General

  • Target

    1787-L_6307705.zip

  • Size

    89KB

  • Sample

    210107-44gm4dvym6

  • MD5

    f5e7665a324bdb39df98fd0a30c4275e

  • SHA1

    640e3618f1d7efb79f79cec9f156b78ca0bd0baa

  • SHA256

    744ef7b599e0f9887776b7446c01c5c2c0a9d88bae23ce34f0a518dd31ca1974

  • SHA512

    c0979012a7c2181a7a24c49371275097248401d4621ab067ec3efe0585d8e3bb1e427af1c7406b2a8ae3547964d7a94be9b31b63ab70cb3c7b68524196f7f4d5

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2


rsa_pubkey.plain

Targets

    • Target

      1787-L_6307705.doc

    • Size

      165KB

    • MD5

      7e9e380b658de7fc089d13d07ab16649

    • SHA1

      1193fbd63f2a99d58f1ed0b327d452e16203c8aa

    • SHA256

      dda2cbe871dff7128fafb6351d096bbf6caab7de881355ea05022686ad4a9270

    • SHA512

      c48009e1abd1fead8ddf6369de9ec196b7412c5bc3d90fd35b9b3feec5db39c5cbce2471bc80c15f2a6d5d07eab359cc0928dc4fd80375ebdcf512c43ccc9cfc

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
