Resubmissions

17-01-2021 18:03

210117-xmztx5s53n 10

17-01-2021 16:38

210117-9yeyx8qg52 10

13-01-2021 06:02

210113-jj5vc6stas 10

General

  • Target

    bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30

  • Size

    157KB

  • Sample

    210117-xmztx5s53n

  • MD5

    a707c3fc57f474a31b67d15f4b994119

  • SHA1

    80f0a0d10d3117f599a008a318e74e931beda998

  • SHA256

    bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30

  • SHA512

    1744766504c7c65432da9a6e7cbc81790b7b4839a3d8523f559692eb3062b3fda3d4405efde86ceed6f185dc7f568b506a5375fde42bd6b4cd58915f1fac6710

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://altrashift.com/wp-includes/I/

exe.dropper

https://ojodetigremezcal.com/wp/i62s/

exe.dropper

https://snowremoval-services.com/wp-content/P3Z/

exe.dropper

http://kitsunecomplements.com/too-much-phppq/n65U/

exe.dropper

https://imperioone.com/content/WOBq/

exe.dropper

http://www.autoeck-baden.at/wp-content/w0Vb/

exe.dropper

https://shop.animewho.com/content/Tj/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

69.49.88.46:80

157.245.123.197:8080

50.116.111.59:8080

188.165.214.98:8080

190.103.228.24:80

41.185.28.84:8080

161.0.153.60:80

84.232.252.202:443

78.188.225.105:80

95.213.236.64:8080

220.245.198.194:80

190.251.200.206:80

121.124.124.40:7080

139.99.158.11:443

176.111.60.55:8080

50.245.107.73:443

202.134.4.216:8080

119.59.116.21:8080

104.131.11.150:443

rsa_pubkey.plain

Targets

    • Target

      bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30

    • Size

      157KB

    • MD5

      a707c3fc57f474a31b67d15f4b994119

    • SHA1

      80f0a0d10d3117f599a008a318e74e931beda998

    • SHA256

      bdcd5f7db27ea098d9dbd6d561c81bbd0014a42688d4ccac2f799da3ffa17a30

    • SHA512

      1744766504c7c65432da9a6e7cbc81790b7b4839a3d8523f559692eb3062b3fda3d4405efde86ceed6f185dc7f568b506a5375fde42bd6b4cd58915f1fac6710

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks