General
-
Target
januari-05-041480-2021.doc
-
Size
170KB
-
Sample
210113-3bajzgqcv2
-
MD5
c9b64586c8b3df4596dd1ef21cd2a436
-
SHA1
a0c4ee3f775fd7120cc67f185f5776db5e1826fe
-
SHA256
616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a
-
SHA512
ad4cf4be919fdd07b13330bde557b76bf82b002a8e0bb66eb574c99acfe588057f4be05347655007eedf7ccc9a0779742cd1188de3c798564389a1acbc74e4f8
Static task
static1
Behavioral task
behavioral1
Sample
januari-05-041480-2021.doc
Resource
win7v20201028
Malware Config
Extracted
https://fathekarim.com/images/jiC/
https://trumpcommunity.com/usa-no-uykjh/wcS/
https://comunicacaovertical.com.br/agencia/D0sJl/
http://datawyse.net/5VGI0/
http://transfersuvan.com/wp-admin/1114R/
http://upafrique.com/cgi-bin/iFmg/
https://radioclype.scola.ac-paris.fr/wp-admin/js/widgets/6S/
Extracted
emotet
Epoch2
90.160.138.175:80
74.222.117.42:80
157.245.123.197:8080
50.116.111.59:8080
173.249.20.233:443
200.116.145.225:443
142.112.10.95:20
87.106.139.101:8080
173.70.61.180:80
75.177.207.146:80
121.124.124.40:7080
98.109.133.80:80
37.187.72.193:8080
74.40.205.197:443
220.245.198.194:80
197.211.245.21:80
123.176.25.234:80
194.190.67.75:80
78.188.225.105:80
217.20.166.178:7080
49.205.182.134:80
79.137.83.50:443
50.91.114.38:80
62.171.142.179:8080
119.59.116.21:8080
75.109.111.18:80
24.179.13.119:80
120.150.60.189:80
24.69.65.8:8080
185.201.9.197:8080
154.0.8.2:443
118.83.154.64:443
161.0.153.60:80
61.19.246.238:443
100.37.240.62:80
66.57.108.14:443
144.217.7.207:7080
181.165.68.127:80
174.118.202.24:443
188.219.31.12:80
89.106.251.163:80
104.131.11.150:443
181.171.209.241:443
178.152.87.96:80
89.216.122.92:80
172.125.40.123:80
47.144.21.37:80
185.94.252.104:443
139.59.60.244:8080
24.231.88.85:80
190.240.194.77:443
190.29.166.0:80
194.4.58.192:7080
138.68.87.218:443
187.161.206.24:80
78.189.148.42:80
74.128.121.17:80
75.188.107.174:80
202.141.243.254:443
59.21.235.119:80
62.30.7.67:443
5.2.212.254:80
134.209.144.106:443
110.145.11.73:80
139.162.60.124:8080
95.213.236.64:8080
51.89.36.180:443
41.185.28.84:8080
168.235.67.138:7080
203.153.216.189:7080
93.146.48.84:80
94.23.237.171:443
74.208.45.104:8080
5.39.91.110:7080
172.105.13.66:443
109.74.5.95:8080
115.94.207.99:443
78.24.219.147:8080
70.92.118.112:80
37.139.21.175:8080
24.178.90.49:80
62.75.141.82:80
188.165.214.98:8080
84.232.252.202:443
74.58.215.226:80
109.116.245.80:80
64.207.182.168:8080
110.145.101.66:443
136.244.110.184:8080
202.134.4.216:8080
2.58.16.89:8080
95.9.5.93:80
172.104.97.173:8080
172.86.188.251:8080
167.114.153.111:8080
176.111.60.55:8080
202.134.4.211:8080
67.170.250.203:443
46.105.131.79:8080
70.183.211.3:80
139.99.158.11:443
24.164.79.147:8080
85.105.111.166:80
157.245.99.39:8080
201.241.127.190:80
97.120.3.198:80
50.245.107.73:443
Targets
-
-
Target
januari-05-041480-2021.doc
-
Size
170KB
-
MD5
c9b64586c8b3df4596dd1ef21cd2a436
-
SHA1
a0c4ee3f775fd7120cc67f185f5776db5e1826fe
-
SHA256
616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a
-
SHA512
ad4cf4be919fdd07b13330bde557b76bf82b002a8e0bb66eb574c99acfe588057f4be05347655007eedf7ccc9a0779742cd1188de3c798564389a1acbc74e4f8
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-