Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_feea2193fa8429572e0d346487c4e58bffd2c6cfc320d05054411a8df5c3e0d3_2020-07-29__000932._doc

  • Size

    175KB

  • Sample

    200729-l561jgmc2j

  • MD5

    8eab9cbc34bbb785f5ec8b0cd0ba61ba

  • SHA1

    09b7f4c5e7aa3b29b2c67a6dc60ef2eb3534cc2d

  • SHA256

    feea2193fa8429572e0d346487c4e58bffd2c6cfc320d05054411a8df5c3e0d3

  • SHA512

    148ec8ae93cb345ac8bb9dcc9af9eebf618dabbeb523ea3b59af2736bc3742156c7887fd6608d5ddb73e71cb4e4b06d968c3357a5f4a5294409cff6da7c10ec9

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://fishbitedesign.com/delete_me/aq_no3_pixel079b/
exe.dropper

http://floridoweddings.com/wp-admin/1_fb_3rv7z6mr/
exe.dropper

http://floydswoodshop.com/floydswo/nn_g5_0s/
exe.dropper

http://fmcav.com/images/tihvt_5d_3znqq/
exe.dropper

http://goharm.com/wp-content/plugins/classic-editor/7b_k5_bo4lrnbmo6/

Extracted

Family

emotet

Botnet

Epoch2

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_feea2193fa8429572e0d346487c4e58bffd2c6cfc320d05054411a8df5c3e0d3_2020-07-29__000932._doc

    • Size

      175KB

    • MD5

      8eab9cbc34bbb785f5ec8b0cd0ba61ba

    • SHA1

      09b7f4c5e7aa3b29b2c67a6dc60ef2eb3534cc2d

    • SHA256

      feea2193fa8429572e0d346487c4e58bffd2c6cfc320d05054411a8df5c3e0d3

    • SHA512

      148ec8ae93cb345ac8bb9dcc9af9eebf618dabbeb523ea3b59af2736bc3742156c7887fd6608d5ddb73e71cb4e4b06d968c3357a5f4a5294409cff6da7c10ec9

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks