Overview

overview

10

Static

static

8

91838d966b...c4.doc

windows7_x64

10

91838d966b...c4.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

  • Size

    168KB

  • Sample

    210211-zq8blc77xn

  • MD5

    d63f3d22f23e80f57e5832c274b03653

  • SHA1

    3fc9783709279af2306bba8dd5b78dc59024a7a9

  • SHA256

    91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

  • SHA512

    f6cb2ae2f9a364c93e77ef080cb2d0b3e48198d11ef22fed2cc8f2d5e9b3c72de52bcaa0f41fabcd23eca62e8f7580148e2439cbec0f32e8fbd85f2399823508

Score
10/10
emotetepoch2bankermacrotrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://dripsweet.com/wp-admin/gTiO/
exe.dropper

http://jbsmediaventures.com/wp-content/V/
exe.dropper

https://www.r3-tech.biz/wp-admin/VT/
exe.dropper

http://yaginc.com/images/tk/
exe.dropper

http://novo2.deussalveobrasil.com.br/tractor-parts-gh28c/9/
exe.dropper

http://trekkingfestival.com/demo/C/
exe.dropper

http://narmada.mykfn.com/app/DqKG1/

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443
rsa_pubkey.plain

Targets

    • Target

      91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

    • Size

      168KB

    • MD5

      d63f3d22f23e80f57e5832c274b03653

    • SHA1

      3fc9783709279af2306bba8dd5b78dc59024a7a9

    • SHA256

      91838d966b87d7050c800b95ea4cffdeb6104358403b294e5da10f87540f99c4

    • SHA512

      f6cb2ae2f9a364c93e77ef080cb2d0b3e48198d11ef22fed2cc8f2d5e9b3c72de52bcaa0f41fabcd23eca62e8f7580148e2439cbec0f32e8fbd85f2399823508

    Score
    10/10
    emotetepoch2bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks