General

  • Target

    januari-05-041480-2021.doc

  • Size

    170KB

  • Sample

    210113-3bajzgqcv2

  • MD5

    c9b64586c8b3df4596dd1ef21cd2a436

  • SHA1

    a0c4ee3f775fd7120cc67f185f5776db5e1826fe

  • SHA256

    616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a

  • SHA512

    ad4cf4be919fdd07b13330bde557b76bf82b002a8e0bb66eb574c99acfe588057f4be05347655007eedf7ccc9a0779742cd1188de3c798564389a1acbc74e4f8

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    https://fathekarim.com/images/jiC/

    https://trumpcommunity.com/usa-no-uykjh/wcS/

    https://comunicacaovertical.com.br/agencia/D0sJl/

    http://datawyse.net/5VGI0/

    http://transfersuvan.com/wp-admin/1114R/

    http://upafrique.com/cgi-bin/iFmg/

    https://radioclype.scola.ac-paris.fr/wp-admin/js/widgets/6S/

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

    90.160.138.175:80

    74.222.117.42:80

    157.245.123.197:8080

    50.116.111.59:8080

    173.249.20.233:443

    200.116.145.225:443

    142.112.10.95:20

    87.106.139.101:8080

    173.70.61.180:80

    75.177.207.146:80

    121.124.124.40:7080

    98.109.133.80:80

    37.187.72.193:8080

    74.40.205.197:443

    220.245.198.194:80

    197.211.245.21:80

    123.176.25.234:80

    194.190.67.75:80

    78.188.225.105:80

    217.20.166.178:7080

  • rsa_pubkey.plain

Targets

    • Target

      januari-05-041480-2021.doc

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112), count: 1

  • Discovery

    Query Registry (T1012), count: 2

    System Information Discovery (T1082), count: 2

Tasks