emotet

General

Target

emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc
Size

162KB
Sample

210104-ypkaw5zann
MD5

ec95ab38cfdbb3fd11cbbf6ed187d1a2
SHA1

93810fc3bb81fbf72d6b7e5411be33d2c351e549
SHA256

7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e
SHA512

111a28bd7428466a8551ff44cc9f4f889f089a725f75c25036efba42a90a66d821475b10898583e38323b9170757b45fcac10a40b4d75f1d16ab629a676e1ab3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://admintk.com/wp-admin/L/

exe.dropper

https://mikegeerinck.com/c/YYsa/

exe.dropper

http://freelancerwebdesignerhyderabad.com/cgi-bin/S/

exe.dropper

http://etdog.com/wp-content/nu/

exe.dropper

https://www.hintup.com.br/wp-content/dE/

exe.dropper

http://www.stmarouns.nsw.edu.au/paypal/b8G/

exe.dropper

http://wm.mcdevelop.net/content/6F2gd/

Extracted

Family

emotet

Botnet

Epoch2

C2

90.160.138.175:80

74.222.117.42:80

157.245.123.197:8080

50.116.111.59:8080

173.249.20.233:443

200.116.145.225:443

142.112.10.95:20

87.106.139.101:8080

173.70.61.180:80

75.177.207.146:80

121.124.124.40:7080

98.109.133.80:80

37.187.72.193:8080

74.40.205.197:443

220.245.198.194:80

197.211.245.21:80

123.176.25.234:80

194.190.67.75:80

78.188.225.105:80

217.20.166.178:7080

rsa_pubkey.plain

Targets

- Target
  
  emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc
- Size
  
  162KB
- MD5
  
  ec95ab38cfdbb3fd11cbbf6ed187d1a2
- SHA1
  
  93810fc3bb81fbf72d6b7e5411be33d2c351e549
- SHA256
  
  7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e
- SHA512
  
  111a28bd7428466a8551ff44cc9f4f889f089a725f75c25036efba42a90a66d821475b10898583e38323b9170757b45fcac10a40b4d75f1d16ab629a676e1ab3
Score

10^/10

emotet epoch2 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2