General

  • Target

    emotet_e1_dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b_2020-10-30__125817440243._doc

  • Size

    208KB

  • Sample

    201030-llkbvahvt2

  • MD5

    629397193e4445a719af0c3b08d03666

  • SHA1

    05e7aa8f51f1fe2d939b6efbe87d351cd2dbe73e

  • SHA256

    dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b

  • SHA512

    dcfc7f1e181a971153e778002a90dd77ff702339bb66b81ce44520d1236897677228b17e7d28f8cc132323e105cacfc76970928d23fa805fca6fe741304e7912

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • exe.dropper

    http://kharazmischl.com/w/okz/
    http://help-m2c.eccang.com/pseovck27kr/n/
    http://myfarasan.com/sitepage/z/
    http://chengmikeji.com/dertouqua/Ocm/
    https://enews.enkj.com/wordpress/bd/
    http://ecobaratocanaria.com/wp-admin/ms/
    https://cimsjr.com/hospital/4q/

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2

    190.202.229.74:80
    118.69.11.81:7080
    70.39.251.94:8080
    87.230.25.43:8080
    94.23.62.116:8080
    37.187.161.206:8080
    45.46.37.97:80
    138.97.60.141:7080
    177.144.130.105:8080
    169.1.39.242:80
    209.236.123.42:8080
    202.134.4.210:7080
    193.251.77.110:80
    2.45.176.233:80
    217.13.106.14:8080
    189.223.16.99:80
    190.101.156.139:80
    77.238.212.227:80
    181.58.181.9:80
    37.183.81.217:80

  • rsa_pubkey.plain
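The extracted configuration above yields two kinds of indicators: the URLs the PowerShell dropper tries in turn for the second stage, and the IP:port pairs the Emotet payload beacons to. The block below is an added example, not code from the report or from the sandbox that produced it: it normalises those indicators into lookup sets and runs them over a few constructed proxy and firewall log lines. The indicator values are copied from the report; the two log formats and the sample lines are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the "Malware Config" section of this report.
DROPPER_URLS = [
    "http://kharazmischl.com/w/okz/",
    "http://help-m2c.eccang.com/pseovck27kr/n/",
    "http://myfarasan.com/sitepage/z/",
    "http://chengmikeji.com/dertouqua/Ocm/",
    "https://enews.enkj.com/wordpress/bd/",
    "http://ecobaratocanaria.com/wp-admin/ms/",
    "https://cimsjr.com/hospital/4q/",
]
C2_ENDPOINTS = [
    "190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080",
    "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080",
    "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080",
    "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080",
    "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080",
    "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80",
    "181.58.181.9:80", "37.183.81.217:80",
]


def parse_c2(entry):
    """Split 'ip:port' into (ip, port); raise ValueError on anything malformed."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {entry!r}")
    ip = str(ipaddress.ip_address(host))  # ValueError if not an IP address
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {entry!r}")
    return ip, port


def build_iocs(urls, c2s):
    """Normalise the extracted config into lookup sets for a log scanner."""
    hosts, host_paths = set(), set()
    for u in urls:
        p = urlparse(u)
        host = p.hostname.lower()
        hosts.add(host)
        host_paths.add((host, p.path))
    c2 = {parse_c2(e) for e in c2s}
    return {"dropper_hosts": hosts, "dropper_paths": host_paths,
            "c2": c2, "c2_ips": {ip for ip, _ in c2}}


# Constructed log formats (assumed for this example, not from the report):
#   proxy:    "<ts> <client_ip> <METHOD> <url> <status>"
#   firewall: "<ts> <ALLOW|DENY> <src_ip>:<sport> -> <dst_ip>:<dport>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD|CONNECT) (\S+) (\d{3})$")
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+):(\d+) -> (\S+):(\d+)$")


def scan_lines(lines, iocs):
    """Return (line_no, verdict, indicator) for each line that touches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if m:
            p = urlparse(m.group(4))
            host = (p.hostname or "").lower()
            if (host, p.path) in iocs["dropper_paths"]:
                hits.append((n, "dropper_url", m.group(4)))
            elif host in iocs["dropper_hosts"]:
                # Same compromised site, different path: still worth a look.
                hits.append((n, "dropper_host", host))
            continue
        m = FW_RE.match(line)
        if m:
            dst, dport = m.group(5), int(m.group(6))
            if (dst, dport) in iocs["c2"]:
                hits.append((n, "c2_endpoint", f"{dst}:{dport}"))
            elif dst in iocs["c2_ips"]:
                # Known C2 address on a port not in the config: lower confidence.
                hits.append((n, "c2_ip_other_port", dst))
    return hits


# Constructed sample lines (not from the report); one benign line at the end.
SAMPLE_LOG = [
    "2020-10-30T12:58:17Z 10.0.0.15 GET http://myfarasan.com/sitepage/z/ 200",
    "2020-10-30T12:58:18Z 10.0.0.15 GET http://myfarasan.com/robots.txt 404",
    "2020-10-30T12:59:02Z ALLOW 10.0.0.15:49712 -> 70.39.251.94:8080",
    "2020-10-30T12:59:40Z ALLOW 10.0.0.15:49713 -> 70.39.251.94:443",
    "2020-10-30T13:00:00Z 10.0.0.15 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG, build_iocs(DROPPER_URLS, C2_ENDPOINTS)):
        print(hit)
```

Matching on the dropper host as well as the exact path is deliberate: the URLs in this config point at compromised sites (note the wp-admin and wordpress paths), and the same host is often reused with a fresh path. The C2 list, by contrast, ages quickly, so treat the IP:port set as a snapshot for the date in the sample name rather than a standing blocklist.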

Targets

    • Target

      emotet_e1_dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b_2020-10-30__125817440243._doc

    • Size

      208KB

    • MD5

      629397193e4445a719af0c3b08d03666

    • SHA1

      05e7aa8f51f1fe2d939b6efbe87d351cd2dbe73e

    • SHA256

      dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b

    • SHA512

      dcfc7f1e181a971153e778002a90dd77ff702339bb66b81ce44520d1236897677228b17e7d28f8cc132323e105cacfc76970928d23fa805fca6fe741304e7912

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory
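Two of the signatures above, "Process spawned unexpected child process" and "Executes dropped EXE", are process-tree findings. The block below is an added example, not code from the report or the sandbox: it applies that logic to a handful of constructed process-creation events in a Sysmon Event ID 1 shape. Everything in it is assumed for illustration: the field names, the process names and paths, and the shape of the chain (WINWORD.EXE launching powershell.exe, which runs an executable from the user's Temp directory) are the usual pattern for a .doc whose extracted dropper is PowerShell, but none of those values appear in the report.

```python
# Constructed events in a Sysmon Event ID 1 shape (assumed field names; no
# value below comes from the report).
EVENTS = [
    {"ProcessId": 812, "ParentProcessId": 600,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessId": 4100, "ParentProcessId": 812,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Print helper spawned by Word: an expected child, must not fire.
    {"ProcessId": 4188, "ParentProcessId": 4100,
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 5220, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 6010, "ParentProcessId": 5220,
     "Image": r"C:\Users\user\AppData\Local\Temp\Gz9b.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # EXE in Temp but launched by the user from Explorer: not under Office.
    {"ProcessId": 6020, "ParentProcessId": 812,
     "Image": r"C:\Users\user\AppData\Local\Temp\SetupTool.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... via ParentProcessId; stop on unknown pid or loop."""
    seen = set()
    pid = event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ParentProcessId"]


def detect(events):
    """Return (pid, rule) for each event matching one of the two rules.

    Rule 1: an Office application spawns a script host or LOLBIN.
    Rule 2: an executable runs from a user-writable directory and has an
            Office application somewhere in its ancestry (the dropped EXE).
    """
    by_pid = {e["ProcessId"]: e for e in events}  # assumes no PID reuse in the window
    findings = []
    for e in events:
        parent, child = image_name(e["ParentImage"]), image_name(e["Image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append((e["ProcessId"], "office_spawned_script_host"))
        elif (child.endswith(".exe")
              and any(d in e["Image"].lower() for d in USER_WRITABLE)
              and any(image_name(a["Image"]) in OFFICE_APPS
                      for a in ancestors(e, by_pid))):
            findings.append((e["ProcessId"], "dropped_exe_run_under_office"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rule 2 requires the Office ancestor on purpose: an executable in Temp is routine on its own (installers land there), and the signal is the lineage back to the document. The sandbox has the full process tree and can make that link directly; on an endpoint the same join needs consistent ProcessId/ParentProcessId fields and a window short enough that PID reuse does not stitch unrelated processes together.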

MITRE ATT&CK Matrix ATT&CK v6

  Tactic      Technique                      ID     Count
  Discovery   Query Registry                 T1012  2
  Discovery   System Information Discovery   T1082  2

Tasks