General

  • Target

    emotet_e1_45e691f571f8909970ad0e971e3938bcb3b65f8c0f741213b9dfe6cd64ba5062_2020-10-26__121000216987._fpx

  • Size

    167KB

  • Sample

    201026-kfxsaew8d2

  • MD5

    25c855ae9ffa280bc8397500ef0b1c2e

  • SHA1

    c5f7ffc4f84e2494473277d797207c092bb59adb

  • SHA256

    45e691f571f8909970ad0e971e3938bcb3b65f8c0f741213b9dfe6cd64ba5062

  • SHA512

    5ba37671f54c349f74cb370edea971f78794d98ee03c627f1018231682df738943a8eae4b14d7420b20101d494a7ced6c712967ac35c78c4eab6ead4ea987476

Malware Config

Extracted

  • Language

    ps1

  • Source URLs (type: exe.dropper)

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2

  • rsa_pubkey.plain

Targets

    • Score

      10/10

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (2)

Tasks