General

  • Target

    JVDT20_09.doc

  • Size

    161KB

  • Sample

    200916-2jdyemqa3e

  • MD5

    c8db50682c9c51a0a5b220aca08a8b5f

  • SHA1

    f0e2afb8a556bb000e169e24e84c3af9942429fe

  • SHA256

    127c406b36e40a2277c416de6a955130dba4cb23be857da9a3987fb98a170d32

  • SHA512

    cece058757e669d26a73ad58d9c4f5c02ae7118cf9c5fc78e3b92a4bc8b268c500867e7b3f131432f07c422fc26976d17ea8d4f98bd4a783cfe19e88e97fa3ee

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://templatejson.com/awrrn/Kw10uo/

    https://hosting.mybestheme.com/aikjj0q/8/

    https://tastes2plate.com/wp-content/uploads/6/

    http://madeirawildlife.com/wp-admin/zuWZW/

    http://senyumdesa.org/wp-admin/aC4/

    https://ibuyoldwebsites.com/modules/QVtEr7/

    http://blog.zunapro.com/wp-admin/js/widgets/EH4agl/

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

    74.219.172.26:80

    134.209.36.254:8080

    104.156.59.7:8080

    120.138.30.150:8080

    194.187.133.160:443

    104.236.246.93:8080

    74.208.45.104:8080

    78.187.156.31:80

    187.161.206.24:80

    94.23.216.33:80

    172.91.208.86:80

    91.211.88.52:7080

    50.91.114.38:80

    200.123.150.89:443

    121.124.124.40:7080

    62.75.141.82:80

    5.196.74.210:8080

    24.137.76.62:80

    85.105.205.77:8080

    139.130.242.43:80

  • rsa_pubkey.plain

Targets

    • Target

      JVDT20_09.doc

    • Size

      161KB

    • MD5

      c8db50682c9c51a0a5b220aca08a8b5f

    • SHA1

      f0e2afb8a556bb000e169e24e84c3af9942429fe

    • SHA256

      127c406b36e40a2277c416de6a955130dba4cb23be857da9a3987fb98a170d32

    • SHA512

      cece058757e669d26a73ad58d9c4f5c02ae7118cf9c5fc78e3b92a4bc8b268c500867e7b3f131432f07c422fc26976d17ea8d4f98bd4a783cfe19e88e97fa3ee

    • Score

      10/10

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks