General

  • Target

    emotet_e1_63ba733a424e0e8faca60800df859696e15df38315049068bc30c559f9230b5b_2020-10-27__152327744649._fpx

  • Size

    164KB

  • Sample

    201027-3rjhevszln

  • MD5

    98c8436a64207c603fe83b9cf018db0a

  • SHA1

    2b6c534d72f69ca4cd92660774b3b3b9becbacdb

  • SHA256

    63ba733a424e0e8faca60800df859696e15df38315049068bc30c559f9230b5b

  • SHA512

    07c5b2df22d26a5b66555becf30719bafab7ac3841488d97bc73bbf18ef99a8bdcbef816d7768e2b9874b44d59107257c442fed2c8c954457dc064503f15d553

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://hashilife.com/sitepage/GY/

exe.dropper

http://anjia-ceramics.com/aliner-camper/K/

exe.dropper

https://monicasharma.info/reviewl/i/

exe.dropper

http://adidasyeezy.store/welph/m/

exe.dropper

http://econews.treegle.org/how-to/2V/

exe.dropper

http://quicktowtowing.com/wp-content/mu-plugins/uMM/

exe.dropper

https://timsonntag.com/cgi-bin/g/

Extracted

Family

emotet

Botnet

Epoch1

C2

78.206.229.130:80

104.131.92.244:8080

70.39.251.94:8080

87.230.25.43:8080

79.118.74.90:80

82.76.111.249:443

82.76.52.155:80

212.71.237.140:8080

188.251.213.180:80

103.236.179.162:80

1.226.84.243:8080

70.32.84.74:8080

2.84.12.98:80

201.213.177.139:80

177.73.0.98:443

170.81.48.2:80

129.232.220.11:8080

177.144.130.105:8080

213.52.74.198:80

120.72.18.91:80

rsa_pubkey.plain

Targets

    • Target

      emotet_e1_63ba733a424e0e8faca60800df859696e15df38315049068bc30c559f9230b5b_2020-10-27__152327744649._fpx

    • Size

      164KB

    • MD5

      98c8436a64207c603fe83b9cf018db0a

    • SHA1

      2b6c534d72f69ca4cd92660774b3b3b9becbacdb

    • SHA256

      63ba733a424e0e8faca60800df859696e15df38315049068bc30c559f9230b5b

    • SHA512

      07c5b2df22d26a5b66555becf30719bafab7ac3841488d97bc73bbf18ef99a8bdcbef816d7768e2b9874b44d59107257c442fed2c8c954457dc064503f15d553

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks