emotet

General

Target

emotet_e2_1f19f1cc91f28959e4f1a099b4f6d11a2dfd3b5d5ecf73f596b764dfdc356b57_2020-07-29__000613._doc
Size

175KB
Sample

200729-ktmjxtd7t2
MD5

fb1cbe7a44e5ec306b7417536dd53823
SHA1

dd2e4fee429893be634cff2f605f725e82d2dc10
SHA256

1f19f1cc91f28959e4f1a099b4f6d11a2dfd3b5d5ecf73f596b764dfdc356b57
SHA512

99c8df8339e9235f4dfda7c828f0d0c0211a4816647bb6338fcbe04ceb99f849006a5c9c61caaf430934c64b74ca4a45950de52dd4f0c2b9fb2fbd1dbaa9e557

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://fishbitedesign.com/delete_me/aq_no3_pixel079b/

exe.dropper

http://floridoweddings.com/wp-admin/1_fb_3rv7z6mr/

exe.dropper

http://floydswoodshop.com/floydswo/nn_g5_0s/

exe.dropper

http://fmcav.com/images/tihvt_5d_3znqq/

exe.dropper

http://goharm.com/wp-content/plugins/classic-editor/7b_k5_bo4lrnbmo6/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Targets

- Target
  
  emotet_e2_1f19f1cc91f28959e4f1a099b4f6d11a2dfd3b5d5ecf73f596b764dfdc356b57_2020-07-29__000613._doc
- Size
  
  175KB
- MD5
  
  fb1cbe7a44e5ec306b7417536dd53823
- SHA1
  
  dd2e4fee429893be634cff2f605f725e82d2dc10
- SHA256
  
  1f19f1cc91f28959e4f1a099b4f6d11a2dfd3b5d5ecf73f596b764dfdc356b57
- SHA512
  
  99c8df8339e9235f4dfda7c828f0d0c0211a4816647bb6338fcbe04ceb99f849006a5c9c61caaf430934c64b74ca4a45950de52dd4f0c2b9fb2fbd1dbaa9e557
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2