General

  • Target

    Scan_42030.doc

  • Size

    168KB

  • Sample

    210106-axf9dc8ppj

  • MD5

    a417de65806cff065672bd270a4f34cc

  • SHA1

    219af62bd0f2b9b94628f5a9135074ef4431306e

  • SHA256

    69e8fe5c7d56292e8593c035f1880f8c1271e3cc1800154d4161fb34848efdb9

  • SHA512

    d3d8dcfa9a9179f18942319d973ec01f996524637c046251d70ad6c76d4874acc75f8c23e84c1276f031f1ac3b8ae07f7f7d6a7ea0af5ef62d75944b625c66e2

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (exe.dropper)

    http://petafilm.com/wp-admin/4m/

    http://givingthanksdaily.com/qlE/VeF/

    http://wap.zhonglisc.com/wp-includes/QryCB/

    https://fnjbq.com/wp-includes/rlR/

    https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/

    http://zieflix.teleskopstore.com/cgi-bin/Gt3S/

    https://somanap.com/wp-admin/P/

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2

    5.2.136.90:80

    186.147.237.3:8080

    138.197.99.250:8080

    167.71.148.58:443

    211.215.18.93:8080

    187.162.248.237:80

    1.226.84.243:8080

    110.39.160.38:443

    5.196.35.138:7080

    59.148.253.194:8080

    45.16.226.117:443

    95.76.153.115:80

    181.61.182.143:80

    46.43.2.95:8080

    188.135.15.49:80

    81.215.230.173:443

    45.4.32.50:80

    81.214.253.80:443

    94.176.234.118:443

    212.71.237.140:8080

  • rsa_pubkey.plain

Targets

    • Target

      Scan_42030.doc

    • Size

      168KB

    • MD5

      a417de65806cff065672bd270a4f34cc

    • SHA1

      219af62bd0f2b9b94628f5a9135074ef4431306e

    • SHA256

      69e8fe5c7d56292e8593c035f1880f8c1271e3cc1800154d4161fb34848efdb9

    • SHA512

      d3d8dcfa9a9179f18942319d973ec01f996524637c046251d70ad6c76d4874acc75f8c23e84c1276f031f1ac3b8ae07f7f7d6a7ea0af5ef62d75944b625c66e2

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry: T1112 (1)

  • Discovery

    Query Registry: T1012 (2)

    System Information Discovery: T1082 (2)

Tasks