General

  • Target

    file_DT-0492.zip

  • Size

    89KB

  • Sample

    210107-vfrtpg3862

  • MD5

    ee9d04313d54393b32032430eb0f0e18

  • SHA1

    d1ad21b1d9af4c60430fbb1a6fdae4221af8bf61

  • SHA256

    6210f263eac53200f6eb7ec88310b71e0abcf5620835818d5b983fcc9b7a457f

  • SHA512

    15af0e59529fe1c29619f1e14db652d22fc73d9828ac3035778401d8092d933a38cc5df68aace28c6291c30d7cf27e8cf490c8021d5237f71dd6d3521afdf7b6

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (exe.dropper)

    http://hangarlastik.com/cgi-bin/Ui4n/
    http://padreescapes.com/blog/0I/
    http://sarture.com/wp-includes/JD8/
    http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/
    http://phuongapple.com/messenger-sound-8kwkq/YFr7/
    https://brettshawmagic.com/content/Y/
    https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2

    5.2.136.90:80
    186.147.237.3:8080
    138.197.99.250:8080
    167.71.148.58:443
    211.215.18.93:8080
    187.162.248.237:80
    1.226.84.243:8080
    110.39.160.38:443
    5.196.35.138:7080
    59.148.253.194:8080
    45.16.226.117:443
    95.76.153.115:80
    181.61.182.143:80
    46.43.2.95:8080
    188.135.15.49:80
    81.215.230.173:443
    45.4.32.50:80
    81.214.253.80:443
    94.176.234.118:443
    212.71.237.140:8080

  • rsa_pubkey.plain
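A practitioner pulling this report into detection tooling wants the extracted configuration as validated, matchable indicators rather than a list to eyeball. The Python below is an added example, not part of the sandbox report: it validates the C2 "ip:port" entries listed above, extracts the dropper hostnames from the deobfuscated URLs, defangs both for sharing, and matches them against a few constructed connection-log and proxy-log lines whose formats are assumed for the example. Emotet's C2 and dropper hosts rotate quickly, so indicators like these suit retrospective hunting better than a long-lived blocklist.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the extracted configuration on this page: the Emotet
# Epoch1 C2 entries ("ip:port") and the PowerShell dropper's download URLs.
C2_ENTRIES = [
    "5.2.136.90:80", "186.147.237.3:8080", "138.197.99.250:8080",
    "167.71.148.58:443", "211.215.18.93:8080", "187.162.248.237:80",
    "1.226.84.243:8080", "110.39.160.38:443", "5.196.35.138:7080",
    "59.148.253.194:8080", "45.16.226.117:443", "95.76.153.115:80",
    "181.61.182.143:80", "46.43.2.95:8080", "188.135.15.49:80",
    "81.215.230.173:443", "45.4.32.50:80", "81.214.253.80:443",
    "94.176.234.118:443", "212.71.237.140:8080",
]
DROPPER_URLS = [
    "http://hangarlastik.com/cgi-bin/Ui4n/",
    "http://padreescapes.com/blog/0I/",
    "http://sarture.com/wp-includes/JD8/",
    "http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/",
    "http://phuongapple.com/messenger-sound-8kwkq/YFr7/",
    "https://brettshawmagic.com/content/Y/",
    "https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/",
]


def parse_c2(entry):
    """Validate one 'ip:port' entry and return (ip, port); raise ValueError on junk.

    A malformed entry is rejected rather than passed through: in a blocklist
    feed it would either block nothing or block the wrong thing."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError("missing port: %r" % entry)
    ip = ipaddress.ip_address(host)      # rejects hostnames and garbage
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("bad port: %r" % entry)
    return str(ip), port


def is_valid_c2(entry):
    try:
        parse_c2(entry)
        return True
    except ValueError:
        return False


def defang(text):
    """Render an indicator so it cannot be clicked or auto-linked in a report."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def build_indicators():
    """Return (set of C2 IPs, set of dropper hostnames) for log matching."""
    ips = {parse_c2(e)[0] for e in C2_ENTRIES}
    hosts = {urlsplit(u).hostname for u in DROPPER_URLS}   # .hostname is lower-cased
    return ips, hosts


# Constructed sample records (not from the sandbox report). Assumed formats:
# connection log "<ts> <src_ip> <dst_ip> <dst_port>", proxy log "<ts> <src_ip> <url>".
SAMPLE_CONN = [
    "1610000001 10.0.0.5 93.184.216.34 443",
    "1610000002 10.0.0.5 138.197.99.250 8080",
    "1610000003 10.0.0.7 5.196.35.138 7080",
    "1610000004 10.0.0.7 5.196.35.138 80",
]
SAMPLE_PROXY = [
    "1610000005 10.0.0.5 http://example.com/index.html",
    "1610000006 10.0.0.5 http://sarture.com/wp-includes/JD8/",
    "1610000007 10.0.0.9 https://Brettshawmagic.com/content/Y/",
]
CONN_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def match_conn(lines, ips):
    """(src, dst, port) for every record whose destination is a C2 address.

    Matching is on IP alone even though each C2 entry carries a port: a host
    that talks to a known C2 address on any port deserves a look."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m and m.group(3) in ips:
            hits.append((m.group(2), m.group(3), int(m.group(4))))
    return hits


def match_proxy(lines, hosts):
    """(src, host) for every record whose URL points at a dropper host."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        host = urlsplit(m.group(3)).hostname if m else None
        if host in hosts:
            hits.append((m.group(2), host))
    return hits
```

Matching the proxy log on hostname rather than full URL is deliberate: Emotet dropper paths change per campaign while the compromised hosting site often stays the same for days, so the host is the more durable indicator of the two.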

Targets

    • Target

      file_DT-0492.doc

    • Size

      166KB

    • MD5

      b4056eae04591aeb2665ef5d07544297

    • SHA1

      b6de03650b7fba6d70cd8c1a4838e0870fe3695a

    • SHA256

      2d42d6cb06e0c3f22fa1e01eb4bf7ffbea8b4ebf808e43ec163dfa5008574740

    • SHA512

      82e81124c7a46055fd7e4ec815e4107fb66edc3a83c912975f72eb3cb250785d9a807f3abf5c5f6ac3aca1de3c42e761b9276766347f47dda3b8e79fa9a9d031

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory
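The "Process spawned unexpected child process" signature above is the behaviour a host-based rule can catch outside the sandbox: for this sample, the Word document launching the PowerShell dropper. The Python below is an added example, not the sandbox's own signature logic: it evaluates Sysmon Event ID 1-style process-creation records, flags Office parents that launch script hosts or other living-off-the-land binaries, and notes an encoded PowerShell command line when one is present. The parent and child sets, the command-line switch spellings and the sample events are assumptions constructed for the example.

```python
import re

# Which parents and children count as "unexpected" is an assumption for this
# example, not something the report states: Office applications on the left,
# script hosts and living-off-the-land binaries on the right.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# -e, -ec, -enc and -encodedcommand are the usual spellings of PowerShell's
# EncodedCommand switch seen in droppers; \b keeps -ExecutionPolicy from matching.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")


def basename(path):
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a reason string if a process-creation event is suspicious, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    reason = "%s spawned %s" % (parent, child)
    if ENCODED_RE.search(event.get("CommandLine", "")):
        reason += " with an encoded command line"
    return reason


def scan(events):
    """(ProcessId, reason) for every suspicious event, in input order."""
    hits = []
    for event in events:
        reason = evaluate(event)
        if reason:
            hits.append((event["ProcessId"], reason))
    return hits


# Constructed Sysmon Event ID 1-style records (not from the report); the
# base64 blob is a placeholder, not real dropper content.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4001, "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"ProcessId": 4002, "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc QQBCAEMA"},
    {"ProcessId": 4003, "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"ProcessId": 4004, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ProcessId": 4005, "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "Image": OFFICE + r"\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n"},
]
```

Scoping the rule to Office parents is what keeps it quiet in a fleet where administrators run PowerShell from Explorer or a terminal all day; the sandbox signature is broader because it judges the whole process tree of one detonation, not a production host's baseline. Outlook launching Word (event 4005) and Word launching the print spooler helper (event 4001) are normal and stay silent.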

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks