General

  • Target

    XALMED20.09.doc

  • Size

    177KB

  • Sample

    200919-9ekby6n5bn

  • MD5

    f6a580f88f6dbfd6956b28722f185f07

  • SHA1

    facc968dfb54541696eb9d4476a36daaa842bba2

  • SHA256

    8bd63f4df520f7e19b6a4fab160f031355c3d2b130db510345f91328e2548f54

  • SHA512

    72e80f751eda5cfc2ea1963313496e98574420437d6ee29d3e2b536168d4902c0a0aecff140d3e312bff3b2e7bb99c0e3c65c16c349785393d87cd9b6e0f3bbc

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://reseller-demo-website.com/discussion/qWWf8FS/

exe.dropper

https://www.mockdumps.com/test/Z2pJ/

exe.dropper

https://twisterprint.com/chrometheme/Vcr/

exe.dropper

http://simulations.org/rw_common/KfX2MW/

exe.dropper

http://planosdesaudesemcarencia.com/erros/JHoq/

exe.dropper

https://viaje-achina.com/wp-admin/A1O8tL/

exe.dropper

https://cearacultural.com.br/turismo/oy/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Targets

    • Target

      XALMED20.09.doc

    • Size

      177KB

    • MD5

      f6a580f88f6dbfd6956b28722f185f07

    • SHA1

      facc968dfb54541696eb9d4476a36daaa842bba2

    • SHA256

      8bd63f4df520f7e19b6a4fab160f031355c3d2b130db510345f91328e2548f54

    • SHA512

      72e80f751eda5cfc2ea1963313496e98574420437d6ee29d3e2b536168d4902c0a0aecff140d3e312bff3b2e7bb99c0e3c65c16c349785393d87cd9b6e0f3bbc

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks