emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc

General
Target

emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc

Size

162KB

Sample

210104-ypkaw5zann

Score

10/10
MD5

ec95ab38cfdbb3fd11cbbf6ed187d1a2

SHA1

93810fc3bb81fbf72d6b7e5411be33d2c351e549

SHA256

7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e

SHA512

111a28bd7428466a8551ff44cc9f4f889f089a725f75c25036efba42a90a66d821475b10898583e38323b9170757b45fcac10a40b4d75f1d16ab629a676e1ab3

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://admintk.com/wp-admin/L/

exe.dropper

https://mikegeerinck.com/c/YYsa/

exe.dropper

http://freelancerwebdesignerhyderabad.com/cgi-bin/S/

exe.dropper

http://etdog.com/wp-content/nu/

exe.dropper

https://www.hintup.com.br/wp-content/dE/

exe.dropper

http://www.stmarouns.nsw.edu.au/paypal/b8G/

exe.dropper

http://wm.mcdevelop.net/content/6F2gd/

Extracted

Family

emotet

Botnet

Epoch2

C2

90.160.138.175:80

74.222.117.42:80

157.245.123.197:8080

50.116.111.59:8080

173.249.20.233:443

200.116.145.225:443

142.112.10.95:20

87.106.139.101:8080

173.70.61.180:80

75.177.207.146:80

121.124.124.40:7080

98.109.133.80:80

37.187.72.193:8080

74.40.205.197:443

220.245.198.194:80

197.211.245.21:80

123.176.25.234:80

194.190.67.75:80

78.188.225.105:80

217.20.166.178:7080

49.205.182.134:80

79.137.83.50:443

50.91.114.38:80

62.171.142.179:8080

119.59.116.21:8080

75.109.111.18:80

24.179.13.119:80

120.150.60.189:80

24.69.65.8:8080

185.201.9.197:8080

154.0.8.2:443

118.83.154.64:443

161.0.153.60:80

61.19.246.238:443

100.37.240.62:80

66.57.108.14:443

144.217.7.207:7080

181.165.68.127:80

174.118.202.24:443

188.219.31.12:80

89.106.251.163:80

104.131.11.150:443

181.171.209.241:443

178.152.87.96:80

89.216.122.92:80

172.125.40.123:80

47.144.21.37:80

185.94.252.104:443

139.59.60.244:8080

24.231.88.85:80

rsa_pubkey.plain
Targets
Target

emotet_e2_7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e_2021-01-04__205304451894._doc

MD5

ec95ab38cfdbb3fd11cbbf6ed187d1a2

Filesize

162KB

Score

10/10
SHA1

93810fc3bb81fbf72d6b7e5411be33d2c351e549

SHA256

7aa2b2705bbf9bb3f223259b9868c36756743492d88351984e1bda682b94a37e

SHA512

111a28bd7428466a8551ff44cc9f4f889f089a725f75c25036efba42a90a66d821475b10898583e38323b9170757b45fcac10a40b4d75f1d16ab629a676e1ab3

Tags

Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1

8/10

behavioral1

10/10

behavioral2

10/10