Overview

overview

10

Static

static

8

Scan-08323...79.doc

windows7_x64

10

Scan-08323...79.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scan-08323-12504279.doc

  • Size

    169KB

  • Sample

    210106-hexqwm7cf6

  • MD5

    b61247e36d9896c12b80a819aa95bcd0

  • SHA1

    c050b55afedb58f8e9648221490abbc3a952f28f

  • SHA256

    d26a67cb2da261214980513551391653427d04054da0ed910b49eac681553c5a

  • SHA512

    556b448bf6029700ea16f53001dfb2e1a47f503b805260f86deecfd336b011752e67286949fd7e775320b32c711032332eae383466a4cab384b13e7c594d30be

Score
10/10
emotetepoch1bankermacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://petafilm.com/wp-admin/4m/
exe.dropper

http://givingthanksdaily.com/qlE/VeF/
exe.dropper

http://wap.zhonglisc.com/wp-includes/QryCB/
exe.dropper

https://fnjbq.com/wp-includes/rlR/
exe.dropper

https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
exe.dropper

http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
exe.dropper

https://somanap.com/wp-admin/P/

Extracted

Family

emotet

Botnet

Epoch1

C2

5.2.136.90:80

186.147.237.3:8080

138.197.99.250:8080

167.71.148.58:443

211.215.18.93:8080

187.162.248.237:80

1.226.84.243:8080

110.39.160.38:443

5.196.35.138:7080

59.148.253.194:8080

45.16.226.117:443

95.76.153.115:80

181.61.182.143:80

46.43.2.95:8080

188.135.15.49:80

81.215.230.173:443

45.4.32.50:80

81.214.253.80:443

94.176.234.118:443

212.71.237.140:8080
rsa_pubkey.plain

Targets

    • Target

      Scan-08323-12504279.doc

    • Size

      169KB

    • MD5

      b61247e36d9896c12b80a819aa95bcd0

    • SHA1

      c050b55afedb58f8e9648221490abbc3a952f28f

    • SHA256

      d26a67cb2da261214980513551391653427d04054da0ed910b49eac681553c5a

    • SHA512

      556b448bf6029700ea16f53001dfb2e1a47f503b805260f86deecfd336b011752e67286949fd7e775320b32c711032332eae383466a4cab384b13e7c594d30be

    Score
    10/10
    emotetepoch1bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks