General

  • Target

    715082.zip

  • Size

    85KB

  • Sample

    210212-dsqw2m2ed6

  • MD5

    f2450c9a34e4ce97a9f2ed3a69c112e3

  • SHA1

    b7acbd4c500c7dbb197dc153039ef4d4aee87d4d

  • SHA256

    e655f6d38b4fe6444a4ff777df30d395bae250cbf5dce0f9dd9267a344c01c47

  • SHA512

    768091f5566bca81c19dd495a6597dfd5faf54c7571d5d26af2a525d1a6c53ef15e32367b529a0bab400babc4d5a13564e26fc3de6224b91cd6c14dc5317e2fd

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

Extracted

  • Family

    emotet

  • Botnet

    Epoch1

  • C2

  • rsa_pubkey.plain

Targets

    • Target

      715082.doc

    • Size

      159KB

    • MD5

      439c9779f4eb98afacdc55bb14e0f1f1

    • SHA1

      e2710777a7b7a97233b181f1080aa46cba8bcd27

    • SHA256

      be5a6da37fac071766412acb88d25ffd84dc8423a1e9c74c5cce310e12456b10

    • SHA512

      b59e497db0d4282940fc67194c95d9ce6ebbaf6b3666090bbc6843fd120f1d0775cf534d98b2b80e14a88a7522a1fef1b6628e8206206d03ad2b40a98cb84dc3

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3

    Query Registry (T1012): 2
