Overview

overview

10

Static

static

8

1d5f537353...64.doc

windows7_x64

10

1d5f537353...64.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d5f5373532659a5361731578ae5b4a16fa9559a7f5ccde01d97f3cb992c1264

  • Size

    146KB

  • Sample

    210211-6nzcffnxsx

  • MD5

    6dc721e4640b69d1803e279948407951

  • SHA1

    a79ba944baad631a8fd81ccb135d4a5a4a437c3b

  • SHA256

    1d5f5373532659a5361731578ae5b4a16fa9559a7f5ccde01d97f3cb992c1264

  • SHA512

    0c2945658582db687b070ccb8008479c9805f26f1aa2e46457d6e415ba3820b7b85c07d19f9bf72904b000a18a3aad6c0ef680ce8c9457a93cdadb00a065266e

Score
10/10
emotetepoch3bankermacrotrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://gethumvee.com/improvisate/HVTtdmsZ/
exe.dropper

http://arch.nqu.edu.tw/wordpress/w7F/
exe.dropper

http://hindumedia.in/microsporous/P7m/
exe.dropper

http://pageshare.net/sales/tzV/
exe.dropper

http://bgmtechnologies.com/4131325866/sg/
exe.dropper

http://popperandshow.com/248152296/ccXqKYPqQ/

Extracted

Family

emotet

Botnet

Epoch3

C2

132.248.38.158:80

203.157.152.9:7080

157.245.145.87:443

110.37.224.243:80

70.32.89.105:8080

185.142.236.163:443

192.241.220.183:8080

91.83.93.103:443

54.38.143.245:8080

192.210.217.94:8080

37.205.9.252:7080

78.90.78.210:80

182.73.7.59:8080

163.53.204.180:443

91.75.75.46:80

172.104.46.84:8080

161.49.84.2:80

27.78.27.110:443

203.160.167.243:80

109.99.146.210:8080
rsa_pubkey.plain

Targets

    • Target

      1d5f5373532659a5361731578ae5b4a16fa9559a7f5ccde01d97f3cb992c1264

    • Size

      146KB

    • MD5

      6dc721e4640b69d1803e279948407951

    • SHA1

      a79ba944baad631a8fd81ccb135d4a5a4a437c3b

    • SHA256

      1d5f5373532659a5361731578ae5b4a16fa9559a7f5ccde01d97f3cb992c1264

    • SHA512

      0c2945658582db687b070ccb8008479c9805f26f1aa2e46457d6e415ba3820b7b85c07d19f9bf72904b000a18a3aad6c0ef680ce8c9457a93cdadb00a065266e

    Score
    10/10
    emotetepoch3bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks