Overview

overview

10

Static

static

8

625fb60da1...2c.doc

windows7_x64

10

625fb60da1...2c.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c

  • Size

    145KB

  • Sample

    210211-3v8wefsyje

  • MD5

    9291595e34c9041583fc3f39237bed69

  • SHA1

    969da17d764592dd8a037a0e50f797ed2c38445d

  • SHA256

    625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c

  • SHA512

    227d707be6d1ef1870f4069d54ce14fbadc48785cd21cd38f86c552e508fed0774e05366fd80faa304ac5b2f23c6924f0c68d1af9cd5b8c09522295e93c16438

Score
10/10
emotetepoch3leabankermacrotrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://buarf.com/vcds-throttle-w4z41/pqqn/
exe.dropper

http://vataas.com/3325390551/5W/
exe.dropper

https://blog.tqdesign.vn/banner/uW/
exe.dropper

https://www.abyssos.eu/wp-content/p/
exe.dropper

http://gieoduyen.vn/css/PxmtB/
exe.dropper

http://bambathamobileloans.co.za/cgi-bin/X/

Extracted

Family

emotet

Botnet

Epoch3

C2

132.248.38.158:80

203.157.152.9:7080

157.245.145.87:443

110.37.224.243:80

70.32.89.105:8080

185.142.236.163:443

192.241.220.183:8080

91.83.93.103:443

54.38.143.245:8080

192.210.217.94:8080

37.205.9.252:7080

78.90.78.210:80

182.73.7.59:8080

163.53.204.180:443

91.75.75.46:80

172.104.46.84:8080

161.49.84.2:80

27.78.27.110:443

203.160.167.243:80

109.99.146.210:8080
rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

C2

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80
rsa_pubkey.plain

Targets

    • Target

      625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c

    • Size

      145KB

    • MD5

      9291595e34c9041583fc3f39237bed69

    • SHA1

      969da17d764592dd8a037a0e50f797ed2c38445d

    • SHA256

      625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c

    • SHA512

      227d707be6d1ef1870f4069d54ce14fbadc48785cd21cd38f86c552e508fed0774e05366fd80faa304ac5b2f23c6924f0c68d1af9cd5b8c09522295e93c16438

    Score
    10/10
    emotetepoch3leabankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks