General

  • Target

    emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx

  • Size

    191KB

  • Sample

    201027-55z4d934c2

  • MD5

    5380ac7e6bb601430d526324efcb3be1

  • SHA1

    3a2e6649282590cf90ad5438966c96d412ac11ec

  • SHA256

    6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495

  • SHA512

    246ccb0a5b1abc6a248d4e34affeb0607d4df20f6d39a16a498da56d4125fbd778be4a2b4e6b02f0f4b3f1d494101a2c5edc227cdd969a88cca0efaf1591ffe2

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

  • rsa_pubkey.plain

Targets

    • Target

      emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx


    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (2) T1012

    System Information Discovery (2) T1082

Tasks