emotet

General

Target

FILE_X583677.doc
Size

169KB
Sample

200807-vvy3tsbye6
MD5

9bcd7831593b18eb2fc20abb950776e0
SHA1

94fce0e45271cd1dc5ff594f886146c88b5bdf75
SHA256

2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8
SHA512

ce5e923278b315e334274b0b1f9434aaa2851135fb0fb4f147b8e123da1f595e50a70fc47079f8f3c8c5c6a43f9b5b04a5dbf799f29491bb73d716304892dfdc

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://sampling-group.com/J0Eubtq06/

exe.dropper

http://www.weddingsday.co.uk/docs/1oYncTNHDu/

exe.dropper

http://sasystemsuk.com/recruit/sl979/

exe.dropper

http://wellparts.net/cgi-bin/qAj081/

exe.dropper

http://volkanakbalik.com/_inc/2W/

Extracted

Family

emotet

Botnet

Epoch1

C2

82.76.111.249:443

116.125.120.88:443

217.160.182.191:8080

189.1.185.98:8080

189.194.58.119:80

213.181.91.224:80

219.92.13.25:80

190.6.193.152:8080

61.92.159.208:8080

209.236.123.42:8080

12.162.84.2:8080

190.147.137.153:443

104.131.103.37:8080

212.231.60.98:80

202.62.39.111:80

82.240.207.95:443

170.81.48.2:80

177.74.228.34:80

82.196.15.205:8080

114.109.179.60:80

rsa_pubkey.plain

Targets

- Target
  
  FILE_X583677.doc
- Size
  
  169KB
- MD5
  
  9bcd7831593b18eb2fc20abb950776e0
- SHA1
  
  94fce0e45271cd1dc5ff594f886146c88b5bdf75
- SHA256
  
  2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8
- SHA512
  
  ce5e923278b315e334274b0b1f9434aaa2851135fb0fb4f147b8e123da1f595e50a70fc47079f8f3c8c5c6a43f9b5b04a5dbf799f29491bb73d716304892dfdc
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2