Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_df211b245ba73bf4e45c175f2fc03be3b57f275243e3426b3d2c5805ee3b41ca_2020-07-28__212328._doc

  • Size

    169KB

  • Sample

    200728-5pp6bshz12

  • MD5

    eb64751bbb4ad69ca9322134ed3aa72c

  • SHA1

    971496c5199537ee13ead25240ab8e0eebe6e9a5

  • SHA256

    df211b245ba73bf4e45c175f2fc03be3b57f275243e3426b3d2c5805ee3b41ca

  • SHA512

    44a8f727a5f71339d35057873990755361159b92516e91b4c7279dd6e7fbe2fec1c42f39bc547a95ccdb415eb5ce34326ff4e58028c853e9059cb96009f9f63f

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://bunchproperties.com/lyhvmiq/s_ia_4uaq/
exe.dropper

http://badeggdesign.com/cgi-bin/nxr5_o_d6vmj/
exe.dropper

http://calledtochange.org/calledtochange/0_76zqg_bwnxpr84/
exe.dropper

http://www.cinefamily.org/phpMyAdmin-4.7.9-all-languages/5um_oot_hz8/
exe.dropper

http://bodbderg.net/wp-admin/ogfv5_4_x2l/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_df211b245ba73bf4e45c175f2fc03be3b57f275243e3426b3d2c5805ee3b41ca_2020-07-28__212328._doc

    • Size

      169KB

    • MD5

      eb64751bbb4ad69ca9322134ed3aa72c

    • SHA1

      971496c5199537ee13ead25240ab8e0eebe6e9a5

    • SHA256

      df211b245ba73bf4e45c175f2fc03be3b57f275243e3426b3d2c5805ee3b41ca

    • SHA512

      44a8f727a5f71339d35057873990755361159b92516e91b4c7279dd6e7fbe2fec1c42f39bc547a95ccdb415eb5ce34326ff4e58028c853e9059cb96009f9f63f

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks