General

  • Target

    ptrjctad.rmz

  • Size

    342KB

  • Sample

    210204-32mp2r8qdn

  • MD5

    ea8d08d8faecc54887e4dc2be3b3b341

  • SHA1

    2811f4b31e912a40b871b96f3f7c15d3d4c0ffb9

  • SHA256

    534a598ae3170e8f39e8cc1fb1976a8bbeb418128fb23fde6420fe624eee2ec6

  • SHA512

    089dfcc735aecdbf57251eb24dce7c7df8fa23f5c2bdd15da3b61d7f77bf4626ef93c5d24873b19b939278dac1b8e4f700d80e4876e3e0164b361fcd773bab5e

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

12.175.220.98:80

162.241.204.233:8080

50.116.111.59:8080

172.86.188.251:8080

139.99.158.11:443

66.57.108.14:443

75.177.207.146:80

194.190.67.75:80

50.245.107.73:443

173.70.61.180:80

85.105.205.77:8080

104.131.11.150:443

62.75.141.82:80

70.92.118.112:80

194.4.58.192:7080

120.150.60.189:80

24.231.88.85:80

78.24.219.147:8080

110.142.236.207:80

119.59.116.21:8080

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

C2

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

rsa_pubkey.plain

Targets

    • Target

      ptrjctad.rmz

    • Size

      342KB

    • MD5

      ea8d08d8faecc54887e4dc2be3b3b341

    • SHA1

      2811f4b31e912a40b871b96f3f7c15d3d4c0ffb9

    • SHA256

      534a598ae3170e8f39e8cc1fb1976a8bbeb418128fb23fde6420fe624eee2ec6

    • SHA512

      089dfcc735aecdbf57251eb24dce7c7df8fa23f5c2bdd15da3b61d7f77bf4626ef93c5d24873b19b939278dac1b8e4f700d80e4876e3e0164b361fcd773bab5e

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Tasks