emotet

General

Target

SecuriteInfo.com.VBA.Heur.LEmoDldr.1.Gen.4911.10470
Size

169KB
Sample

200731-fq1nrvn1fs
MD5

70cc4796d7633e1877b72ac8a903cc81
SHA1

16d21e90a1da838f18dc324121475088f1ee914f
SHA256

522b63a0d190f96b3d7e635d7431958b68f94c8f95a44594318d0e382b17bad5
SHA512

a279d5bf1abfc05fd03909aa68853dcd01d91c3bbcb9978318dad710da7fe93a1b177854a9ecace54c5d34421043b4fdd459e9199e63a1c161e955c0260ab678

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://mktf.mx/wp-includes/nf_p0w_z87k/

exe.dropper

http://dragonfang.com/nav/pu_4cz89_3e81ooa90c/

exe.dropper

http://maxiquim.cl/cgi-bin/qa0_i_qzk/

exe.dropper

https://www.planetkram.com/egherdbaseball/z_xu00_9hbk939elw/

exe.dropper

http://meulocal.com.br/suspend-page/0e_wt5bq_ekn/

Extracted

Family

emotet

Botnet

Epoch2

C2

142.105.151.124:443

62.108.54.22:8080

212.51.142.238:8080

71.208.216.10:80

108.48.41.69:80

83.110.223.58:443

210.165.156.91:80

104.131.44.150:8080

104.236.246.93:8080

5.39.91.110:7080

209.141.54.221:8080

209.182.216.177:443

153.126.210.205:7080

91.211.88.52:7080

180.92.239.110:8080

183.101.175.193:80

162.241.92.219:8080

87.106.139.101:8080

114.146.222.200:80

65.111.120.223:80

rsa_pubkey.plain

Targets

- Target
  
  SecuriteInfo.com.VBA.Heur.LEmoDldr.1.Gen.4911.10470
- Size
  
  169KB
- MD5
  
  70cc4796d7633e1877b72ac8a903cc81
- SHA1
  
  16d21e90a1da838f18dc324121475088f1ee914f
- SHA256
  
  522b63a0d190f96b3d7e635d7431958b68f94c8f95a44594318d0e382b17bad5
- SHA512
  
  a279d5bf1abfc05fd03909aa68853dcd01d91c3bbcb9978318dad710da7fe93a1b177854a9ecace54c5d34421043b4fdd459e9199e63a1c161e955c0260ab678
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2