General
-
Target
71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534
-
Size
148KB
-
Sample
210211-bj8zqld4p2
-
MD5
dbe690e7e604f442e10f2d570ed3e78b
-
SHA1
e0e36d104478677270283fc0e4288cd3c4e0ea9b
-
SHA256
71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534
-
SHA512
a45e15950e2e957c38407d1b4bc1946f679a11f7fe9a1fb5e2f99310d0bf27e0e1a87fdbe1ec09102f787187c63174f27b3956e72aed413659e039f9b25d2cfe
Behavioral task
behavioral1
Sample
71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534.doc
Resource
win7v20201028
Malware Config
Extracted
http://gethumvee.com/improvisate/HVTtdmsZ/
http://arch.nqu.edu.tw/wordpress/w7F/
http://hindumedia.in/microsporous/P7m/
http://pageshare.net/sales/tzV/
http://bgmtechnologies.com/4131325866/sg/
http://popperandshow.com/248152296/ccXqKYPqQ/
Extracted
emotet
Epoch3
132.248.38.158:80
203.157.152.9:7080
157.245.145.87:443
110.37.224.243:80
70.32.89.105:8080
185.142.236.163:443
192.241.220.183:8080
91.83.93.103:443
54.38.143.245:8080
192.210.217.94:8080
37.205.9.252:7080
78.90.78.210:80
182.73.7.59:8080
163.53.204.180:443
91.75.75.46:80
172.104.46.84:8080
161.49.84.2:80
27.78.27.110:443
203.160.167.243:80
109.99.146.210:8080
120.51.34.254:80
203.56.191.129:8080
183.91.3.63:80
37.46.129.215:8080
188.226.165.170:8080
116.202.10.123:8080
223.17.215.76:80
198.20.228.9:8080
185.208.226.142:8080
68.133.75.203:8080
192.163.221.191:8080
46.105.131.68:8080
8.4.9.137:8080
2.82.75.215:80
178.62.254.156:8080
110.172.180.180:8080
175.103.38.146:80
201.212.61.66:80
190.19.169.69:443
143.95.101.72:8080
91.93.3.85:8080
139.59.12.63:8080
46.32.229.152:8080
195.159.28.244:8080
58.27.215.3:8080
202.29.237.113:8080
5.79.70.250:8080
103.93.220.182:80
75.127.14.170:8080
201.193.160.196:80
139.5.101.203:80
186.96.170.61:80
49.206.16.156:80
178.254.36.182:8080
157.7.164.178:8081
172.96.190.154:8080
172.193.14.201:80
203.153.216.178:7080
2.58.16.86:8080
186.146.229.172:80
117.2.139.117:443
113.161.176.235:80
190.85.46.52:7080
180.148.4.130:8080
50.116.78.109:8080
152.32.75.74:443
162.144.145.58:8080
74.208.173.91:8080
122.116.104.238:8443
178.33.167.120:8080
103.80.51.61:8080
65.32.168.171:80
190.18.184.113:80
24.230.124.78:80
103.229.73.17:8080
179.233.3.89:80
88.58.209.2:80
82.78.179.117:443
115.79.195.246:80
190.107.118.125:80
188.166.220.180:7080
79.133.6.236:8080
139.59.61.215:443
195.201.56.70:8080
201.163.74.204:80
Targets
-
-
Target
71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534
-
Size
148KB
-
MD5
dbe690e7e604f442e10f2d570ed3e78b
-
SHA1
e0e36d104478677270283fc0e4288cd3c4e0ea9b
-
SHA256
71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534
-
SHA512
a45e15950e2e957c38407d1b4bc1946f679a11f7fe9a1fb5e2f99310d0bf27e0e1a87fdbe1ec09102f787187c63174f27b3956e72aed413659e039f9b25d2cfe
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-