General

  • Target

    emotet_e1_75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a_2020-10-29__125734253876._doc

  • Size

    288KB

  • Sample

    201029-7vz5x9t6c6

  • MD5

    04d224ec52eb178906699f26756254fa

  • SHA1

    b9387fc3417846ce5f567e258644b6b45d7c135e

  • SHA256

    75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a

  • SHA512

    2916a9630eb386bd6694d456c47c8b173289fd866a4787d25b3fd8b7906f5670c14eea5f1b13a283772d28c9159ba1c8bde03c8f97826c0b83b52527a45b4e8d

Malware Config

Extracted

Language: ps1

Source URLs (exe.dropper):

http://innhanmachn.com/wp-admin/sA/

http://shomalhouse.com/wp-includes/ID3/IDz/

http://blog.martyrolnick.com/wp-admin/Spq/

https://www.frajamomadrid.com/wp-content/g/

https://pesquisacred.com/vmware-unlocker/daC/

https://medhempfarm.com/wp-admin/Lb/

http://ienglishabc.com/cow/2BB/

Extracted

Family: emotet

Botnet: Epoch1

C2:

192.198.91.138:443

70.39.251.94:8080

87.230.25.43:8080

94.23.62.116:8080

128.92.203.42:80

2.45.176.233:80

202.134.4.210:7080

46.101.58.37:8080

12.163.208.58:80

200.24.255.23:80

76.121.199.225:80

186.193.229.123:80

190.24.243.186:80

201.71.228.86:80

188.251.213.180:80

201.49.239.200:443

104.131.41.185:8080

172.104.169.32:8080

37.187.161.206:8080

70.32.84.74:8080

rsa_pubkey.plain
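The extracted configuration above is a usable indicator set: seven dropper hosts and twenty C2 endpoints. The Python below is an added example, not part of the sandbox report, that parses those values into matchable indicators and sweeps a few log lines for contact with them. The URLs and C2 addresses are the ones listed in this report; the log format ("ts src dst:port host url") and the log lines themselves are constructed for the demonstration and are assumptions.

```python
"""Added example (not part of the sandbox report): turn the extracted
Emotet dropper URLs and C2 list into matchable indicators and sweep a
few log lines for contact with them."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Values copied from the report's "Malware Config" section.
DROPPER_URLS = [
    "http://innhanmachn.com/wp-admin/sA/",
    "http://shomalhouse.com/wp-includes/ID3/IDz/",
    "http://blog.martyrolnick.com/wp-admin/Spq/",
    "https://www.frajamomadrid.com/wp-content/g/",
    "https://pesquisacred.com/vmware-unlocker/daC/",
    "https://medhempfarm.com/wp-admin/Lb/",
    "http://ienglishabc.com/cow/2BB/",
]
C2_ENDPOINTS = [
    "192.198.91.138:443", "70.39.251.94:8080", "87.230.25.43:8080",
    "94.23.62.116:8080", "128.92.203.42:80", "2.45.176.233:80",
    "202.134.4.210:7080", "46.101.58.37:8080", "12.163.208.58:80",
    "200.24.255.23:80", "76.121.199.225:80", "186.193.229.123:80",
    "190.24.243.186:80", "201.71.228.86:80", "188.251.213.180:80",
    "201.49.239.200:443", "104.131.41.185:8080", "172.104.169.32:8080",
    "37.187.161.206:8080", "70.32.84.74:8080",
]


def parse_c2(endpoints):
    """Return a set of (ip, port) tuples; a malformed entry raises."""
    out = set()
    for entry in endpoints:
        host, _, port = entry.rpartition(":")
        out.add((str(ipaddress.ip_address(host)), int(port)))
    return out


def dropper_hosts(urls):
    """Hostnames of the dropper URLs. Matching on the host, not the IP,
    survives the compromised sites resolving to different addresses."""
    return {urlparse(u).hostname.lower() for u in urls}


def ports_by_frequency(c2):
    """(port, count) pairs, most common first, to prioritise egress rules."""
    counts = Counter(port for _, port in c2)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def defang(indicator):
    """Render an indicator so it is not clickable when pasted in a ticket."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


# Constructed log lines (assumed format: "ts src dst:port host url";
# "-" where no HTTP host or URL was observed). Not taken from the report.
SAMPLE_LOG = """\
2020-10-29T12:57:41Z 10.0.0.23 104.16.0.1:443 example.com https://example.com/
2020-10-29T12:57:44Z 10.0.0.23 203.0.113.5:80 innhanmachn.com http://innhanmachn.com/wp-admin/sA/
2020-10-29T12:58:02Z 10.0.0.23 70.39.251.94:8080 - -
2020-10-29T12:58:10Z 10.0.0.41 192.198.91.138:443 - -
2020-10-29T12:58:15Z 10.0.0.41 8.8.8.8:53 - -
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")


def match_log(log_text, c2, hosts):
    """Return (timestamp, source, reason) for every line touching an IOC.
    C2 is matched on the exact ip:port pair, as the config lists it;
    dropper contact is matched on the hostname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, host, _url = m.groups()
        if (dst, int(port)) in c2:
            hits.append((ts, src, f"c2 {dst}:{port}"))
        elif host.lower() in hosts:
            hits.append((ts, src, f"dropper host {host}"))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_ENDPOINTS)
    print("C2 ports:", ports_by_frequency(c2))
    for ts, src, why in match_log(SAMPLE_LOG, c2, dropper_hosts(DROPPER_URLS)):
        print(ts, src, defang(why))
```

Run as a script it prints the port distribution (80 and 8080 dominate this Epoch1 list) and the three constructed lines that touch an indicator; the second constructed line shows why the dropper check keys on hostname rather than on the IP the site happened to resolve to.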

Targets

    • Target

      emotet_e1_75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a_2020-10-29__125734253876._doc

    • Size

      288KB

    • MD5

      04d224ec52eb178906699f26756254fa

    • SHA1

      b9387fc3417846ce5f567e258644b6b45d7c135e

    • SHA256

      75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a

    • SHA512

      2916a9630eb386bd6694d456c47c8b173289fd866a4787d25b3fd8b7906f5670c14eea5f1b13a283772d28c9159ba1c8bde03c8f97826c0b83b52527a45b4e8d

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry (T1012): 2

    • System Information Discovery (T1082): 2

Tasks