Overview

overview

10

Static

static

8

f293fd0bb1...f0.doc

windows7_x64

10

f293fd0bb1...f0.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f293fd0bb1eb18785e2d14275e58f164a0d62ad2b65115866121f4d9bf0482f0

  • Size

    102KB

  • Sample

    210211-f28l14z7g6

  • MD5

    fb4bedb321ff2b44db6f3a95aa870756

  • SHA1

    8d298b6c7231a8a3bc56d88cd83448de24f82af2

  • SHA256

    f293fd0bb1eb18785e2d14275e58f164a0d62ad2b65115866121f4d9bf0482f0

  • SHA512

    b8e5987b0a5d7104b817b504fe6ebf231ba6f2eb00eada291f284da56dfc6893a03ff07f8d3c15f7019f23b4810cc84a2d818039a6e49ca874ab7759f8f1049e

Score
10/10
emotetepoch3bankermacrotrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://ordertaker.jakagroup.com/2f77k7i6/E/
exe.dropper

https://edge-tech.uk/flacon/61RO7/
exe.dropper

http://solicwebaps.azurewebsites.net/allam-cycle-1c4gn/KLBX/
exe.dropper

https://www.taradhuay.com/d/It4Iwlo/
exe.dropper

http://istanbulhaliyikamacim.com/content/I9Ogfopdi7/
exe.dropper

https://gmthearingsolution.com/cgi-bin/lrZkqL/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.55.186.229:80

203.157.152.9:7080

157.245.145.87:443

109.99.146.210:8080

116.202.10.123:8080

172.96.190.154:8080

163.53.204.180:443

190.107.118.125:80

91.93.3.85:8080

185.142.236.163:443

115.79.195.246:80

120.51.34.254:80

192.210.217.94:8080

198.20.228.9:8080

91.75.75.46:80

54.38.143.245:8080

161.49.84.2:80

162.144.145.58:8080

178.33.167.120:8080

201.193.160.196:80
rsa_pubkey.plain

Targets

    • Target

      f293fd0bb1eb18785e2d14275e58f164a0d62ad2b65115866121f4d9bf0482f0

    • Size

      102KB

    • MD5

      fb4bedb321ff2b44db6f3a95aa870756

    • SHA1

      8d298b6c7231a8a3bc56d88cd83448de24f82af2

    • SHA256

      f293fd0bb1eb18785e2d14275e58f164a0d62ad2b65115866121f4d9bf0482f0

    • SHA512

      b8e5987b0a5d7104b817b504fe6ebf231ba6f2eb00eada291f284da56dfc6893a03ff07f8d3c15f7019f23b4810cc84a2d818039a6e49ca874ab7759f8f1049e

    Score
    10/10
    emotetepoch3bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks