General

  • Target

    9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893

  • Size

    179KB

  • Sample

    201027-589a9c24d6

  • MD5

    195b26f04a16b641bdcecc5084ca815d

  • SHA1

    8b87e7f06c75a926103c28fd0b7b8fab532af1a4

  • SHA256

    9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893

  • SHA512

    54591f496f64ecbb54158c0c175a3499b4cd7fc346bef6a5439f31f783068dcefc4f626f0e11d72607817103fa9e6c9fb0e85ef4ce146cec491dcd3d0aed3236

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://car4libya.com/cgi-bin/sDBhPqx/

exe.dropper

http://ostranderandassociates.com/var/thpY/

exe.dropper

http://acredales.com/thank_you/U0u9Z/

exe.dropper

http://scw8.net/wp-content/1MkWc/

exe.dropper

https://adinterix.com/laybuy-investors/9Ab6/

exe.dropper

http://uxnew.com/old/9/

exe.dropper

http://www.queensport.nl/accp/dz/

exe.dropper

https://bahamianrelief.org/VpHo/ey/

Extracted

Family

emotet

Botnet

Epoch2

C2

67.163.161.107:80

107.170.146.252:8080

173.212.214.235:7080

167.114.153.111:8080

185.94.252.104:443

110.142.236.207:80

194.187.133.160:443

218.147.193.146:80

172.104.97.173:8080

216.139.123.119:80

50.91.114.38:80

202.134.4.211:8080

113.61.66.94:80

139.99.158.11:443

62.171.142.179:8080

37.139.21.175:8080

190.108.228.27:443

94.23.237.171:443

154.91.33.137:443

201.241.127.190:80

rsa_pubkey.plain

Targets

    • Target

      9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893

    • Size

      179KB

    • MD5

      195b26f04a16b641bdcecc5084ca815d

    • SHA1

      8b87e7f06c75a926103c28fd0b7b8fab532af1a4

    • SHA256

      9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893

    • SHA512

      54591f496f64ecbb54158c0c175a3499b4cd7fc346bef6a5439f31f783068dcefc4f626f0e11d72607817103fa9e6c9fb0e85ef4ce146cec491dcd3d0aed3236

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks