emotet

General

Target

emotet_e1_1f0e02ade3ec7f795972dab63c97fc6cef31a06797e37bde682eb0528968f78a_2020-11-17__172930709611._doc
Size

287KB
Sample

201117-2gr9cwjpzx
MD5

34bffae510670ff5c41ede77172eea2a
SHA1

e50bc5fa2c7d5ecea2064ad1cd0f92bd6cfc6764
SHA256

1f0e02ade3ec7f795972dab63c97fc6cef31a06797e37bde682eb0528968f78a
SHA512

ed3907652a16425ffe9ac4660d1ef69825689943022e8acaafc47b10fb87bd1b1adec0ee531454e6fbd96dee66dbde50d2d77dec0d3fdc01ddbcced6c1c0d775

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://innhanmachn.com/wp-admin/sA/

exe.dropper

http://shomalhouse.com/wp-includes/ID3/IDz/

exe.dropper

http://blog.martyrolnick.com/wp-admin/Spq/

exe.dropper

https://www.frajamomadrid.com/wp-content/g/

exe.dropper

https://pesquisacred.com/vmware-unlocker/daC/

exe.dropper

https://medhempfarm.com/wp-admin/Lb/

exe.dropper

http://ienglishabc.com/cow/2BB/

Extracted

Family

emotet

Botnet

Epoch1

C2

190.202.229.74:80

118.69.11.81:7080

70.39.251.94:8080

87.230.25.43:8080

94.23.62.116:8080

37.187.161.206:8080

45.46.37.97:80

138.97.60.141:7080

177.144.130.105:8080

169.1.39.242:80

209.236.123.42:8080

202.134.4.210:7080

193.251.77.110:80

2.45.176.233:80

217.13.106.14:8080

189.223.16.99:80

190.101.156.139:80

77.238.212.227:80

181.58.181.9:80

37.183.81.217:80

rsa_pubkey.plain

Targets

- Target
  
  emotet_e1_1f0e02ade3ec7f795972dab63c97fc6cef31a06797e37bde682eb0528968f78a_2020-11-17__172930709611._doc
- Size
  
  287KB
- MD5
  
  34bffae510670ff5c41ede77172eea2a
- SHA1
  
  e50bc5fa2c7d5ecea2064ad1cd0f92bd6cfc6764
- SHA256
  
  1f0e02ade3ec7f795972dab63c97fc6cef31a06797e37bde682eb0528968f78a
- SHA512
  
  ed3907652a16425ffe9ac4660d1ef69825689943022e8acaafc47b10fb87bd1b1adec0ee531454e6fbd96dee66dbde50d2d77dec0d3fdc01ddbcced6c1c0d775
Score

10^/10

emotet epoch1 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blacklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Emotet Payload

Blacklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2