General
-
Target
ST_Heodo_ST_2021-01-26_10-07-38-267.eml_januari254709242021.doc_analyze.doc
-
Size
173KB
-
Sample
210126-ee4hqvn8ls
-
MD5
6c1219812f01ad5506c7caae9682a1f2
-
SHA1
f5a4d4e8d0b3f235503acdbd0718e07fa4b7115c
-
SHA256
47d9041111f81b08254a97fd3a4ba892eeaa147e3405cff3b7260e333a928f75
-
SHA512
f9c1cd87134c0fe3d31bc0d0282f423822127ee345688b88b0f11650167a47746b7e1707abdf0cb51fa0125c0a071b99bb3470140bf0077e24bc39d635a73411
Malware Config
Extracted
http://www.escalierconsulting.com/wp-includes/I/
http://aecotimes.com/wp-admin/44Z/
http://rakikuma.com/cgi-bin/K/
http://de.letscompareonline.com/cgi-bin/ztEE/
http://haumaguerraevoceoalvo.com.br/wp-includes/0Hm/
http://paulomarciotrp.com/z/y/
https://njyp.com/wp-content/Nz/1/
Extracted
emotet
Epoch2
69.38.130.14:80
195.159.28.230:8080
162.241.204.233:8080
181.165.68.127:80
49.205.182.134:80
190.251.200.206:80
139.59.60.244:8080
119.59.116.21:8080
89.216.122.92:80
185.94.252.104:443
70.92.118.112:80
78.24.219.147:8080
173.70.61.180:80
87.106.139.101:8080
66.57.108.14:443
24.179.13.119:80
121.124.124.40:7080
61.19.246.238:443
200.116.145.225:443
93.146.48.84:80
Targets
-
-
Target
ST_Heodo_ST_2021-01-26_10-07-38-267.eml_januari254709242021.doc_analyze.doc
-
Size
173KB
-
MD5
6c1219812f01ad5506c7caae9682a1f2
-
SHA1
f5a4d4e8d0b3f235503acdbd0718e07fa4b7115c
-
SHA256
47d9041111f81b08254a97fd3a4ba892eeaa147e3405cff3b7260e333a928f75
-
SHA512
f9c1cd87134c0fe3d31bc0d0282f423822127ee345688b88b0f11650167a47746b7e1707abdf0cb51fa0125c0a071b99bb3470140bf0077e24bc39d635a73411
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-