Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d_2020-08-21__171636._doc

  • Size

    178KB

  • Sample

    200821-jey1ra6tbs

  • MD5

    d42e77a9116b6511efd39d230a7205a3

  • SHA1

    8543820a8562c6d5592a3cef444b75ba35062fae

  • SHA256

    f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d

  • SHA512

    ea3e14cbde76d904b9f83db4139fd687a9276a1ee1515fb3099b62dfa7a980c8fe15618a0896df2cccbc895c5548e2f20e5efcb1ce96211d421991f3f54c2f5a

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://alameenmission.net/cgi-bin/Ju1r8t/
exe.dropper

https://www.altopropiedades.cl/fonts/AWM/
exe.dropper

http://anisoph.com/cgi-bin/u95B/
exe.dropper

http://identisoft.pt/istore/7U/
exe.dropper

http://b3shop.net/calendar/nnxakTd/
exe.dropper

http://nourishmentjuices.com/wp-content/e/
exe.dropper

https://en.entechco.com.vn/wp-includes/9XMEI7/

Extracted

Family

emotet

Botnet

Epoch2

C2

137.119.36.33:80

116.202.234.183:8080

69.30.203.214:8080

204.197.146.48:80

87.106.136.232:8080

153.163.83.106:80

91.211.88.52:7080

93.147.212.206:80

222.214.218.37:4143

189.212.199.126:443

203.153.216.189:7080

83.169.36.251:8080

188.83.220.2:443

104.236.246.93:8080

173.62.217.22:443

5.196.74.210:8080

68.188.112.97:80

139.130.242.43:80

61.19.246.238:443

24.179.13.119:80
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d_2020-08-21__171636._doc

    • Size

      178KB

    • MD5

      d42e77a9116b6511efd39d230a7205a3

    • SHA1

      8543820a8562c6d5592a3cef444b75ba35062fae

    • SHA256

      f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d

    • SHA512

      ea3e14cbde76d904b9f83db4139fd687a9276a1ee1515fb3099b62dfa7a980c8fe15618a0896df2cccbc895c5548e2f20e5efcb1ce96211d421991f3f54c2f5a

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks