emotet

General

Target

emotet_e2_7cd5225c929ffc27c91ce7e9a9c9ae0cd7617d0d64835d513c84fedbae6ae31a_2020-07-28__184540._doc
Size

171KB
Sample

200728-rhy9qsfpye
MD5

b84387a2ed99725784801f90836417db
SHA1

b08ab3b540ad093398962c9d9ca39d1e109bcd5d
SHA256

7cd5225c929ffc27c91ce7e9a9c9ae0cd7617d0d64835d513c84fedbae6ae31a
SHA512

fc8d30abf9d48bc2b189093c349c832f3927e3398da5d29ae5c3668b5d07f1913e20c813df22a6b3f2d9298ded84129814743833c8f21a53954c129e2a5e71f5

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://bunchproperties.com/lyhvmiq/s_ia_4uaq/

exe.dropper

http://badeggdesign.com/cgi-bin/nxr5_o_d6vmj/

exe.dropper

http://calledtochange.org/calledtochange/0_76zqg_bwnxpr84/

exe.dropper

http://www.cinefamily.org/phpMyAdmin-4.7.9-all-languages/5um_oot_hz8/

exe.dropper

http://bodbderg.net/wp-admin/ogfv5_4_x2l/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Targets

- Target
  
  emotet_e2_7cd5225c929ffc27c91ce7e9a9c9ae0cd7617d0d64835d513c84fedbae6ae31a_2020-07-28__184540._doc
- Size
  
  171KB
- MD5
  
  b84387a2ed99725784801f90836417db
- SHA1
  
  b08ab3b540ad093398962c9d9ca39d1e109bcd5d
- SHA256
  
  7cd5225c929ffc27c91ce7e9a9c9ae0cd7617d0d64835d513c84fedbae6ae31a
- SHA512
  
  fc8d30abf9d48bc2b189093c349c832f3927e3398da5d29ae5c3668b5d07f1913e20c813df22a6b3f2d9298ded84129814743833c8f21a53954c129e2a5e71f5
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2