emotet

General

Target

メリークリスマス.doc
Size

162KB
Sample

201222-m5r9v71np6
MD5

71d9aa9f45329b844843dc8ee84abe80
SHA1

064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65
SHA256

d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607
SHA512

80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/

exe.dropper

http://braam.com.br/c/oaA7YWWX/

exe.dropper

http://zebaorganics.com/wp-admin/en-US/

exe.dropper

http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/

exe.dropper

http://guojiazui.com/b/y0QnnWbk/

exe.dropper

http://fi.bonitastores.com/n/WUGoZ/

exe.dropper

http://iog.com.cn/css/Sys/

Extracted

Family

emotet

Botnet

Epoch3

C2

172.193.14.201:80

77.89.249.254:443

203.157.152.9:7080

157.245.145.87:443

195.159.28.244:8080

115.79.195.246:80

163.53.204.180:443

88.119.191.111:80

46.105.131.68:8080

110.37.224.243:80

117.2.139.117:443

172.104.46.84:8080

185.142.236.163:443

37.46.129.215:8080

195.201.56.70:8080

2.82.75.215:80

178.33.167.120:8080

8.4.9.137:8080

203.153.216.178:7080

139.59.12.63:8080

rsa_pubkey.plain

Targets

- Target
  
  メリークリスマス.doc
- Size
  
  162KB
- MD5
  
  71d9aa9f45329b844843dc8ee84abe80
- SHA1
  
  064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65
- SHA256
  
  d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607
- SHA512
  
  80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291
Score

10^/10

emotet epoch3 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2