Overview

overview

10

Static

static

8

emotet_doc

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    453c518f7cf37df2fee6ebb0d26ad8073f7498ccf7f75ecc31612d95c879b5b9.doc

  • Size

    168KB

  • Sample

    200729-7jn1m5th1e

  • MD5

    7f853a2aee0509b57ef50410c43cd1bf

  • SHA1

    4698c967f7b8b9d13befb15af1b6a4b8ebacf699

  • SHA256

    453c518f7cf37df2fee6ebb0d26ad8073f7498ccf7f75ecc31612d95c879b5b9

  • SHA512

    6264c6e12c8f5d006e531c4791fbe717b653fa22f0531260ecfd7037435ff8e5b550bcfe7e6a155ef03007b5da2db04d14fdf86a6b827dd58f5af9f1febaba07

Score
10/10
emotetepoch3bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://mossfs.com.au/wp-content/fVrTuWOb/
exe.dropper

https://rtisistemas.com.br/jdetsob/Ov3a8106w4g7x17030547/
exe.dropper

http://slbqms.co.ls/cgi-bin/CHrsuXU/
exe.dropper

http://sertcom.net/_vti_bin/LiUoBmTHW/
exe.dropper

http://skpsoft.com/wp-admin/YnsFh/

Extracted

Family

emotet

Botnet

Epoch3

C2

177.37.81.212:443

74.207.230.187:8080

190.164.75.175:80

87.252.100.28:80

105.209.239.55:80

163.172.107.70:8080

37.208.106.146:8080

24.157.25.203:80

212.112.113.235:80

140.207.113.106:443

75.139.38.211:80

192.210.217.94:8080

46.49.124.53:80

75.127.14.170:8080

87.106.231.60:8080

139.59.12.63:8080

181.167.35.84:80

201.214.108.231:80

74.208.173.91:8080

189.146.1.78:443
rsa_pubkey.plain

Targets

    • Target

      453c518f7cf37df2fee6ebb0d26ad8073f7498ccf7f75ecc31612d95c879b5b9.doc

    • Size

      168KB

    • MD5

      7f853a2aee0509b57ef50410c43cd1bf

    • SHA1

      4698c967f7b8b9d13befb15af1b6a4b8ebacf699

    • SHA256

      453c518f7cf37df2fee6ebb0d26ad8073f7498ccf7f75ecc31612d95c879b5b9

    • SHA512

      6264c6e12c8f5d006e531c4791fbe717b653fa22f0531260ecfd7037435ff8e5b550bcfe7e6a155ef03007b5da2db04d14fdf86a6b827dd58f5af9f1febaba07

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks