emotet

General

Target

emotet_e2_fa59cf4c1af3d49c804914946132b59157e3d2f1eaf2d2d11a2ac0d5f2f3f2a9_2020-10-30__035315161430._doc
Size

241KB
Sample

201030-yv4kv5hb7e
MD5

10a666323e571710ab24832f3a81eebe
SHA1

fb284f855928761abde54c850292425cf1872f77
SHA256

fa59cf4c1af3d49c804914946132b59157e3d2f1eaf2d2d11a2ac0d5f2f3f2a9
SHA512

77be1355f171be0aa1b1d07e924053c265aa302fb12d9b46e102491fd71c6d318575c72f86d4e05fcdc6436be275361cc8f18a6b1cf7500d2afb7620ef0e6f74

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://foryoulady.com/wp-admin/H3Tu5s/

exe.dropper

https://www.flem-cartoons.fr/wp-includes/Gogzje/

exe.dropper

https://blog.19850120.xyz/wp-admin/VOfoZiU/

exe.dropper

http://capellaevents.com/val-images/mD2zBip/

exe.dropper

https://amirthafoundation.com/wp-admin/0KetV/

exe.dropper

https://busyafnutrition.com.au/wp-admin/A83yfME/

exe.dropper

http://sploong.net/cgi-bin/JsbuL5/

exe.dropper

https://sygnalizujemy.pl/wp-admin/yj/

Extracted

Family

emotet

Botnet

Epoch2

C2

102.182.145.130:80

173.173.254.105:80

64.207.182.168:8080

51.89.199.141:8080

167.114.153.111:8080

173.63.222.65:80

218.147.193.146:80

59.125.219.109:443

172.104.97.173:8080

190.162.215.233:80

68.115.186.26:80

78.188.106.53:443

190.240.194.77:443

24.133.106.23:80

80.227.52.78:80

79.137.83.50:443

120.150.218.241:443

62.171.142.179:8080

194.4.58.192:7080

62.30.7.67:443

rsa_pubkey.plain

Targets

- Target
  
  emotet_e2_fa59cf4c1af3d49c804914946132b59157e3d2f1eaf2d2d11a2ac0d5f2f3f2a9_2020-10-30__035315161430._doc
- Size
  
  241KB
- MD5
  
  10a666323e571710ab24832f3a81eebe
- SHA1
  
  fb284f855928761abde54c850292425cf1872f77
- SHA256
  
  fa59cf4c1af3d49c804914946132b59157e3d2f1eaf2d2d11a2ac0d5f2f3f2a9
- SHA512
  
  77be1355f171be0aa1b1d07e924053c265aa302fb12d9b46e102491fd71c6d318575c72f86d4e05fcdc6436be275361cc8f18a6b1cf7500d2afb7620ef0e6f74
Score

10^/10

emotet epoch2 banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Modifies file permissions

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2