Overview

overview

10

Static

static

8

メリーã...‚¹.doc

windows7_x64

10

メリーã...‚¹.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    メリークリスマス.doc

  • Size

    162KB

  • Sample

    201222-m5r9v71np6

  • MD5

    71d9aa9f45329b844843dc8ee84abe80

  • SHA1

    064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65

  • SHA256

    d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

  • SHA512

    80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Score
10/10
emotetepoch3bankermacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/
exe.dropper

http://braam.com.br/c/oaA7YWWX/
exe.dropper

http://zebaorganics.com/wp-admin/en-US/
exe.dropper

http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/
exe.dropper

http://guojiazui.com/b/y0QnnWbk/
exe.dropper

http://fi.bonitastores.com/n/WUGoZ/
exe.dropper

http://iog.com.cn/css/Sys/

Extracted

Family

emotet

Botnet

Epoch3

C2

172.193.14.201:80

77.89.249.254:443

203.157.152.9:7080

157.245.145.87:443

195.159.28.244:8080

115.79.195.246:80

163.53.204.180:443

88.119.191.111:80

46.105.131.68:8080

110.37.224.243:80

117.2.139.117:443

172.104.46.84:8080

185.142.236.163:443

37.46.129.215:8080

195.201.56.70:8080

2.82.75.215:80

178.33.167.120:8080

8.4.9.137:8080

203.153.216.178:7080

139.59.12.63:8080
rsa_pubkey.plain

Targets

    • Target

      メリークリスマス.doc

    • Size

      162KB

    • MD5

      71d9aa9f45329b844843dc8ee84abe80

    • SHA1

      064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65

    • SHA256

      d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

    • SHA512

      80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

    Score
    10/10
    emotetepoch3bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks