Overview

overview

10

Static

static

8

Bestand.doc

windows7_x64

10

Bestand.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bestand.doc

  • Size

    166KB

  • Sample

    210107-xhww16kk7s

  • MD5

    64553aae596a4b3177964c3bac7502eb

  • SHA1

    9cdaf9d3f8dc72d15055fb5ca20fc0dd79b438ff

  • SHA256

    05ec62e5c17cce0faee1f6e791180a7104de6a277f0a3981a65ad43286b5854f

  • SHA512

    2632df66c05351acc150776c8841adc20ab56105297e233b29982b4320f2ab9627bdc25bd6177c2d8fa9773da195d9fa5211779c5dfcea575cba96d813fbb8bd

Score
10/10
emotetepoch1bankermacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://hangarlastik.com/cgi-bin/Ui4n/
exe.dropper

http://padreescapes.com/blog/0I/
exe.dropper

http://sarture.com/wp-includes/JD8/
exe.dropper

http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/
exe.dropper

http://phuongapple.com/messenger-sound-8kwkq/YFr7/
exe.dropper

https://brettshawmagic.com/content/Y/
exe.dropper

https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/

Extracted

Family

emotet

Botnet

Epoch1

C2

5.2.136.90:80

186.147.237.3:8080

138.197.99.250:8080

167.71.148.58:443

211.215.18.93:8080

187.162.248.237:80

1.226.84.243:8080

110.39.160.38:443

5.196.35.138:7080

59.148.253.194:8080

45.16.226.117:443

95.76.153.115:80

181.61.182.143:80

46.43.2.95:8080

188.135.15.49:80

81.215.230.173:443

45.4.32.50:80

81.214.253.80:443

94.176.234.118:443

212.71.237.140:8080
rsa_pubkey.plain

Targets

    • Target

      Bestand.doc

    • Size

      166KB

    • MD5

      64553aae596a4b3177964c3bac7502eb

    • SHA1

      9cdaf9d3f8dc72d15055fb5ca20fc0dd79b438ff

    • SHA256

      05ec62e5c17cce0faee1f6e791180a7104de6a277f0a3981a65ad43286b5854f

    • SHA512

      2632df66c05351acc150776c8841adc20ab56105297e233b29982b4320f2ab9627bdc25bd6177c2d8fa9773da195d9fa5211779c5dfcea575cba96d813fbb8bd

    Score
    10/10
    emotetepoch1bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks