General

  • Target

    9092846dece6e79c44ca875d45bac88bdd2f251cacc31279566e30387bff2371

  • Size

    86KB

  • Sample

    210209-fx5hfvzesa

  • MD5

    4f7a2a0275ef5b51a4247e4b72fd2097

  • SHA1

    139b01f5e527380fee9263733d2df5104cb5d88f

  • SHA256

    3c7b87578c2faf4b45963c8043ae5d724e05f95403864615ea6efacc9c5830aa

  • SHA512

    f37be26c8783df0b2f89787b4f7dbdc70f11417ea96b45670b95b339770fb57525305310b81df0ec2d1d82185835225753a33d4844c68b555aedbc9c990caf4f

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated URLs (each tagged exe.dropper: locations the PowerShell dropper fetches the payload executable from):
      https://office.horussolution.com/files/Help/
      http://18.179.187.145/licenses/Sys/
      https://malaysianscoop.com/img/MSInfo/
      https://luoyb.com/wp-includes/rUhBVqXWAV/
      http://uk-bet.com/wp-content/Media/
      http://somatone.atakdev.com/plesk-stat/Stationery/

Extracted

  • Family: emotet
  • Botnet: Epoch3
  • C2 (ip:port):
      113.161.176.235:80
      88.247.30.64:80
      89.163.210.141:8080
      139.162.10.249:8080
      203.157.152.9:7080
      109.99.146.210:8080
      78.90.78.210:80
      172.193.14.201:80
      157.7.164.178:8081
      189.211.214.19:443
      157.245.145.87:443
      180.148.4.130:8080
      46.32.229.152:8080
      24.245.65.66:80
      82.78.179.117:443
      177.130.51.198:80
      121.117.147.153:443
      203.160.167.243:80
      172.104.46.84:8080
      202.29.237.113:8080
  • rsa_pubkey.plain

Extracted

  • Family: emotet
  • Botnet: LEA
  • C2 (ip:port):
      80.158.3.161:443
      80.158.51.209:8080
      80.158.35.51:80
      80.158.63.78:443
      80.158.53.167:80
      80.158.62.194:443
      80.158.59.174:8080
      80.158.43.136:80
  • rsa_pubkey.plain
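The extracted configs above are only useful once they are matched against your own telemetry. The following is an added example, not part of the sandbox report: it embeds the dropper URLs and the C2 endpoints from both Emotet configs on this page and runs them over proxy and firewall log lines. The log formats and the log lines themselves are constructed for the demo; the dropper URLs are matched by host plus path prefix because the live request usually appends a segment to the directory listed in the config.

```python
"""Match proxy and firewall log lines against the IOCs extracted above.

Added example, not part of the sandbox report. The dropper URLs and C2
endpoints are copied from the extracted configs on this page; the log
formats and the log lines themselves are constructed for the demo.
"""
import re
from urllib.parse import urlparse

# Stage-1 download locations from the extracted PowerShell (ps1) dropper.
DROPPER_URLS = [
    "https://office.horussolution.com/files/Help/",
    "http://18.179.187.145/licenses/Sys/",
    "https://malaysianscoop.com/img/MSInfo/",
    "https://luoyb.com/wp-includes/rUhBVqXWAV/",
    "http://uk-bet.com/wp-content/Media/",
    "http://somatone.atakdev.com/plesk-stat/Stationery/",
]

# C2 endpoints from both extracted Emotet configs (botnets Epoch3 and LEA).
C2_ENDPOINTS = {
    "113.161.176.235:80", "88.247.30.64:80", "89.163.210.141:8080",
    "139.162.10.249:8080", "203.157.152.9:7080", "109.99.146.210:8080",
    "78.90.78.210:80", "172.193.14.201:80", "157.7.164.178:8081",
    "189.211.214.19:443", "157.245.145.87:443", "180.148.4.130:8080",
    "46.32.229.152:8080", "24.245.65.66:80", "82.78.179.117:443",
    "177.130.51.198:80", "121.117.147.153:443", "203.160.167.243:80",
    "172.104.46.84:8080", "202.29.237.113:8080",
    "80.158.3.161:443", "80.158.51.209:8080", "80.158.35.51:80",
    "80.158.63.78:443", "80.158.53.167:80", "80.158.62.194:443",
    "80.158.59.174:8080", "80.158.43.136:80",
}
C2_IPS = {ep.rsplit(":", 1)[0] for ep in C2_ENDPOINTS}

# The dropper URLs are directories; the live request usually appends a path
# segment, so compare the host exactly and the path by prefix.
_DROPPER_PREFIXES = [
    (urlparse(u).hostname.lower(), urlparse(u).path, u) for u in DROPPER_URLS
]


def match_url(url):
    """Return the report's dropper URL that `url` falls under, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    for known_host, known_path, original in _DROPPER_PREFIXES:
        if host == known_host and p.path.startswith(known_path):
            return original
    return None


def match_endpoint(ip, port):
    """Classify a destination: exact C2 endpoint, C2 host on another port, or None."""
    ep = f"{ip}:{port}"
    if ep in C2_ENDPOINTS:
        return "c2_endpoint", ep
    if ip in C2_IPS:
        return "c2_ip_other_port", ep  # lower confidence: same host, unlisted port
    return None


# Constructed log formats: "<ts> <client> <METHOD> <url> <status>" for the proxy,
# "<ts> <ACTION> <src> -> <dst_ip>:<dst_port> <proto>" for the firewall.
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
FW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+\w+$")


def scan_proxy(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line.strip())
        if m and (ioc := match_url(m["url"])):
            hits.append({"line": n, "client": m["client"], "kind": "dropper_url", "ioc": ioc})
    return hits


def scan_firewall(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        m = FW_RE.match(line.strip())
        if not m:
            continue
        verdict = match_endpoint(m["dst"], m["port"])
        if verdict:
            hits.append({"line": n, "client": m["src"], "kind": verdict[0], "ioc": verdict[1]})
    return hits


# Constructed sample logs (not real traffic).
PROXY_LOG = """\
1612864800.123 10.0.0.15 GET https://malaysianscoop.com/img/MSInfo/x7g2/ 200
1612864801.456 10.0.0.15 GET https://www.example.com/index.html 200
1612864802.789 10.0.0.22 GET http://uk-bet.com/wp-content/Media/ 404
"""
FW_LOG = """\
2021-02-09T10:00:05Z ALLOW 10.0.0.15 -> 139.162.10.249:8080 tcp
2021-02-09T10:00:06Z ALLOW 10.0.0.15 -> 93.184.216.34:443 tcp
2021-02-09T10:00:07Z ALLOW 10.0.0.22 -> 80.158.3.161:443 tcp
2021-02-09T10:00:08Z ALLOW 10.0.0.22 -> 80.158.3.161:80 tcp
"""

if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG.splitlines()) + scan_firewall(FW_LOG.splitlines()):
        print(hit)
```

A 404 on a dropper URL is still reported: the request itself shows the macro stage ran, whether or not that particular host still served the payload. The same-IP-different-port case is kept separate so it can be triaged rather than auto-blocked.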

Targets

    • Target

      9092846dece6e79c44ca875d45bac88bdd2f251cacc31279566e30387bff2371

    • Size

      159KB

    • MD5

      c8857c120f2a6609fb03f3a94f79df2d

    • SHA1

      0f01c1feab662983a38f0d1395f2704b9c2eea86

    • SHA256

      9092846dece6e79c44ca875d45bac88bdd2f251cacc31279566e30387bff2371

    • SHA512

      cecba70eba96802f7c6c8eaf60f0a0549a58f9d45418579c02d42d76e46e4f24c9b9fba6cf4cddb24ce0fd17e7231500319a7a40ae6ea6e67d1b6bff846e17a4

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. For this sample the extracted PowerShell (ps1) dropper config is consistent with a macro-launched PowerShell stage that retrieves the Emotet executable from one of the exe.dropper URLs listed above.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this "likely ransomware behaviour", but it is a low-confidence heuristic: on its own, drive enumeration is consistent with the System Information Discovery (T1082) activity reported below and is not evidence of encryption activity.
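The "Process spawned unexpected child process" signature above is easy to reproduce on endpoint telemetry: flag an Office application as the parent of a script host or LOLBin, and raise the score when the command line carries an encoded or hidden-window PowerShell invocation. The following is an added example, not part of the sandbox report or any vendor tooling. The event records are constructed Sysmon-style process-creation events, and the field names (`image`, `parent_image`, `cmdline`) are an assumption of this demo.

```python
"""Flag Office applications spawning script hosts.

Added example for the 'Process spawned unexpected child process' signature.
Not part of the sandbox report; the events below are constructed and the
field names are an assumption of this demo.
"""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Command-line traits typical of macro-launched PowerShell stages.
ENCODED_RE = re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_RE = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden")


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the reasons this event is suspicious (empty list if it is not)."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return []
    reasons = [f"office_spawned_script_host:{parent}->{child}"]
    cmd = event.get("cmdline", "")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded_command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")
    return reasons


def detect(jsonl):
    """Run evaluate() over newline-delimited JSON events; return alerts."""
    alerts = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append({"line": n, "pid": event["pid"], "reasons": reasons})
    return alerts


# Constructed events. The -enc payload decodes to "IEX (New-Object Net.WebClient)",
# a harmless fragment chosen only to exercise the encoded-command check.
EVENTS = r"""
{"pid": 4120, "ppid": 3880, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
{"pid": 3880, "ppid": 1200, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"WINWORD.EXE\" /n invoice.doc"}
{"pid": 4200, "ppid": 3880, "image": "C:\\Windows\\splwow64.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
{"pid": 5010, "ppid": 1200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe"}
{"pid": 5300, "ppid": 5100, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "cmd /c start /min wscript.exe C:\\Users\\Public\\x.vbs"}
"""

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The third event (Word spawning splwow64.exe, the print-spooler helper) and the fourth (an interactive PowerShell started from Explorer) are deliberately benign so the rule is seen to stay quiet on ordinary parent/child pairs; only the Word-to-PowerShell and Excel-to-cmd chains fire.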

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Hits  ID
  Defense Evasion  Modify Registry                1     T1112
  Discovery        System Information Discovery   3     T1082
  Discovery        Query Registry                 2     T1012

Tasks