メリークリスマス.doc

Target

メリークリスマス.doc

Size

162KB

Sample

201222-m5r9v71np6

Score

10 ^/10

MD5

71d9aa9f45329b844843dc8ee84abe80

SHA1

064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65

SHA256

d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

SHA512

80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Extracted

Language	ps1
Deobfuscated
URLs	http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/ http://braam.com.br/c/oaA7YWWX/ http://zebaorganics.com/wp-admin/en-US/ http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/ http://guojiazui.com/b/y0QnnWbk/ http://fi.bonitastores.com/n/WUGoZ/ http://iog.com.cn/css/Sys/ exe.dropper http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/ exe.dropper http://braam.com.br/c/oaA7YWWX/ exe.dropper http://zebaorganics.com/wp-admin/en-US/ exe.dropper http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/ exe.dropper http://guojiazui.com/b/y0QnnWbk/ exe.dropper http://fi.bonitastores.com/n/WUGoZ/ exe.dropper http://iog.com.cn/css/Sys/

Extracted

Family	emotet
Botnet	Epoch3
C2	172.193.14.201:80 77.89.249.254:443 203.157.152.9:7080 157.245.145.87:443 195.159.28.244:8080 115.79.195.246:80 163.53.204.180:443 88.119.191.111:80 46.105.131.68:8080 110.37.224.243:80 117.2.139.117:443 172.104.46.84:8080 185.142.236.163:443 37.46.129.215:8080 195.201.56.70:8080 2.82.75.215:80 178.33.167.120:8080 8.4.9.137:8080 203.153.216.178:7080 139.59.12.63:8080 190.18.184.113:80 91.83.93.103:443 116.202.10.123:8080 121.117.147.153:443 188.226.165.170:8080 139.59.61.215:443 113.203.238.130:80 175.103.38.146:80 73.55.128.120:80 223.17.215.76:80 54.38.143.245:8080 60.108.128.186:80 162.144.145.58:8080 109.99.146.210:8080 178.254.36.182:8080 37.205.9.252:7080 192.163.221.191:8080 27.78.27.110:443 5.79.70.250:8080 178.62.254.156:8080 190.85.46.52:7080 203.160.167.243:80 2.58.16.86:8080 182.73.7.59:8080 45.230.45.171:443 91.75.75.46:80 203.56.191.129:8080 50.116.78.109:8080 152.32.75.74:443 70.32.89.105:8080 103.229.72.197:8080 82.78.179.117:443 177.254.134.180:80 74.208.173.91:8080 172.96.190.154:8080 46.32.229.152:8080 186.146.229.172:80 157.7.164.178:8081 103.229.73.17:8080 103.93.220.182:80 120.51.34.254:80 139.5.101.203:80 69.159.11.38:443 79.133.6.236:8080 188.166.220.180:7080 183.91.3.63:80 180.148.4.130:8080 192.241.220.183:8080 115.79.59.157:80 198.20.228.9:8080 24.245.65.66:80 58.27.215.3:8080 192.210.217.94:8080 202.29.237.113:8080 103.80.51.61:8080 177.130.51.198:80 190.194.12.132:80 179.5.118.12:80 78.90.78.210:80 143.95.101.72:8080 185.208.226.142:8080 75.127.14.170:8080 172.193.14.201:80 77.89.249.254:443 203.157.152.9:7080 157.245.145.87:443 195.159.28.244:8080 115.79.195.246:80 163.53.204.180:443 88.119.191.111:80 46.105.131.68:8080 110.37.224.243:80 117.2.139.117:443 172.104.46.84:8080 185.142.236.163:443 37.46.129.215:8080 195.201.56.70:8080 2.82.75.215:80 178.33.167.120:8080 8.4.9.137:8080 203.153.216.178:7080 139.59.12.63:8080 190.18.184.113:80 91.83.93.103:443 116.202.10.123:8080 121.117.147.153:443 188.226.165.170:8080 139.59.61.215:443 113.203.238.130:80 175.103.38.146:80 73.55.128.120:80 223.17.215.76:80 54.38.143.245:8080 60.108.128.186:80 162.144.145.58:8080 109.99.146.210:8080 178.254.36.182:8080 37.205.9.252:7080 192.163.221.191:8080 27.78.27.110:443 5.79.70.250:8080 178.62.254.156:8080 190.85.46.52:7080 203.160.167.243:80 2.58.16.86:8080 182.73.7.59:8080 45.230.45.171:443 91.75.75.46:80 203.56.191.129:8080 50.116.78.109:8080 152.32.75.74:443 70.32.89.105:8080 103.229.72.197:8080 82.78.179.117:443 177.254.134.180:80 74.208.173.91:8080 172.96.190.154:8080 46.32.229.152:8080 186.146.229.172:80 157.7.164.178:8081 103.229.73.17:8080 103.93.220.182:80 120.51.34.254:80 139.5.101.203:80 69.159.11.38:443 79.133.6.236:8080 188.166.220.180:7080 183.91.3.63:80 180.148.4.130:8080 192.241.220.183:8080 115.79.59.157:80 198.20.228.9:8080 24.245.65.66:80 58.27.215.3:8080 192.210.217.94:8080 202.29.237.113:8080 103.80.51.61:8080 177.130.51.198:80 190.194.12.132:80 179.5.118.12:80 78.90.78.210:80 143.95.101.72:8080 185.208.226.142:8080 75.127.14.170:8080
rsa_pubkey.plain

Target

メリークリスマス.doc

MD5

71d9aa9f45329b844843dc8ee84abe80

Filesize

162KB

Score

10 ^/10

SHA1

064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65

SHA256

d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

SHA512

80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Signatures

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet
Process spawned unexpected child process

Description

This typically indicates the parent process was compromised via an exploit or macro.
Blocklisted process makes network request
Loads dropped DLL
Drops file in System32 directory

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

macro

8^/10

behavioral1

emotet epoch3 banker trojan

10^/10

behavioral2

emotet epoch3 banker trojan

10^/10

Extracted

Extracted

Tags

Signatures

Emotet

Description

Tags

Process spawned unexpected child process

Description

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Related Tasks

static1

behavioral1

behavioral2