emotet

Resubmissions

17-01-2021 18:03

210117-xmztx5s53n 10

17-01-2021 16:38

210117-9yeyx8qg52 10

13-01-2021 06:02

210113-jj5vc6stas 10

Sharing

Copy URL

Twitter E-mail

General

Target

bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30
Size

157KB
Sample

210117-xmztx5s53n
MD5

a707c3fc57f474a31b67d15f4b994119
SHA1

80f0a0d10d3117f599a008a318e74e931beda998
SHA256

bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30
SHA512

1744766504c7c65432da9a6e7cbc81790b7b4839a3d8523f559692eb3062b3fda3d4405efde86ceed6f185dc7f568b506a5375fde42bd6b4cd58915f1fac6710

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://altrashift.com/wp-includes/I/

exe.dropper

https://ojodetigremezcal.com/wp/i62s/

exe.dropper

https://snowremoval-services.com/wp-content/P3Z/

exe.dropper

http://kitsunecomplements.com/too-much-phppq/n65U/

exe.dropper

https://imperioone.com/content/WOBq/

exe.dropper

http://www.autoeck-baden.at/wp-content/w0Vb/

exe.dropper

https://shop.animewho.com/content/Tj/

Extracted

Family

emotet

Botnet

Epoch2

71.72.196.159:80

69.49.88.46:80

157.245.123.197:8080

50.116.111.59:8080

188.165.214.98:8080

190.103.228.24:80

41.185.28.84:8080

161.0.153.60:80

84.232.252.202:443

78.188.225.105:80

95.213.236.64:8080

220.245.198.194:80

190.251.200.206:80

121.124.124.40:7080

139.99.158.11:443

176.111.60.55:8080

50.245.107.73:443

202.134.4.216:8080

119.59.116.21:8080

104.131.11.150:443

rsa_pubkey.plain

Targets

- Target
  
  bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30
- Size
  
  157KB
- MD5
  
  a707c3fc57f474a31b67d15f4b994119
- SHA1
  
  80f0a0d10d3117f599a008a318e74e931beda998
- SHA256
  
  bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30
- SHA512
  
  1744766504c7c65432da9a6e7cbc81790b7b4839a3d8523f559692eb3062b3fda3d4405efde86ceed6f185dc7f568b506a5375fde42bd6b4cd58915f1fac6710
Score

10^/10

emotet epoch2 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2