Overview

overview

10

Static

static

8

e3e36943a8...5d.doc

windows7_x64

10

e3e36943a8...5d.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d

  • Size

    167KB

  • Sample

    210211-rny1117a3e

  • MD5

    638d1d539e13424a5c555bfcf025abad

  • SHA1

    5d5878c2bd87669f6d1194ddfe120094a2590795

  • SHA256

    e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d

  • SHA512

    b5b354f4fdbfb411d727b63f0d61a5dcff2d4936cd268b320fa27932e3f4feb54d65135855115272b09147ca3464a7cc28c3cb254359abb527c948a8b759e7ed

Score
10/10
emotetepoch2bankermacrotrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://dripsweet.com/wp-admin/gTiO/
exe.dropper

http://jbsmediaventures.com/wp-content/V/
exe.dropper

https://www.r3-tech.biz/wp-admin/VT/
exe.dropper

http://yaginc.com/images/tk/
exe.dropper

http://novo2.deussalveobrasil.com.br/tractor-parts-gh28c/9/
exe.dropper

http://trekkingfestival.com/demo/C/
exe.dropper

http://narmada.mykfn.com/app/DqKG1/

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443
rsa_pubkey.plain

Targets

    • Target

      e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d

    • Size

      167KB

    • MD5

      638d1d539e13424a5c555bfcf025abad

    • SHA1

      5d5878c2bd87669f6d1194ddfe120094a2590795

    • SHA256

      e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d

    • SHA512

      b5b354f4fdbfb411d727b63f0d61a5dcff2d4936cd268b320fa27932e3f4feb54d65135855115272b09147ca3464a7cc28c3cb254359abb527c948a8b759e7ed

    Score
    10/10
    emotetepoch2bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks