Overview

overview

10

Static

static

8

SecuriteIn...12.doc

windows7_x64

10

SecuriteIn...12.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.VB.Trojan.Valyria.3730.16598.8612

  • Size

    140KB

  • Sample

    210126-hnswsvey1x

  • MD5

    3e920f73bd01f7f2bc523365586cb1a6

  • SHA1

    c8b23cb6c337de253f9260bfb9448842fca79634

  • SHA256

    11f1815179241d0f4acf9c2e9a9bc84ce4aa2e7c3a4f88ad6e40af2471db5d2e

  • SHA512

    ce68fa7ba60f519dff090789ab4d7a7772b5e06b4615757c400f57dc951876766f08d90c7fb8eff4f3dd9bcab1b0f43eb3186f97084292bf826229ab87fea1b9

Score
10/10
emotetepoch3bankermacroransomwaretrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://nightlifemumbai.club/x/0wBD3/
exe.dropper

https://shop.nowfal.dev/wp-includes/RlMObf2j0/
exe.dropper

http://e-wdesign.eu/wp-content/bn1IgDejh/
exe.dropper

http://traumfrauen-ukraine.de/bin/JyeS/
exe.dropper

https://jflmktg.wpcomstaging.com/wp-content/AK/
exe.dropper

https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.55.186.229:80

203.157.152.9:7080

157.245.145.87:443

132.248.38.158:80

110.172.180.180:8080

70.32.89.105:8080

161.49.84.2:80

37.46.129.215:8080

50.116.78.109:8080

115.79.195.246:80

178.62.254.156:8080

175.103.38.146:80

188.226.165.170:8080

91.93.3.85:8080

162.144.145.58:8080

117.2.139.117:443

190.85.46.52:7080

201.193.160.196:80

152.32.75.74:443

195.201.56.70:8080
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.VB.Trojan.Valyria.3730.16598.8612

    • Size

      140KB

    • MD5

      3e920f73bd01f7f2bc523365586cb1a6

    • SHA1

      c8b23cb6c337de253f9260bfb9448842fca79634

    • SHA256

      11f1815179241d0f4acf9c2e9a9bc84ce4aa2e7c3a4f88ad6e40af2471db5d2e

    • SHA512

      ce68fa7ba60f519dff090789ab4d7a7772b5e06b4615757c400f57dc951876766f08d90c7fb8eff4f3dd9bcab1b0f43eb3186f97084292bf826229ab87fea1b9

    Score
    10/10
    emotetepoch3bankerransomwaretrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks