General

  • Target

    emotet_e1_ed4e87a802acc318ecb56a046a99bfeb0c32426bb59be290ec25a813fa76d92e_2020-10-27__121346399823._fpx

  • Size

    179KB

  • Sample

    201027-8rsbmrwc2s

  • MD5

    b92b6b8368d2bb53eda2b70de6c13130

  • SHA1

    edaa0e5b0279a37cc5f8564d4f1b21ee9f99c382

  • SHA256

    ed4e87a802acc318ecb56a046a99bfeb0c32426bb59be290ec25a813fa76d92e

  • SHA512

    d19c77cffd09796a184df7a8b0e4275a84fdd1320f4864ae4133e3c9982882c302f02b112bcdfdcdf57c8202984eac94853da509b280f36d2e99d3ed5a873962

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2
rsa_pubkey.plain

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
