General

  • Target

    d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

  • Size

    164KB

  • Sample

    210211-82k9wrhw26

  • MD5

    02b2dee96e10003270606dfd7e059d23

  • SHA1

    defe94b8ae07e6c5db6942bc7d020b615c4ba75d

  • SHA256

    d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

  • SHA512

    4ebd0002c4c75788efdcd928d86da802c0a7d7152e96d6d900c72c656e14fbe62562aa8dff5f409ef1c158fb36c3e05a065c07093b104d3ae10e7ff0cc7c02a4

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://www.achutamanasa.com/media/Te/
    http://opticaquilin.cl/wp-includes/FFueL/
    https://www.infoquick.co.uk/assets/h/
    http://vilajansen.com.br/loja_old_1/p/
    http://oftalmovilaplana.com/wp-includes/wfKu/
    https://cashyinvestment.org/wp-content/21dIZ/
    http://merkadito.mx/upload/6/

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

    12.175.220.98:80
    162.241.204.233:8080
    50.116.111.59:8080
    172.86.188.251:8080
    139.99.158.11:443
    66.57.108.14:443
    75.177.207.146:80
    194.190.67.75:80
    50.245.107.73:443
    173.70.61.180:80
    85.105.205.77:8080
    104.131.11.150:443
    62.75.141.82:80
    70.92.118.112:80
    194.4.58.192:7080
    120.150.60.189:80
    24.231.88.85:80
    78.24.219.147:8080
    110.142.236.207:80
    119.59.116.21:8080

  • rsa_pubkey.plain
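Added example, not code from the sandbox report: a Python script that turns the extracted config above (the ps1 dropper URLs and the Epoch2 C2 list) into matchable indicators, scans log lines for them, and emits Suricata rules. Only the URLs and ip:port pairs come from the report; the proxy and firewall log formats, the client addresses in the sample lines and the SID range are constructed assumptions.

```python
"""Turn the IOCs in the extracted config above into detection content.

Added example, not code from the sandbox report. The dropper URLs and
C2 endpoints are copied from the report; the log formats, client
addresses and SID range below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# From the ps1 dropper config (exe.dropper URLs).
DROPPER_URLS = [
    "http://www.achutamanasa.com/media/Te/",
    "http://opticaquilin.cl/wp-includes/FFueL/",
    "https://www.infoquick.co.uk/assets/h/",
    "http://vilajansen.com.br/loja_old_1/p/",
    "http://oftalmovilaplana.com/wp-includes/wfKu/",
    "https://cashyinvestment.org/wp-content/21dIZ/",
    "http://merkadito.mx/upload/6/",
]
# From the Emotet Epoch2 config (C2, ip:port).
C2_ENDPOINTS = [
    "12.175.220.98:80", "162.241.204.233:8080", "50.116.111.59:8080",
    "172.86.188.251:8080", "139.99.158.11:443", "66.57.108.14:443",
    "75.177.207.146:80", "194.190.67.75:80", "50.245.107.73:443",
    "173.70.61.180:80", "85.105.205.77:8080", "104.131.11.150:443",
    "62.75.141.82:80", "70.92.118.112:80", "194.4.58.192:7080",
    "120.150.60.189:80", "24.231.88.85:80", "78.24.219.147:8080",
    "110.142.236.207:80", "119.59.116.21:8080",
]


def dropper_hosts(urls):
    """Lower-cased hostnames of the dropper URLs, for DNS/proxy matching."""
    return {urlparse(u).hostname.lower() for u in urls}


def c2_pairs(endpoints):
    """Set of (ip, port) tuples. The port is kept because several C2 hosts
    listen on ordinary ports; the exact pair is the specific indicator."""
    pairs = set()
    for ep in endpoints:
        ip, port = ep.rsplit(":", 1)
        pairs.add((ip, int(port)))
    return pairs


# Constructed log formats (assumptions, not any product's real format):
#   proxy:    "<ts> <client> <method> <url> <status>"
#   firewall: "<ts> src=<ip> dst=<ip> dport=<port> action=<verb>"
FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def scan_proxy(lines, hosts):
    """Return (client, url) for proxy lines whose URL host is a dropper host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = urlparse(url).hostname
        if host and host.lower() in hosts:
            hits.append((client, url))
    return hits


def scan_firewall(lines, pairs):
    """Return (src, dst, dport) for connections to a known C2 ip:port pair."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m and (m["dst"], int(m["dport"])) in pairs:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def suricata_rules(urls, endpoints, sid_base=9000001):
    """One Suricata rule per IOC. sid_base is an assumed local SID range."""
    rules, sid = [], sid_base
    for host in sorted(dropper_hosts(urls)):
        rules.append(
            f'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Emotet dropper host {host}"; flow:to_server,established; '
            f'http.host; content:"{host}"; sid:{sid}; rev:1;)')
        sid += 1
    for ip, port in sorted(c2_pairs(endpoints)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet Epoch2 C2 {ip}:{port}"; flow:to_server,established; '
            f'sid:{sid}; rev:1;)')
        sid += 1
    return rules


# Constructed sample logs: one client fetches a dropper URL, then calls a C2
# on its listed port. The port-443 line to the same C2 address is not in the
# config and must not match; the example.com and DNS lines are benign noise.
SAMPLE_PROXY = [
    "2021-02-11T09:14:02Z 10.0.0.15 GET http://www.achutamanasa.com/media/Te/ 200",
    "2021-02-11T09:14:05Z 10.0.0.15 GET https://www.example.com/ 200",
    "2021-02-11T09:14:09Z 10.0.0.22 GET http://merkadito.mx/upload/6/ 404",
]
SAMPLE_FW = [
    "2021-02-11T09:15:01Z src=10.0.0.15 dst=162.241.204.233 dport=8080 action=allow",
    "2021-02-11T09:15:03Z src=10.0.0.15 dst=162.241.204.233 dport=443 action=allow",
    "2021-02-11T09:15:10Z src=10.0.0.31 dst=192.0.2.10 dport=53 action=allow",
]

if __name__ == "__main__":
    print(scan_proxy(SAMPLE_PROXY, dropper_hosts(DROPPER_URLS)))
    print(scan_firewall(SAMPLE_FW, c2_pairs(C2_ENDPOINTS)))
    print("\n".join(suricata_rules(DROPPER_URLS, C2_ENDPOINTS)))
```

Matching on the full ip:port pair rather than the bare address is deliberate: the dropper sites are ordinary web hosts that were most likely compromised, and the C2 list mixes ports 80, 443, 7080 and 8080 on what may be shared or residential addresses, so blocking or alerting on the address alone invites collateral hits. The host-based dropper rules are also the shorter-lived of the two sets; Emotet rotated download paths frequently, so treat them as a retro-hunt list rather than a permanent block list.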

Targets

    • Target

      d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

    • Size

      164KB

    • MD5

      02b2dee96e10003270606dfd7e059d23

    • SHA1

      defe94b8ae07e6c5db6942bc7d020b615c4ba75d

    • SHA256

      d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

    • SHA512

      4ebd0002c4c75788efdcd928d86da802c0a7d7152e96d6d900c72c656e14fbe62562aa8dff5f409ef1c158fb36c3e05a065c07093b104d3ae10e7ff0cc7c02a4

    • Emotet

      Emotet is a modular trojan and malware loader, primarily spread through spam emails carrying malicious attachments; the ps1 dropper configuration extracted above is the PowerShell stage that retrieves the payload from one of the listed URLs, and the resulting payload beacons to the Epoch2 C2 list.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but that is a generic heuristic: Emotet is a loader, not ransomware, and for this family the behaviour is better read as host and environment enumeration.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1082 System Information Discovery (3)
    T1012 Query Registry (2)

Tasks