emotet

General

Target

BGH20-09-19.doc
Size

176KB
Sample

200919-sgjy51xvm2
MD5

7b417bda48e55ebe403062bd1f73a0f0
SHA1

0a53abaed34e19029521a6e4c5e242073e141679
SHA256

affed3213d862973b6b898d64a6821885622443531cc1bba025346102927c082
SHA512

777a550fa9f07eac1cfcf44169eaea56efeaf6e80c15025d010bb3cecb57aef350c12f8413fa5d6fd2e7445c4235b1b045f7cd14c1eae5b445b248f1919a2d62

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://reseller-demo-website.com/discussion/qWWf8FS/

exe.dropper

https://www.mockdumps.com/test/Z2pJ/

exe.dropper

https://twisterprint.com/chrometheme/Vcr/

exe.dropper

http://simulations.org/rw_common/KfX2MW/

exe.dropper

http://planosdesaudesemcarencia.com/erros/JHoq/

exe.dropper

https://viaje-achina.com/wp-admin/A1O8tL/

exe.dropper

https://cearacultural.com.br/turismo/oy/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Targets

- Target
  
  BGH20-09-19.doc
- Size
  
  176KB
- MD5
  
  7b417bda48e55ebe403062bd1f73a0f0
- SHA1
  
  0a53abaed34e19029521a6e4c5e242073e141679
- SHA256
  
  affed3213d862973b6b898d64a6821885622443531cc1bba025346102927c082
- SHA512
  
  777a550fa9f07eac1cfcf44169eaea56efeaf6e80c15025d010bb3cecb57aef350c12f8413fa5d6fd2e7445c4235b1b045f7cd14c1eae5b445b248f1919a2d62
Score

10^/10

trojan banker emotet
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2