Overview

overview

10

Static

static

emotet_doc

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a1cef81caeed203ca1eeee6434ecd991d79885ca1a6cd1631e878d0bd87a11f4.doc

  • Size

    236KB

  • Sample

    200215-mdk792pfye

  • MD5

    cc15d68e53c6ade54ce2172be86a656b

  • SHA1

    4bec88f860b0ec6ec5b4f7a9760749be27766e2b

  • SHA256

    a1cef81caeed203ca1eeee6434ecd991d79885ca1a6cd1631e878d0bd87a11f4

  • SHA512

    96ede6c3a6f28a23be84713055a3407ffa3c180d6a64da47c6acc6146815d0d0a4e492bd6488a2a6bce37319ad8edaf58d39da0dd9792cc28ce073dfe745c643

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://ta-behesht.ir/images/Provx00a/
exe.dropper

http://tatcogroup.ir/wp-admin/UC/
exe.dropper

http://tcpartner.ru/wp-includes/nr8/
exe.dropper

http://tepcian.utcc.ac.th/wp-admin/SquR/
exe.dropper

http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.126.247.90:80

98.239.119.52:80

80.86.91.91:8080

104.236.28.47:8080

47.155.214.239:443

180.92.239.110:8080

87.106.136.232:8080

76.104.80.47:80

173.16.62.227:80

92.222.216.44:8080

47.153.183.211:80

74.130.83.133:80

47.156.70.145:80

110.36.217.66:8080

160.16.215.66:8080

200.116.145.225:443

181.13.24.82:80

24.94.237.248:80

5.32.55.214:80

31.172.240.91:8080
rsa_pubkey.plain

Targets

    • Target

      a1cef81caeed203ca1eeee6434ecd991d79885ca1a6cd1631e878d0bd87a11f4.doc

    • Size

      236KB

    • MD5

      cc15d68e53c6ade54ce2172be86a656b

    • SHA1

      4bec88f860b0ec6ec5b4f7a9760749be27766e2b

    • SHA256

      a1cef81caeed203ca1eeee6434ecd991d79885ca1a6cd1631e878d0bd87a11f4

    • SHA512

      96ede6c3a6f28a23be84713055a3407ffa3c180d6a64da47c6acc6146815d0d0a4e492bd6488a2a6bce37319ad8edaf58d39da0dd9792cc28ce073dfe745c643

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix

Tasks