91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

General
Target

91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

Size

168KB

Sample

210211-zq8blc77xn

Score
10 /10
MD5

d63f3d22f23e80f57e5832c274b03653

SHA1

3fc9783709279af2306bba8dd5b78dc59024a7a9

SHA256

91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

SHA512

f6cb2ae2f9a364c93e77ef080cb2d0b3e48198d11ef22fed2cc8f2d5e9b3c72de52bcaa0f41fabcd23eca62e8f7580148e2439cbec0f32e8fbd85f2399823508

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
exe.dropper

http://dripsweet.com/wp-admin/gTiO/

 exe.dropper

http://jbsmediaventures.com/wp-content/V/

 exe.dropper

https://www.r3-tech.biz/wp-admin/VT/

 exe.dropper

http://yaginc.com/images/tk/

 exe.dropper

http://novo2.deussalveobrasil.com.br/tractor-parts-gh28c/9/

 exe.dropper

http://trekkingfestival.com/demo/C/

 exe.dropper

http://narmada.mykfn.com/app/DqKG1/

Extracted

Family emotet
Botnet Epoch2
C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443

174.118.202.24:443

71.72.196.159:80

138.68.87.218:443

24.164.79.147:8080

49.205.182.134:80

24.231.88.85:80

121.124.124.40:7080

95.9.5.93:80

118.83.154.64:443

78.24.219.147:8080

104.131.11.150:443

85.105.205.77:8080

108.53.88.101:443

187.161.206.24:80

203.153.216.189:7080

37.187.72.193:8080

185.94.252.104:443

157.245.99.39:8080

50.91.114.38:80

87.106.139.101:8080

74.128.121.17:80

62.75.141.82:80

37.139.21.175:8080

190.103.228.24:80

134.209.144.106:443

78.182.254.231:80

186.74.215.34:80

180.222.161.85:80

69.49.88.46:80

202.134.4.211:8080
rsa_pubkey.plain
Targets
Target

91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

MD5

d63f3d22f23e80f57e5832c274b03653

Filesize

168KB

Score
10/10
SHA1

3fc9783709279af2306bba8dd5b78dc59024a7a9

SHA256

91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

SHA512

f6cb2ae2f9a364c93e77ef080cb2d0b3e48198d11ef22fed2cc8f2d5e9b3c72de52bcaa0f41fabcd23eca62e8f7580148e2439cbec0f32e8fbd85f2399823508

Tags

Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Drops file in System32 directory

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      8/10

                      behavioral1

                      10/10

                      behavioral2

                      10/10