General

  • Target

    2020-29-12-13681.doc

  • Size

    163KB

  • Sample

    210113-9z6cgm81w6

  • MD5

    ce3a84cdecd19a05c6e95f08ba48fb3c

  • SHA1

    8ea25b5a1ddb49425870a0ce4bc5db8d5beb620f

  • SHA256

    7d4bc732a0e7c802fb8e5c9e023990b2af367d053e07e0e1bcf418f1e7478bc0

  • SHA512

    c588d44c97155a907f2f52edd16160a0c10b60e5a180893b527a10e301a5cbb23e1611d7791ce48c9ce3d8480e5f853c91aecfeb3b39c4b57baffe097ad07a07

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2


  • rsa_pubkey.plain

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2