d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

General

Target d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe
Size 164KB
Sample 210211-w1trhbajaj
Score 10/10
MD5 02b2dee96e10003270606dfd7e059d23
SHA1 defe94b8ae07e6c5db6942bc7d020b615c4ba75d
SHA256 d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe
SHA512 4ebd0002c4c75788efdcd928d86da802c0a7d7152e96d6d900c72c656e14fbe62562aa8dff5f409ef1c158fb36c3e05a065c07093b104d3ae10e7ff0cc7c02a4

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
Extracted

Family emotet
Botnet Epoch2
C2
rsa_pubkey.plain
Targets
Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Drops file in System32 directory

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery

Related Tasks

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1 8/10
behavioral1 10/10
behavioral2 10/10