General

  • Target

    emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc

  • Size

    160KB

  • Sample

    200923-ctjlyvgcv6

  • MD5

    0ed5a42c5691a1ab4c27bf8c2aed5210

  • SHA1

    2d43412fc8c55c9a2d7a2c2d3f18c6adc96f867d

  • SHA256

    7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9

  • SHA512

    16034e9b9931d93b0f245f86fa4efb5aeabd86d9840087a86d1b691262703d6cd2b945fafe1a8044a87e5c7adf14eab0a1a01d4eb0fbbed6a840885276ebfe76

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://khobormalda.com/wp-content/82/

exe.dropper

http://blog.zunapro.com/wp-admin/LEE/

exe.dropper

http://megasolucoesti.com/R9KDq0O8w/Y/

exe.dropper

https://online24h.biz/wp-admin/K/

exe.dropper

https://fepami.com/wp-includes/eaI/

exe.dropper

http://ora-ks.com/system/cache/w/

exe.dropper

http://padamagro.com/wp-admin/Nc/

Extracted

Family

emotet

Botnet

Epoch1

C2

12.163.208.58:80

45.33.35.74:8080

87.106.253.248:8080

192.241.146.84:8080

190.115.18.139:8080

65.36.62.20:80

170.81.48.2:80

83.169.21.32:7080

185.232.182.218:80

190.2.31.172:80

77.106.157.34:8080

82.230.1.24:80

202.4.58.197:80

201.213.177.139:80

78.249.119.122:80

123.51.47.18:80

77.90.136.129:8080

60.93.23.51:80

152.169.22.67:80

190.117.79.209:80

rsa_pubkey.plain

Targets

    • Target

      emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc

    • Size

      160KB

    • MD5

      0ed5a42c5691a1ab4c27bf8c2aed5210

    • SHA1

      2d43412fc8c55c9a2d7a2c2d3f18c6adc96f867d

    • SHA256

      7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9

    • SHA512

      16034e9b9931d93b0f245f86fa4efb5aeabd86d9840087a86d1b691262703d6cd2b945fafe1a8044a87e5c7adf14eab0a1a01d4eb0fbbed6a840885276ebfe76

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks