Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd_2020-08-27__200808._doc

  • Size

    218KB

  • Sample

    200827-hv273we1rs

  • MD5

    a7bd894680e439fd8753e29b79cd2de2

  • SHA1

    a4ef376a566225ba782d25ca5ea68f0e63b23826

  • SHA256

    7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd

  • SHA512

    224ac475a964c3dd60ca662c5324c753fd33208fd0b6c468bf6993f63b6a5e9a4b886c6bcf7952b0f6bcbd0213b3cf3ec8242834c70f4f095fc4862221502bf3

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://somosdrucken.com/upload/GGQL96W/
exe.dropper

http://www.vedigitize.com/wp-includes/l9K6YJ/
exe.dropper

http://www.sosyalben.org/hpKTnb/
exe.dropper

http://www.sutomoresmestaj.net/menu/E/
exe.dropper

http://www.traveltoharamain.com/cgi-bin/b/
exe.dropper

http://www.thinkdesign4u.com/css/Rtc1/
exe.dropper

https://www.mwk-bionik.de/fileadmin/vOJ/

Extracted

Family

emotet

Botnet

Epoch2

C2

172.91.208.86:80

45.55.36.51:443

91.83.93.99:7080

45.55.219.163:443

107.5.122.110:80

103.86.49.11:8080

85.105.205.77:8080

120.150.60.189:80

137.59.187.107:8080

139.59.60.244:8080

203.117.253.142:80

1.221.254.82:80

97.82.79.83:80

37.187.72.193:8080

139.99.158.11:443

152.168.248.128:443

74.208.45.104:8080

83.169.36.251:8080

169.239.182.217:8080

216.208.76.186:80
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd_2020-08-27__200808._doc

    • Size

      218KB

    • MD5

      a7bd894680e439fd8753e29b79cd2de2

    • SHA1

      a4ef376a566225ba782d25ca5ea68f0e63b23826

    • SHA256

      7b6977d2fea5ace224c2e46488cf144b41a82f88c0d6d7849472cba5bb54eecd

    • SHA512

      224ac475a964c3dd60ca662c5324c753fd33208fd0b6c468bf6993f63b6a5e9a4b886c6bcf7952b0f6bcbd0213b3cf3ec8242834c70f4f095fc4862221502bf3

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks