Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

a.zip
Size

1MB
Sample

210309-2jbxrs1y66
MD5

bcd53bb233998319549d350db7db49d1
SHA1

79cc83704c18a692ea7a5ed222dae223f3b86b3b
SHA256

65cd6ffed28f530f09c94b6455e7ae3ad605875aa79b1e368b82bed7818c34dd
SHA512

28cb2f2de2a25ec509508e2bb4ad414cf52bb804a1897a02e7cfe2a32cdad935eadc9add6e18e2836df8288b1a768424cbd4dd52a4d86f28b8da1a8223efe9a8

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://anjumanclick.com/q/kvM/

exe.dropper

https://duocnhanhoa.com/wp-admin/J5JbVEY/

exe.dropper

https://yellomosquito.com/wp-includes/w/

exe.dropper

https://thaithienson.net/wp-admin/EksZXO/

exe.dropper

http://penambahberatbadan.info/r/pXPKwJ/

exe.dropper

https://thienloc.org/data-sgp-kgfig/AaK/

exe.dropper

https://ecomdemo2.ogsdev.net/wp-content/zWWB/

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://zhongshixingchuang.com/wp-admin/OTm/

exe.dropper

http://www.greaudstudio.com/docs/FGn/

exe.dropper

http://koreankidsedu.com/wp-content/2cQTh/

exe.dropper

http://expeditionquest.com/X/

exe.dropper

https://suriagrofresh.com/serevers/MVDjI/

exe.dropper

http://geoffoglemusic.com/wp-admin/x/

exe.dropper

https://dagranitegiare.com/wp-admin/jCH/

Extracted

Family

emotet

Botnet

Epoch1

184.66.18.83:80

202.187.222.40:80

167.71.148.58:443

211.215.18.93:8080

1.234.65.61:80

80.15.100.37:80

155.186.9.160:80

172.104.169.32:8080

110.39.162.2:443

12.162.84.2:8080

181.136.190.86:80

68.183.190.199:8080

191.223.36.170:80

190.45.24.210:80

81.213.175.132:80

181.120.29.49:80

82.76.111.249:443

177.23.7.151:80

95.76.153.115:80

93.148.247.169:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

rsa_pubkey.plain

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://biglaughs.org/smallpotatoes/rRwRzc/

exe.dropper

http://josegene.com/theme/gU8/

exe.dropper

http://paulscomputing.com/CraigsMagicSquare/H/

exe.dropper

https://goldilockstraining.com/wp-includes/bftt/

exe.dropper

https://jeffdahlke.com/css/bg4n3/

exe.dropper

http://azraktours.com/wp-content/NWF9jC/

exe.dropper

http://goldcoastoffice365.com/temp/X/

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://fmcav.com/images/7FV4Nd/

exe.dropper

http://theprajinshee.com/otherfiles/wAFP/

exe.dropper

http://www.removepctrojan.com/wp-admin/ak0chH/

exe.dropper

http://www.geosrt.com/aqqhwdap/l0/

exe.dropper

http://geoffoglemusic.com/wp-admin/7C11oAC/

exe.dropper

http://www.achutamanasa.com/garmin-pro-fei8o/mW/

exe.dropper

http://johnloveskim.com/a/Tff/

Targets

- Target
  
  0159.doc
- Size
  
  209KB
- MD5
  
  8e28f73afbc9589c8f3046f45dba8e79
- SHA1
  
  da94793e6dfb9c7d90227a36009092c881f9a525
- SHA256
  
  6f4c3417fddd5dd0eea7bb254bbbb7da54dbf9bac497043143c51a0008b2e1cf
- SHA512
  
  c824c937d8afd0527b1c51ac14036363ddd7e28f096a051d47ecbc0e3e3f068435e1f7ca1ff426e0e04d8e65583816a0e2523694e7171530ebe9b5f7985142be
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  05504-122020.doc
- Size
  
  208KB
- MD5
  
  129154ace2845c087bbd66916306f1fb
- SHA1
  
  65b731e5b97c63e59c03d2571de02414d4912eeb
- SHA256
  
  effe6ed0eaae43f9ab347679a9abfe647cc606e64c1f742259f8ddc73f58923a
- SHA512
  
  6616267e59fb1fb124b032b800b54d664ed44d8cdcd1ab3851d3fb90746e6264aee748956badbc0327a3b4f05b03c52c7331c9a1a1b7681443037f3273cdfd4a
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  2180_182_7373.doc
- Size
  
  202KB
- MD5
  
  6a7c63f7c62819d81c626e8b57c790ef
- SHA1
  
  64046c4dc460727d2ab4c465acb96f98087e6bf3
- SHA256
  
  15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4
- SHA512
  
  1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58
Score

10^/10

emotet epoch1 lea banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  54909729_21_122020.doc
- Size
  
  201KB
- MD5
  
  860d2dae30c61fc8b374685a2726d089
- SHA1
  
  5d34c3b40f1980215827abba54d57929776dab2d
- SHA256
  
  af46527c3afb67db04896d6a01ed9457d9c379af2c130e26ff3b2ff9a5cd2639
- SHA512
  
  590b5ca22762a073c8ab7701b5f2a0949625dbbcb6461ab5eac5022c66197a68523a6717e139e27bc1d93461ca95ee66cd83f45851b5e2cea6087793f6595996
Score

10^/10

emotet epoch1 lea banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  84813.doc
- Size
  
  200KB
- MD5
  
  f2065422dbe07efcee89e7b2355ef8c4
- SHA1
  
  fa37a71fe24953b3c8678733c89fe70dd5be76c0
- SHA256
  
  8eb07a5d212d9c3c87c9c739da4694647d5ac601401e0a4add2dc78a61081913
- SHA512
  
  4ad7b3337c344806eaee72d89bff157a9ddc2a66bfe265e011e761db0f58787195ae8d70ca914e3f3be0536a3b31a8b984a63f02ccea5450dd714723657d7463
Score

10^/10

emotet epoch1 banker trojan lea
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral9 behavioral10
- Target
  
  ARCHIVOFile.doc
- Size
  
  200KB
- MD5
  
  4e85b78af63a61e7ddea0760b6e4e3c5
- SHA1
  
  67ef9d35b257279d1e0fe5488b20bea1c2a1ed8c
- SHA256
  
  25332ae11bc3d7cbfc43fd78f3eeb96f5bd21df4f93dd2bea6eade75cc73db44
- SHA512
  
  623848025adecb4f580b4f0636216d5966641441c20f97fcd92eeef0e96de9a0f1d93ae09085fbca5ae48fa7c7f25579bb21438f8415dccaf08fda03fe87c033
Score

10^/10

emotet epoch1 banker trojan lea
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral11 behavioral12
- Target
  
  Archivo-122020-481-4753.doc
- Size
  
  201KB
- MD5
  
  2a61e1db564efb537635b45b2cbf235d
- SHA1
  
  d7f45bcc50c83e6f2920285e4934c931d95ac285
- SHA256
  
  ad7ca5a820eee8fa220415696137a31c5a2f50788598d1115bd6bef3bc8a9003
- SHA512
  
  dbd92067d1cd829fdea47328bc328a28b9009a203a03adf3274427065d7e9f184814cecb3b132c03c7f4abe727160e50709e19d1d249b020b90576399b2c61fb
Score

10^/10

emotet epoch1 lea banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral13 behavioral14
- Target
  
  DAT_2020.doc
- Size
  
  200KB
- MD5
  
  e5fa8feb10d2d772e7be4a5b731bbb3b
- SHA1
  
  c50d9553344006d7a43d70536946b0e06c5cc1ed
- SHA256
  
  6ab02806cb13d2944c7df12c9dfc17e72bd46c7285428ef8338e5889776c7fe5
- SHA512
  
  d7d6be3ca4e645836d41a51419645bdc386445011ab3f871df9d439f9083eb8f4308246e4e7fdc775d48f849baa3dd5fc6cc6519034de37617015b9ebf79d039
Score

10^/10

emotet epoch1 banker trojan lea
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral15 behavioral16
- Target
  
  DAT_2112.doc
- Size
  
  201KB
- MD5
  
  0b0b1ef804382ed6f25b3aa11b657b72
- SHA1
  
  cfd0c0603103c585185433aaf1d53879e97d5d31
- SHA256
  
  687a53748f70c72633a9f00a47b027ca46def57962e21f2150a82e7567bd1c25
- SHA512
  
  7043392bd4604a1321c6253041ebd095eaef2282bc4a35fd9679349a46be0e8a03a7d357a1a4a3000ff9135b2aeeac3438b2a460e51711213b76639a6eafaf5e
Score

10^/10

emotet epoch1 lea banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral17 behavioral18
- Target
  
  Documento-8-92514.doc
- Size
  
  208KB
- MD5
  
  5e106f61c1d088f599c47cf756592171
- SHA1
  
  829d57a809bc9a5ed24afc2beca25703dd48859e
- SHA256
  
  e725bc02dd4202860e222fe77a07432c587de089daa010f4543451a945236d9d
- SHA512
  
  03dafd4aee8a06b0d1da43eefb8f67bcd3b06eff79b8f3b7cad907e6c569928a112c95a812d1a6f90a725bb5a106aa065726ee4f429760174b79d3307584b263
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  Info_29.doc
- Size
  
  159KB
- MD5
  
  8ae1dced4aa0b93fb54784bbd0c0fc07
- SHA1
  
  02b3440f2f55ed04e48dd49ce824d8fbba2df694
- SHA256
  
  873805d1821aea66b16872720c8cda5fffaefc6ba69f9b05c074262d66b2edea
- SHA512
  
  b85ec2ee2cd39dde94ea170f753fc45e6f204e43d7af1ccb31b8b3421939b55f48ac1fa0f895392b0224e1ef8726ed71d351197261bfb20a4481fa1efd084cf6
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral21 behavioral22
- Target
  
  MENSAJE.doc
- Size
  
  202KB
- MD5
  
  9d4d116932dca89da824904da20599ec
- SHA1
  
  c3640d3f33701aad9d74217d59dd455469de2aee
- SHA256
  
  d6ac4f01d275ae5367b2b7fb961c3d36bd8e3ca0a05d81a16fcf3fe35979b321
- SHA512
  
  cdb8ce668827e3e6925e9777b8d26f7a95c8eacd69da753d078f5d79458d3e32b8c7765bae6af67b059f3b92fb2e4e90cf005592860713de6ce1753df37eab34
Score

10^/10

emotet epoch1 lea banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral23 behavioral24
- Target
  
  T184213_2020.doc
- Size
  
  208KB
- MD5
  
  5e106f61c1d088f599c47cf756592171
- SHA1
  
  829d57a809bc9a5ed24afc2beca25703dd48859e
- SHA256
  
  e725bc02dd4202860e222fe77a07432c587de089daa010f4543451a945236d9d
- SHA512
  
  03dafd4aee8a06b0d1da43eefb8f67bcd3b06eff79b8f3b7cad907e6c569928a112c95a812d1a6f90a725bb5a106aa065726ee4f429760174b79d3307584b263
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral25 behavioral26

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12