メリークリスマス.doc

General

Target: メリークリスマス.doc (Japanese for "Merry Christmas")
Size: 162KB
Sample: 201222-m5r9v71np6
Score: 10/10
MD5: 71d9aa9f45329b844843dc8ee84abe80
SHA1: 064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65
SHA256: d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607
SHA512: 80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Malware Config

Extracted (language: ps1, deobfuscated)

exe.dropper URLs:

  • http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/
  • http://braam.com.br/c/oaA7YWWX/
  • http://zebaorganics.com/wp-admin/en-US/
  • http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/
  • http://guojiazui.com/b/y0QnnWbk/
  • http://fi.bonitastores.com/n/WUGoZ/
  • http://iog.com.cn/css/Sys/

Extracted

Family: emotet
Botnet: Epoch3

C2 (ip:port):

  • 172.193.14.201:80
  • 77.89.249.254:443
  • 203.157.152.9:7080
  • 157.245.145.87:443
  • 195.159.28.244:8080
  • 115.79.195.246:80
  • 163.53.204.180:443
  • 88.119.191.111:80
  • 46.105.131.68:8080
  • 110.37.224.243:80
  • 117.2.139.117:443
  • 172.104.46.84:8080
  • 185.142.236.163:443
  • 37.46.129.215:8080
  • 195.201.56.70:8080
  • 2.82.75.215:80
  • 178.33.167.120:8080
  • 8.4.9.137:8080
  • 203.153.216.178:7080
  • 139.59.12.63:8080
  • 190.18.184.113:80
  • 91.83.93.103:443
  • 116.202.10.123:8080
  • 121.117.147.153:443
  • 188.226.165.170:8080
  • 139.59.61.215:443
  • 113.203.238.130:80
  • 175.103.38.146:80
  • 73.55.128.120:80
  • 223.17.215.76:80
  • 54.38.143.245:8080
  • 60.108.128.186:80
  • 162.144.145.58:8080
  • 109.99.146.210:8080
  • 178.254.36.182:8080
  • 37.205.9.252:7080
  • 192.163.221.191:8080
  • 27.78.27.110:443
  • 5.79.70.250:8080
  • 178.62.254.156:8080
  • 190.85.46.52:7080
  • 203.160.167.243:80
  • 2.58.16.86:8080
  • 182.73.7.59:8080
  • 45.230.45.171:443
  • 91.75.75.46:80
  • 203.56.191.129:8080
  • 50.116.78.109:8080
  • 152.32.75.74:443
  • 70.32.89.105:8080

rsa_pubkey.plain
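The two extracted configs above (the ps1 dropper URL list and the Epoch3 C2 list) are most useful turned into lookup sets and swept across proxy and flow logs. The script below is an added example written for this page, not code from the sandbox or from the Emotet sample: the IOC values are the report's, but the proxy and flow log formats and the sample lines are constructed for the demo.

```python
"""Added example, not part of the sandbox report: turn the extracted
config above (dropper URLs and Epoch3 C2 endpoints) into IOC sets and run
them over log lines. The proxy and flow log formats and the sample lines
are constructed for the demo; the IOC values are taken from the report.
"""
from urllib.parse import urlsplit

# exe.dropper URLs from the extracted PowerShell config.
DROPPER_URLS = [
    "http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/",
    "http://braam.com.br/c/oaA7YWWX/",
    "http://zebaorganics.com/wp-admin/en-US/",
    "http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/",
    "http://guojiazui.com/b/y0QnnWbk/",
    "http://fi.bonitastores.com/n/WUGoZ/",
    "http://iog.com.cn/css/Sys/",
]

# First six of the report's C2 entries; the full list drops in unchanged.
C2_ENDPOINTS = [
    "172.193.14.201:80", "77.89.249.254:443", "203.157.152.9:7080",
    "157.245.145.87:443", "195.159.28.244:8080", "115.79.195.246:80",
]


def build_iocs(urls, endpoints):
    """Normalize the config into lookup sets.

    Dropper URLs become (host, path) pairs compared by prefix, because the
    downloader may request a file under the listed directory. C2 entries
    become (ip, port) pairs: matching on the IP alone would flag unrelated
    traffic to shared hosts, so the port is part of the key.
    """
    url_iocs = set()
    for url in urls:
        parts = urlsplit(url)
        url_iocs.add((parts.hostname.lower(), parts.path))
    c2_iocs = set()
    for entry in endpoints:
        ip, port = entry.rsplit(":", 1)
        c2_iocs.add((ip, int(port)))
    return url_iocs, c2_iocs


def match_proxy_line(line, url_iocs):
    """Assumed proxy format: '<ts> <client> <method> <url> <status>'."""
    fields = line.split()
    if len(fields) < 5:
        return None
    parts = urlsplit(fields[3])
    host = (parts.hostname or "").lower()
    for ioc_host, ioc_path in url_iocs:
        if host == ioc_host and parts.path.startswith(ioc_path):
            return ("dropper_url", fields[1], fields[3])
    return None


def match_flow_line(line, c2_iocs):
    """Assumed flow format: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "->":
        return None
    dst_ip, dst_port = fields[3].rsplit(":", 1)
    if (dst_ip, int(dst_port)) in c2_iocs:
        return ("c2_endpoint", fields[1].rsplit(":", 1)[0], fields[3])
    return None


def scan(proxy_lines, flow_lines, urls=DROPPER_URLS, endpoints=C2_ENDPOINTS):
    """Return every hit as (kind, source_host, indicator)."""
    url_iocs, c2_iocs = build_iocs(urls, endpoints)
    hits = []
    for line in proxy_lines:
        hit = match_proxy_line(line, url_iocs)
        if hit:
            hits.append(hit)
    for line in flow_lines:
        hit = match_flow_line(line, c2_iocs)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample logs: one dropper fetch (mixed-case host), one C2
# beacon, benign noise, and a same-IP/different-port flow that must NOT match.
SAMPLE_PROXY = [
    "2020-12-22T09:58:01Z 10.0.0.5 GET http://example.com/index.html 200",
    "2020-12-22T09:58:07Z 10.0.0.5 GET http://ZebaOrganics.com/wp-admin/en-US/ 200",
    "2020-12-22T09:58:09Z 10.0.0.9 GET http://zebaorganics.com/blog/ 200",
]
SAMPLE_FLOWS = [
    "2020-12-22T09:58:15Z 10.0.0.5:49211 -> 203.157.152.9:7080 TCP",
    "2020-12-22T09:58:16Z 10.0.0.5:49212 -> 203.157.152.9:22 TCP",
    "2020-12-22T09:58:20Z 10.0.0.7:49300 -> 8.8.8.8:53 UDP",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY, SAMPLE_FLOWS):
        print(hit)
```

Keying the C2 set on (ip, port) rather than the bare IP is deliberate: several of the report's C2 hosts sit on ports 80 and 443 of what may be ordinary shared hosting, and a hit on the listed port is far stronger evidence than any contact with the address.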
Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Drops file in System32 directory
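The "Process spawned unexpected child process" signature is the one a detection engineer can act on most directly. The script below is an added example written for this page, not code from the sandbox: it runs that check over constructed process-creation records shaped like Sysmon Event ID 1 and also recovers a PowerShell -EncodedCommand payload. The pairing of Word launching powershell.exe is an assumption about how this .doc reaches its ps1 stage (the report lists the signature and the ps1 config, not the exact process tree); the parent and child lists, field names, sample events and the encoded command are all made up here.

```python
"""Added example, not from the sandbox report: a detection for the
"Process spawned unexpected child process" signature, run over constructed
process-creation records shaped like Sysmon Event ID 1.

Assumptions: that this .doc executes its ps1 stage by having Word launch
powershell.exe (the report lists the signature and the ps1 config but not
the exact process tree); the parent/child lists, field names and sample
events, including the base64 encoded command, are made up here.
"""
import base64
import re

# Office hosts that should not be launching script interpreters or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE)."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return a finding for an Office parent spawning a LOLBin child, else None."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in LOLBIN_CHILDREN:
        return None
    return {
        "parent": parent,
        "child": child,
        "user": event["User"],
        "decoded": decode_encoded_command(event["CommandLine"]),
    }


def detect(events):
    """Run classify() over a list of process-creation events."""
    return [finding for finding in map(classify, events) if finding]


# Constructed stage and events. The encoded command is built here so the
# decoder can be checked against a known plaintext.
STAGE = "Write-Host 'constructed second stage'"
ENCODED = base64.b64encode(STAGE.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {   # the pattern the signature describes: Word launching PowerShell
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED,
        "User": "CORP\\alice",
    },
    {   # benign: the shell starting Word
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": '"WINWORD.EXE" /n',
        "User": "CORP\\alice",
    },
    {   # benign: Word launching the print spooler helper
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "C:\\Windows\\splwow64.exe 12288",
        "User": "CORP\\alice",
    },
    {   # an admin running PowerShell from cmd: not an Office parent
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Process",
        "User": "CORP\\admin",
    },
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The rule matches on the parent/child pair only and treats the decoded command line as enrichment, so a hidden-window, no-profile PowerShell child still fires even when the payload is not encoded; the decoder is there because the recovered script is usually the fastest way to pull the next-stage URLs for the kind of IOC sweep shown earlier.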

MITRE ATT&CK Matrix (tactic column headers only): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

  • static1: 8/10
  • behavioral1: 10/10
  • behavioral2: 10/10