443

190.17.94.108:443

110.142.161.90:80

122.176.116.57:443

175.181.7.188:80

182.71.222.187:80

78.188.33.71:80

177.144.130.105:443

182.176.116.139:995

41.77.74.214:443

212.112.113.235:80

78.189.60.109:443

rsa_pubkey.plain

Targets

- Target
  
  INVOICE EGAA5_7717972.doc
- Size
  
  266KB
- MD5
  
  63d1fe91be7475f7d7b16d9c0f4d72e9
- SHA1
  
  7ca71caca4479e3ef2127350292d609ccbb7f0d9
- SHA256
  
  da55d54edd3021ebaf41530e1ec8dd18fb5541bb09c3cc9d10c88e9da0351409
- SHA512
  
  5d30362259d82957e16c55c64eadd1dafe614457d22c4c0d9c3232481c02d6b3c818b3a8503d12e72ea200f991b2e8be0e549b006cd6b8c4eeafc7a29b441d19
Score

10^/10

evasion spyware trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails
  trojan banker emotet
- Process spawned unexpected child process
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies system certificate store
  evasion spyware trojan
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Blacklisted process makes network request

Executes dropped EXE

Modifies system certificate store

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2