General

  • Target

    rep_37740235757282600901387.doc.zip

  • Size

    85KB

  • Sample

    201123-qfvm9jj28n

  • MD5

    36b265aea54c9ba18c696b085ea88dfb

  • SHA1

    ba6aa2e77abafb31fc3b48f4a3d7d8d618f7aa14

  • SHA256

    a34d385ac828fa38251b3c56b9dd58dd261e8ea7b9d8b8a0b6d02ab7403448dd

  • SHA512

    5842cec2e2c86cc9af291a45a96ffb8e92789a89bd8b3bf7cee7e2d51bf68e3ad8a821e2877d6c752c71f33355f1f9e4d5587bccc9882e212f2ed59e6b8f342f

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (type, URL)

    exe.dropper  http://da-industrial.com/js/9IdLP/
    exe.dropper  http://daprofesional.com/data4/hWgWjTV/
    exe.dropper  https://dagranitegiare.com/wp-admin/tV/
    exe.dropper  http://www.outspokenvisions.com/wp-includes/aWoM/
    exe.dropper  http://mobsouk.com/wp-includes/UY30R/
    exe.dropper  http://biglaughs.org/smallpotatoes/Y/
    exe.dropper  https://ngllogistics.africa/adminer/W3mkB/

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

    102.182.145.130:80
    173.173.254.105:80
    64.207.182.168:8080
    51.89.199.141:8080
    167.114.153.111:8080
    173.63.222.65:80
    218.147.193.146:80
    59.125.219.109:443
    172.104.97.173:8080
    190.162.215.233:80
    68.115.186.26:80
    78.188.106.53:443
    190.240.194.77:443
    24.133.106.23:80
    80.227.52.78:80
    79.137.83.50:443
    120.150.218.241:443
    62.171.142.179:8080
    194.4.58.192:7080
    62.30.7.67:443

  • rsa_pubkey.plain

Targets

    • Target

      rep_37740235757282600901387.doc

    • Size

      175KB

    • MD5

      5c879823a2a6ee415f4c773d55a0d680

    • SHA1

      280168469b69cb8b0d8cba43378d72fa9b33a146

    • SHA256

      fd63dec89395fb5024155fdfa24256fc31add9f974f2870e11fef458790d425f

    • SHA512

      0e57ad0252433edcdbe98154b0e0c827d15f6147d9d623371d03072b89fdec74dc14d7b8292ce4de04cb8bd0b32f982c68c49815551ea7fbc0253b7b62b4e822

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                       Count  ID
  Defense Evasion    Modify Registry                 1      T1112
  Discovery          Query Registry                  2      T1012
  Discovery          System Information Discovery    2      T1082

Tasks