General
-
Target
emotet_e2_24c7551200e919fc0bdce151aef784c0c324c81a337a8bf70e67cfebf1abae0d_2020-09-17__131708._doc
-
Size
172KB
-
Sample
200917-92pdp4ds1s
-
MD5
af5701e6c5f9bd86f09a46875323fbfc
-
SHA1
02429e66570b6b347c3357c559d27e5211f11eb1
-
SHA256
24c7551200e919fc0bdce151aef784c0c324c81a337a8bf70e67cfebf1abae0d
-
SHA512
b73d3296ce25058d7b6f2560cb66af5bd066c11ed46570d82106aaf1c08ccdfbce8adfd322008ddfacb968254372f277d2aa1ea7459399dda687c0a85a030c64
Static task
static1
Behavioral task
behavioral1
Sample
emotet_e2_24c7551200e919fc0bdce151aef784c0c324c81a337a8bf70e67cfebf1abae0d_2020-09-17__131708._doc.doc
Resource
win7v200722
Malware Config
Extracted
http://rhyton-building.com/wp-admin/Ey8qV0/
http://ezzll.com/wp-includes/KIU2WU/
http://tellmetech.com/wp-content/4ka/
https://elmundodelareposteria.com/wp-admin/0PVVmJm/
https://manuelrozas.cl/assets/XWN/
https://haritdharni.com/wp-admin/bZM/
https://theworks-group.com/site/pQT6j5/
Extracted
emotet
Epoch2
74.219.172.26:80
134.209.36.254:8080
104.156.59.7:8080
120.138.30.150:8080
194.187.133.160:443
104.236.246.93:8080
74.208.45.104:8080
78.187.156.31:80
187.161.206.24:80
94.23.216.33:80
172.91.208.86:80
91.211.88.52:7080
50.91.114.38:80
200.123.150.89:443
121.124.124.40:7080
62.75.141.82:80
5.196.74.210:8080
24.137.76.62:80
85.105.205.77:8080
139.130.242.43:80
82.225.49.121:80
110.145.77.103:80
195.251.213.56:80
46.105.131.79:8080
87.106.136.232:8080
75.139.38.211:80
124.41.215.226:80
203.153.216.189:7080
162.241.242.173:8080
219.74.18.66:443
174.45.13.118:80
68.188.112.97:80
200.114.213.233:8080
213.196.135.145:80
61.92.17.12:80
61.19.246.238:443
219.75.128.166:80
120.150.60.189:80
123.176.25.234:80
1.221.254.82:80
137.119.36.33:80
94.23.237.171:443
74.120.55.163:80
62.30.7.67:443
104.131.11.150:443
139.59.67.118:443
209.141.54.221:8080
79.137.83.50:443
84.39.182.7:80
97.82.79.83:80
87.106.139.101:8080
94.1.108.190:443
37.187.72.193:8080
139.162.108.71:8080
93.147.212.206:80
74.134.41.124:80
103.86.49.11:8080
75.80.124.4:80
109.74.5.95:8080
153.232.188.106:80
168.235.67.138:7080
50.35.17.13:80
42.200.107.142:80
82.80.155.43:80
78.24.219.147:8080
24.43.99.75:80
107.5.122.110:80
156.155.166.221:80
83.169.36.251:8080
47.144.21.12:443
79.98.24.39:8080
181.169.34.190:80
139.59.60.244:8080
85.152.162.105:80
185.94.252.104:443
110.5.16.198:80
174.102.48.180:443
140.186.212.146:80
95.179.229.244:8080
104.32.141.43:80
169.239.182.217:8080
121.7.127.163:80
94.200.114.161:80
201.173.217.124:443
104.131.44.150:8080
137.59.187.107:8080
5.39.91.110:7080
203.117.253.142:80
157.245.99.39:8080
176.111.60.55:8080
95.213.236.64:8080
220.245.198.194:80
37.139.21.175:8080
89.216.122.92:80
139.99.158.11:443
24.179.13.119:80
188.219.31.12:80
Targets
-
-
Target
emotet_e2_24c7551200e919fc0bdce151aef784c0c324c81a337a8bf70e67cfebf1abae0d_2020-09-17__131708._doc
-
Size
172KB
-
MD5
af5701e6c5f9bd86f09a46875323fbfc
-
SHA1
02429e66570b6b347c3357c559d27e5211f11eb1
-
SHA256
24c7551200e919fc0bdce151aef784c0c324c81a337a8bf70e67cfebf1abae0d
-
SHA512
b73d3296ce25058d7b6f2560cb66af5bd066c11ed46570d82106aaf1c08ccdfbce8adfd322008ddfacb968254372f277d2aa1ea7459399dda687c0a85a030c64
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Emotet Payload
Detects Emotet payload in memory.
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation