emotet

General

Target

emotet_e2_c5e193758814cfcd065e7e247aa69f5cea018221cde134eb4360d20f66ef4280_2020-07-28__230800._doc
Size

174KB
Sample

200728-9ed6epmmds
MD5

c64cc19321ec79b5900cc356d86f7048
SHA1

3532483dcbc46e16b3a05a5f8a04fa3b655132cf
SHA256

c5e193758814cfcd065e7e247aa69f5cea018221cde134eb4360d20f66ef4280
SHA512

a5aa661d1a672585fd7162c1840fedb8fbed04db4bedaf6d7a0df6f98783acac3986ea3dbb8572cfabab5d5cfb4f59524cfcd2fbc90f6ba57a03dd04e1e361db

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://fishbitedesign.com/delete_me/aq_no3_pixel079b/

exe.dropper

http://floridoweddings.com/wp-admin/1_fb_3rv7z6mr/

exe.dropper

http://floydswoodshop.com/floydswo/nn_g5_0s/

exe.dropper

http://fmcav.com/images/tihvt_5d_3znqq/

exe.dropper

http://goharm.com/wp-content/plugins/classic-editor/7b_k5_bo4lrnbmo6/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Targets

- Target
  
  emotet_e2_c5e193758814cfcd065e7e247aa69f5cea018221cde134eb4360d20f66ef4280_2020-07-28__230800._doc
- Size
  
  174KB
- MD5
  
  c64cc19321ec79b5900cc356d86f7048
- SHA1
  
  3532483dcbc46e16b3a05a5f8a04fa3b655132cf
- SHA256
  
  c5e193758814cfcd065e7e247aa69f5cea018221cde134eb4360d20f66ef4280
- SHA512
  
  a5aa661d1a672585fd7162c1840fedb8fbed04db4bedaf6d7a0df6f98783acac3986ea3dbb8572cfabab5d5cfb4f59524cfcd2fbc90f6ba57a03dd04e1e361db
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2