Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_9ba684d3bb94c46b9c7476bf8ea2ecba98cc9e6975bb465242081e17e69ff0b1_2020-07-28__204546._doc

  • Size

    170KB

  • Sample

    200728-q7zkqkb8ha

  • MD5

    080c191dc1b85a5410c1edfb2532a8db

  • SHA1

    823f950745b73d548379516ed1be81e770ac0aa1

  • SHA256

    9ba684d3bb94c46b9c7476bf8ea2ecba98cc9e6975bb465242081e17e69ff0b1

  • SHA512

    a81446bc89d805b8d3ec28a08cce355710aecb3d1d39242a5b51f3f74a10656718b134a1e9dff73fe5699c36f17f0853d0ace6c5314bc69e60ee11f0af3feb72

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://bunchproperties.com/lyhvmiq/s_ia_4uaq/
exe.dropper

http://badeggdesign.com/cgi-bin/nxr5_o_d6vmj/
exe.dropper

http://calledtochange.org/calledtochange/0_76zqg_bwnxpr84/
exe.dropper

http://www.cinefamily.org/phpMyAdmin-4.7.9-all-languages/5um_oot_hz8/
exe.dropper

http://bodbderg.net/wp-admin/ogfv5_4_x2l/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_9ba684d3bb94c46b9c7476bf8ea2ecba98cc9e6975bb465242081e17e69ff0b1_2020-07-28__204546._doc

    • Size

      170KB

    • MD5

      080c191dc1b85a5410c1edfb2532a8db

    • SHA1

      823f950745b73d548379516ed1be81e770ac0aa1

    • SHA256

      9ba684d3bb94c46b9c7476bf8ea2ecba98cc9e6975bb465242081e17e69ff0b1

    • SHA512

      a81446bc89d805b8d3ec28a08cce355710aecb3d1d39242a5b51f3f74a10656718b134a1e9dff73fe5699c36f17f0853d0ace6c5314bc69e60ee11f0af3feb72

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks