General

  • Target

    a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc

  • Size

    132KB

  • Sample

    201014-ckqh4hewrn

  • MD5

    40409631a9fb83e1ab8d02c2f8fa216d

  • SHA1

    e6b8170c2ca200cb38d26a9ad836bc596d38ba6d

  • SHA256

    a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc

  • SHA512

    b83ee57533375a8642b71463cbdf27f9ccfdea2d71ed90f21c4bbe4942276c2519446d0c15548d36d985dd9b999be0f946934a8261b5e1a85a8adafc6c89e3ea

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://newcarturkiye.com/wp-admin/Sbp/

exe.dropper

http://lilianwmina.com/wp-includes/Y/

exe.dropper

http://hbmonte.com/wp-content/wer/

exe.dropper

http://thewakestudio.com/wp-admin/3D/

exe.dropper

http://formedbyme.com/wp-content/3e/

exe.dropper

http://unitedway.giving.agency/sys-cache/XnT/

exe.dropper

http://partners.ripplealpha.com/data/ultimatemember/L/

Extracted

Family

emotet

Botnet

Epoch1

C2

188.157.101.114:80

192.175.111.214:8080

95.85.33.23:8080

192.232.229.54:7080

181.30.61.163:443

186.70.127.199:8090

200.127.14.97:80

70.169.17.134:80

24.232.228.233:80

172.104.169.32:8080

50.28.51.143:8080

177.73.0.98:443

149.202.72.142:7080

37.187.161.206:8080

202.29.239.162:443

213.197.182.158:8080

202.134.4.210:7080

190.24.243.186:80

201.213.177.139:80

105.209.235.113:8080

rsa_pubkey.plain

Targets

    • Target

      a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc

    • Size

      132KB

    • MD5

      40409631a9fb83e1ab8d02c2f8fa216d

    • SHA1

      e6b8170c2ca200cb38d26a9ad836bc596d38ba6d

    • SHA256

      a49020010a8e7d4bc405bcc23b9351dc19467c3d466e2d903c6df903668d51cc

    • SHA512

      b83ee57533375a8642b71463cbdf27f9ccfdea2d71ed90f21c4bbe4942276c2519446d0c15548d36d985dd9b999be0f946934a8261b5e1a85a8adafc6c89e3ea

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix

Tasks