Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_a17adf48e5d1001ed87a1af31344545ee83df584126c6ade083cdec6fd158105_2020-09-19__110021344124._doc

  • Size

    190KB

  • Sample

    200919-yjw4t42hl2

  • MD5

    20a7e39bcf88cff49e2a9b208ddd1243

  • SHA1

    34d64c9c65204a425f5efa5a9b9ccb93341f5e5b

  • SHA256

    a17adf48e5d1001ed87a1af31344545ee83df584126c6ade083cdec6fd158105

  • SHA512

    cc75b42be394e07954fc4b3a4c031cbbb248a62d42ec8a3cd294f303bf8c80301d1f142f4617bec8938e9bd63ac7fb61ce0e6ae194f2c023230f9be1432bcd45

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://geisterhouse.com/cgi-bin/LAb1/
exe.dropper

http://amyemitchell.com/themes/w/
exe.dropper

http://forestanalytics.net/images/57A7/
exe.dropper

https://konican.com/cgi-bin/cWu/
exe.dropper

http://strike3productions.com/squad/3aV6xrH/
exe.dropper

http://riandutra.com/img/wOMENgh/
exe.dropper

http://justinscott.com.au/sites/rRS/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_a17adf48e5d1001ed87a1af31344545ee83df584126c6ade083cdec6fd158105_2020-09-19__110021344124._doc

    • Size

      190KB

    • MD5

      20a7e39bcf88cff49e2a9b208ddd1243

    • SHA1

      34d64c9c65204a425f5efa5a9b9ccb93341f5e5b

    • SHA256

      a17adf48e5d1001ed87a1af31344545ee83df584126c6ade083cdec6fd158105

    • SHA512

      cc75b42be394e07954fc4b3a4c031cbbb248a62d42ec8a3cd294f303bf8c80301d1f142f4617bec8938e9bd63ac7fb61ce0e6ae194f2c023230f9be1432bcd45

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks