General

  • Target

    emotet_e3_5177894154a2ad0d67c6ea62534a27cdc18b7cfe9c73c8ec6071d72fb8c198a2_2020-10-28__210710214423._fpx

  • Size

    224KB

  • Sample

    201028-cygq3agmbj

  • MD5

    f87d49246f2654da56ae321bdc8b58d8

  • SHA1

    ef8f3f04dd249fa7dbc737d7d346020ff308f94f

  • SHA256

    5177894154a2ad0d67c6ea62534a27cdc18b7cfe9c73c8ec6071d72fb8c198a2

  • SHA512

    fb02be18f2ea24f0e0a970fd517dddce90c923cbdb3d1e0137031cfe0780741170ff6379dc10c5fd586e3109fa49d95a00a99ef55122b19f1b2ff730675567dc

Malware Config

Extracted

Language
ps1
Source
URLs

Extracted

Family

emotet

Botnet

Epoch3

C2

rsa_pubkey.plain

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks