General

  • Target

    aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63

  • Size

    142KB

  • Sample

    201015-95q2r1vena

  • MD5

    0b5d5c4468a31e83e1ec8a0d8b120496

  • SHA1

    68ac3e73c7bb88172984109977a8dc0f2c095522

  • SHA256

    aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63

  • SHA512

    44b5682ac2f14a0de257bcab0eb42fc725536be8d9ecc432ca3a19ff3425c9b867a85b3d3b37cb1416f76b51d86ae2fcb563641f9fd6b18de0b34024dbc48fd1

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://ziaonlinetutor.com/wp-content/a/
    https://bharatlearningsolutions.com/content/MNd/
    https://trungtammtc.com/wp-admin/LP/
    http://bigprint.pictures/cgi-bin/o/
    https://avozdecamacari.com/home/000~ROOT~000/dev/shm/E/
    https://calculafacturaluz.com/sys-cache/9W/
    http://evisualsoft-001-site3.atempurl.com/wp-content/C7/

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2

    188.157.101.114:80
    192.175.111.214:8080
    95.85.33.23:8080
    192.232.229.54:7080
    181.30.61.163:443
    186.70.127.199:8090
    200.127.14.97:80
    70.169.17.134:80
    24.232.228.233:80
    172.104.169.32:8080
    50.28.51.143:8080
    177.73.0.98:443
    149.202.72.142:7080
    37.187.161.206:8080
    202.29.239.162:443
    213.197.182.158:8080
    202.134.4.210:7080
    190.24.243.186:80
    201.213.177.139:80
    105.209.235.113:8080

  • rsa_pubkey.plain
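The dropper URLs and the C2 list above are only useful once they are turned into matchers. The following Python is an added example, not part of the sandbox report or of the Emotet sample: it normalizes the extracted config into hostname, directory-path and ip:port indicators and runs them over a few constructed proxy and flow log lines. The log formats, the field order, the internal addresses and the timestamps are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Dropper URLs and C2 endpoints as listed in the extracted config above.
DROPPER_URLS = [
    "https://ziaonlinetutor.com/wp-content/a/",
    "https://bharatlearningsolutions.com/content/MNd/",
    "https://trungtammtc.com/wp-admin/LP/",
    "http://bigprint.pictures/cgi-bin/o/",
    "https://avozdecamacari.com/home/000~ROOT~000/dev/shm/E/",
    "https://calculafacturaluz.com/sys-cache/9W/",
    "http://evisualsoft-001-site3.atempurl.com/wp-content/C7/",
]
C2_ENDPOINTS = [
    "188.157.101.114:80", "192.175.111.214:8080", "95.85.33.23:8080",
    "192.232.229.54:7080", "181.30.61.163:443", "186.70.127.199:8090",
    "200.127.14.97:80", "70.169.17.134:80", "24.232.228.233:80",
    "172.104.169.32:8080", "50.28.51.143:8080", "177.73.0.98:443",
    "149.202.72.142:7080", "37.187.161.206:8080", "202.29.239.162:443",
    "213.197.182.158:8080", "202.134.4.210:7080", "190.24.243.186:80",
    "201.213.177.139:80", "105.209.235.113:8080",
]


def build_indicators(dropper_urls, c2_endpoints):
    """Normalize the config into matchable forms.

    hosts:    lower-cased dropper hostnames
    prefixes: (host, directory path) pairs; the payload filename varies, so match the directory
    c2:       (ip, port) tuples; the config pairs each IP with one specific port
    """
    hosts, prefixes, c2 = set(), set(), set()
    for url in dropper_urls:
        p = urlparse(url)
        host = p.hostname.lower()
        hosts.add(host)
        prefixes.add((host, p.path))
    for ep in c2_endpoints:
        ip, port = ep.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        c2.add((ip, int(port)))
    return {"hosts": hosts, "prefixes": prefixes, "c2": c2}


# Assumed log formats (constructed for this example, not a real product's format):
#   proxy: "<ts> <src_ip> <METHOD> <url> <status>"
#   flow:  "<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\w+)$")


def match_line(line, ind):
    """Return (label, source_ip, matched_value) for an indicator hit, else None."""
    m = PROXY_RE.match(line)
    if m:
        p = urlparse(m["url"])
        host = (p.hostname or "").lower()
        if host not in ind["hosts"]:
            return None
        # Scheme is ignored: the config lists some hosts over http and some over https.
        if any(h == host and p.path.startswith(path) for h, path in ind["prefixes"]):
            return ("emotet_dropper_url", m["src"], m["url"])
        # Listed host but outside the listed directory: weaker evidence, reported separately.
        return ("emotet_dropper_host", m["src"], m["url"])
    m = FLOW_RE.match(line)
    if m and (m["dst"], int(m["dport"])) in ind["c2"]:
        return ("emotet_c2", m["src"], f'{m["dst"]}:{m["dport"]}')
    return None


def scan(lines, ind):
    """Run every line through match_line and keep the hits, in input order."""
    return [hit for hit in (match_line(line, ind) for line in lines) if hit]


# Constructed sample log lines; internal addresses and timestamps are invented.
SAMPLE_LOGS = [
    "2020-10-15T09:12:01Z 10.0.0.23 GET https://trungtammtc.com/wp-admin/LP/ 200",
    "2020-10-15T09:12:02Z 10.0.0.23 GET http://bigprint.pictures/cgi-bin/o/x.exe 200",
    "2020-10-15T09:12:30Z 10.0.0.44 GET https://ziaonlinetutor.com/ 200",
    "2020-10-15T09:13:00Z 10.0.0.44 GET https://example.org/index.html 200",
    "2020-10-15T09:15:10Z 10.0.0.23:49822 -> 95.85.33.23:8080 TCP",
    "2020-10-15T09:15:11Z 10.0.0.23:49823 -> 95.85.33.23:443 TCP",
    "2020-10-15T09:16:00Z 10.0.0.44:49900 -> 8.8.8.8:53 UDP",
]

if __name__ == "__main__":
    for label, src, value in scan(SAMPLE_LOGS, build_indicators(DROPPER_URLS, C2_ENDPOINTS)):
        print(f"{label:22} {src:12} {value}")
```

Two choices in the matcher follow from how this config is shaped. C2 is matched on the ip:port pair rather than the bare address, because the config pairs each IP with one port; the sample line to 95.85.33.23:443 is therefore not a hit and would need its own evidence. Dropper URLs are matched on host plus directory prefix with the scheme ignored, since the payload filename differs per request, while a request to a listed host outside the listed directory is labelled as a host-only hit because paths such as /wp-content/ and /wp-admin/ point to otherwise legitimate sites that were compromised.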

Targets

    • Target

      aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63

    • Size

      142KB

    • MD5

      0b5d5c4468a31e83e1ec8a0d8b120496

    • SHA1

      68ac3e73c7bb88172984109977a8dc0f2c095522

    • SHA256

      aa7280fb05501f752d412d103bd48c86094cc49ea8f3d9f6b3ab458a64997f63

    • SHA512

      44b5682ac2f14a0de257bcab0eb42fc725536be8d9ecc432ca3a19ff3425c9b867a85b3d3b37cb1416f76b51d86ae2fcb563641f9fd6b18de0b34024dbc48fd1

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

                          Tasks