Overview

overview

10

Static

static

8

emotet_e2_...oc.doc

windows7_x64

10

emotet_e2_...oc.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc

  • Size

    162KB

  • Sample

    210104-ypkaw5zann

  • MD5

    ec95ab38cfdbb3fd11cbbf6ed187d1a2

  • SHA1

    93810fc3bb81fbf72d6b7e5411be33d2c351e549

  • SHA256

    7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e

  • SHA512

    111a28bd7428466a8551ff44cc9f4f889f089a725f75c25036efba42a90a66d821475b10898583e38323b9170757b45fcac10a40b4d75f1d16ab629a676e1ab3

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://admintk.com/wp-admin/L/
exe.dropper

https://mikegeerinck.com/c/YYsa/
exe.dropper

http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
exe.dropper

http://etdog.com/wp-content/nu/
exe.dropper

https://www.hintup.com.br/wp-content/dE/
exe.dropper

http://www.stmarouns.nsw.edu.au/paypal/b8G/
exe.dropper

http://wm.mcdevelop.net/content/6F2gd/

Extracted

Family

emotet

Botnet

Epoch2

C2

90.160.138.175:80

74.222.117.42:80

157.245.123.197:8080

50.116.111.59:8080

173.249.20.233:443

200.116.145.225:443

142.112.10.95:20

87.106.139.101:8080

173.70.61.180:80

75.177.207.146:80

121.124.124.40:7080

98.109.133.80:80

37.187.72.193:8080

74.40.205.197:443

220.245.198.194:80

197.211.245.21:80

123.176.25.234:80

194.190.67.75:80

78.188.225.105:80

217.20.166.178:7080
rsa_pubkey.plain

Targets

    • Target

      emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc

    • Size

      162KB

    • MD5

      ec95ab38cfdbb3fd11cbbf6ed187d1a2

    • SHA1

      93810fc3bb81fbf72d6b7e5411be33d2c351e549

    • SHA256

      7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e

    • SHA512

      111a28bd7428466a8551ff44cc9f4f889f089a725f75c25036efba42a90a66d821475b10898583e38323b9170757b45fcac10a40b4d75f1d16ab629a676e1ab3

    Score
    10/10
    emotetepoch2bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks