General
-
Target
emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc
-
Size
160KB
-
Sample
200923-ctjlyvgcv6
-
MD5
0ed5a42c5691a1ab4c27bf8c2aed5210
-
SHA1
2d43412fc8c55c9a2d7a2c2d3f18c6adc96f867d
-
SHA256
7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9
-
SHA512
16034e9b9931d93b0f245f86fa4efb5aeabd86d9840087a86d1b691262703d6cd2b945fafe1a8044a87e5c7adf14eab0a1a01d4eb0fbbed6a840885276ebfe76
Static task
static1
Malware Config
Extracted
http://khobormalda.com/wp-content/82/
http://blog.zunapro.com/wp-admin/LEE/
http://megasolucoesti.com/R9KDq0O8w/Y/
https://online24h.biz/wp-admin/K/
https://fepami.com/wp-includes/eaI/
http://ora-ks.com/system/cache/w/
http://padamagro.com/wp-admin/Nc/
Extracted
emotet
Epoch1
12.163.208.58:80
45.33.35.74:8080
87.106.253.248:8080
192.241.146.84:8080
190.115.18.139:8080
65.36.62.20:80
170.81.48.2:80
83.169.21.32:7080
185.232.182.218:80
190.2.31.172:80
77.106.157.34:8080
82.230.1.24:80
202.4.58.197:80
201.213.177.139:80
78.249.119.122:80
123.51.47.18:80
77.90.136.129:8080
60.93.23.51:80
152.169.22.67:80
190.117.79.209:80
60.108.144.104:443
213.197.182.158:8080
82.76.111.249:443
209.236.123.42:8080
190.24.243.186:80
177.74.228.34:80
191.182.6.118:80
96.245.123.149:80
61.197.92.216:80
1.226.84.243:8080
111.67.12.221:8080
216.47.196.104:80
185.94.252.27:443
70.116.143.84:80
187.162.248.237:80
217.13.106.14:8080
80.11.164.185:80
35.143.99.174:80
190.190.148.27:8080
219.92.13.25:80
70.32.115.157:8080
96.227.52.8:443
51.75.33.127:80
95.9.180.128:80
174.113.69.136:80
119.106.216.84:80
111.67.77.202:8080
91.105.94.200:80
178.250.54.208:8080
98.13.75.196:80
2.36.95.106:80
186.70.127.199:8090
116.202.23.3:8080
202.134.4.210:7080
50.28.51.143:8080
45.33.77.42:8080
67.247.242.247:80
137.74.106.111:7080
85.214.26.7:8080
181.30.61.163:443
77.238.212.227:80
185.215.227.107:443
186.103.141.250:443
50.121.220.50:80
74.136.144.133:80
104.131.41.185:8080
61.92.159.208:8080
104.131.103.37:8080
51.15.7.189:80
185.94.252.12:80
94.176.234.118:443
212.71.237.140:8080
5.196.35.138:7080
45.46.37.97:80
70.32.84.74:8080
199.203.62.165:80
38.88.126.202:8080
51.159.23.217:443
155.186.0.121:80
51.38.124.206:80
181.129.96.162:8080
64.201.88.132:80
92.24.50.153:80
189.2.177.210:443
45.16.226.117:443
76.168.54.203:80
185.178.10.77:80
220.109.145.69:80
192.81.38.31:80
68.183.170.114:8080
177.73.0.98:443
138.97.60.141:7080
192.241.143.52:8080
217.199.160.224:7080
185.183.16.47:80
177.129.17.170:443
5.189.178.202:8080
74.58.215.226:80
51.255.165.160:8080
12.162.84.2:8080
149.202.72.142:7080
87.106.46.107:8080
188.135.15.49:80
68.183.190.199:8080
172.104.169.32:8080
68.69.155.181:80
72.47.248.48:7080
Targets
-
-
Target
emotet_e1_7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9_2020-09-23__170016437769._doc
-
Size
160KB
-
MD5
0ed5a42c5691a1ab4c27bf8c2aed5210
-
SHA1
2d43412fc8c55c9a2d7a2c2d3f18c6adc96f867d
-
SHA256
7933d8d9847728baa3c56f3d63a5539deb3a9260f1d7e03df15affdaed3a57b9
-
SHA512
16034e9b9931d93b0f245f86fa4efb5aeabd86d9840087a86d1b691262703d6cd2b945fafe1a8044a87e5c7adf14eab0a1a01d4eb0fbbed6a840885276ebfe76
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Emotet Payload
Detects Emotet payload in memory.
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation