General

  • Target

    emotet_e2_768f3c029cc79ae21d7c732487da93f0e8c7d19a83737f9ce7e107e3adc9054c_2020-12-23__182150606866._doc

  • Size

    183KB

  • Sample

    201223-ated2aanta

  • MD5

    b66d8fe119418a8a69d1276b36eb2fc0

  • SHA1

    4b921043d94136bca5d42ad98a1b7e962a5b9af1

  • SHA256

    768f3c029cc79ae21d7c732487da93f0e8c7d19a83737f9ce7e107e3adc9054c

  • SHA512

    05c0872774d550fb5450c91ddec5ee4dc9c61cad79fa9c2980b1b6e0996d315c147fcb4331a6a841bc730d05a047411f1eeda274c32edd491547e866f6cdac07

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://superiorsurfacings.com/pc-not-qgtje/j8T3S/

exe.dropper

http://tenrougroup.com/j/Hb7Wf/

exe.dropper

http://syokmelaram.com/wp-includes/e1/

exe.dropper

http://advokatemelyanov.ru/administrator/OMHpK/

exe.dropper

http://mumglobal.com/content/DF0/

exe.dropper

http://mvldesign.ca/Durani/2lZs/

exe.dropper

https://eytsoft.com/css/Q2k/

Extracted

Family

emotet

Botnet

Epoch2

C2

97.120.3.198:80

70.180.33.202:80

50.116.111.59:8080

173.249.20.233:443

188.165.214.98:8080

172.104.97.173:8080

41.185.28.84:8080

120.150.218.241:443

217.20.166.178:7080

67.10.155.92:80

188.219.31.12:80

120.150.60.189:80

108.21.72.56:443

186.74.215.34:80

144.217.7.207:7080

152.170.205.73:80

49.205.182.134:80

187.161.206.24:80

95.213.236.64:8080

74.40.205.197:443

rsa_pubkey.plain

Targets

    • Target

      emotet_e2_768f3c029cc79ae21d7c732487da93f0e8c7d19a83737f9ce7e107e3adc9054c_2020-12-23__182150606866._doc

    • Size

      183KB

    • MD5

      b66d8fe119418a8a69d1276b36eb2fc0

    • SHA1

      4b921043d94136bca5d42ad98a1b7e962a5b9af1

    • SHA256

      768f3c029cc79ae21d7c732487da93f0e8c7d19a83737f9ce7e107e3adc9054c

    • SHA512

      05c0872774d550fb5450c91ddec5ee4dc9c61cad79fa9c2980b1b6e0996d315c147fcb4331a6a841bc730d05a047411f1eeda274c32edd491547e866f6cdac07

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks