Overview

overview

10

Static

static

8

71c5f0d22b...34.doc

windows7_x64

10

71c5f0d22b...34.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534

  • Size

    148KB

  • Sample

    210211-bj8zqld4p2

  • MD5

    dbe690e7e604f442e10f2d570ed3e78b

  • SHA1

    e0e36d104478677270283fc0e4288cd3c4e0ea9b

  • SHA256

    71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534

  • SHA512

    a45e15950e2e957c38407d1b4bc1946f679a11f7fe9a1fb5e2f99310d0bf27e0e1a87fdbe1ec09102f787187c63174f27b3956e72aed413659e039f9b25d2cfe

Score
10/10
emotetepoch3bankermacrotrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://gethumvee.com/improvisate/HVTtdmsZ/
exe.dropper

http://arch.nqu.edu.tw/wordpress/w7F/
exe.dropper

http://hindumedia.in/microsporous/P7m/
exe.dropper

http://pageshare.net/sales/tzV/
exe.dropper

http://bgmtechnologies.com/4131325866/sg/
exe.dropper

http://popperandshow.com/248152296/ccXqKYPqQ/

Extracted

Family

emotet

Botnet

Epoch3

C2

132.248.38.158:80

203.157.152.9:7080

157.245.145.87:443

110.37.224.243:80

70.32.89.105:8080

185.142.236.163:443

192.241.220.183:8080

91.83.93.103:443

54.38.143.245:8080

192.210.217.94:8080

37.205.9.252:7080

78.90.78.210:80

182.73.7.59:8080

163.53.204.180:443

91.75.75.46:80

172.104.46.84:8080

161.49.84.2:80

27.78.27.110:443

203.160.167.243:80

109.99.146.210:8080
rsa_pubkey.plain

Targets

    • Target

      71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534

    • Size

      148KB

    • MD5

      dbe690e7e604f442e10f2d570ed3e78b

    • SHA1

      e0e36d104478677270283fc0e4288cd3c4e0ea9b

    • SHA256

      71c5f0d22ba9ab90c93b9bb326917e035e75f5d6cbb5dca61cb601defe5c7534

    • SHA512

      a45e15950e2e957c38407d1b4bc1946f679a11f7fe9a1fb5e2f99310d0bf27e0e1a87fdbe1ec09102f787187c63174f27b3956e72aed413659e039f9b25d2cfe

    Score
    10/10
    emotetepoch3bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks