General

  • Target

    emotet_e2_52cdb3dc05a42a52f343730843e9c398f0580cb85bb1219b4ec4b1757f6adebd_2021-01-12__033731059825._fpx

  • Size

    186KB

  • Sample

    210112-l8gtgwlwsn

  • MD5

    0b55b9f8ad6fa355095fa3262a9cf3d4

  • SHA1

    2a447df6e9d369dfe604de252a9f79c445a1e760

  • SHA256

    858159295a83a85ce85a8e18a4398873eb02dfa32012325f963ab2de57c8c0aa

  • SHA512

    9bbe41a96c443544d1d114991c9a3898a230ad9a7024f0d31f2b9a7677f0725ecb3b451f7dcc908eb20c7ea053ec8c0ff7038ec18bf57f5b64c1a9f0f91d967a

Malware Config

Extracted

Language: ps1

Deobfuscated

URLs (exe.dropper)


Extracted

Family

emotet

Botnet

Epoch2

C2

rsa_pubkey.plain

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

Query Registry (T1012): 2

System Information Discovery (T1082): 2

Tasks