emotet

General

Target

emotet_e2_0f3d19d2092e84e52aa8eec6d932f177849ae15bd1febf920b40e980de9aeb97_2020-07-28__200502._doc
Size

170KB
Sample

200728-gfcflrhv1e
MD5

05e380652838eebf3720b81e1d953e0e
SHA1

6268484debb275001b13894bc057f17f4610d39c
SHA256

0f3d19d2092e84e52aa8eec6d932f177849ae15bd1febf920b40e980de9aeb97
SHA512

aa9842259151c4dfeee679561a9928f80c5ea7ba7ef930d9b01d309dd473c5b9ff037529b4eb03e5bdecdf53b6c2e854d6f529f428c16f20ea3ccb03c1807f48

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://bunchproperties.com/lyhvmiq/s_ia_4uaq/

exe.dropper

http://badeggdesign.com/cgi-bin/nxr5_o_d6vmj/

exe.dropper

http://calledtochange.org/calledtochange/0_76zqg_bwnxpr84/

exe.dropper

http://www.cinefamily.org/phpMyAdmin-4.7.9-all-languages/5um_oot_hz8/

exe.dropper

http://bodbderg.net/wp-admin/ogfv5_4_x2l/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Targets

- Target
  
  emotet_e2_0f3d19d2092e84e52aa8eec6d932f177849ae15bd1febf920b40e980de9aeb97_2020-07-28__200502._doc
- Size
  
  170KB
- MD5
  
  05e380652838eebf3720b81e1d953e0e
- SHA1
  
  6268484debb275001b13894bc057f17f4610d39c
- SHA256
  
  0f3d19d2092e84e52aa8eec6d932f177849ae15bd1febf920b40e980de9aeb97
- SHA512
  
  aa9842259151c4dfeee679561a9928f80c5ea7ba7ef930d9b01d309dd473c5b9ff037529b4eb03e5bdecdf53b6c2e854d6f529f428c16f20ea3ccb03c1807f48
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2