General

  • Target

    a.zip

  • Size

    1.2MB

  • Sample

    210309-2jbxrs1y66

  • MD5

    bcd53bb233998319549d350db7db49d1

  • SHA1

    79cc83704c18a692ea7a5ed222dae223f3b86b3b

  • SHA256

    65cd6ffed28f530f09c94b6455e7ae3ad605875aa79b1e368b82bed7818c34dd

  • SHA512

    28cb2f2de2a25ec509508e2bb4ad414cf52bb804a1897a02e7cfe2a32cdad935eadc9add6e18e2836df8288b1a768424cbd4dd52a4d86f28b8da1a8223efe9a8

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs

Extracted

Language
ps1
Deobfuscated
URLs

Extracted

Family

emotet

Botnet

Epoch1

C2

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

C2

rsa_pubkey.plain

Extracted

Language
ps1
Deobfuscated
URLs

Extracted

Language
ps1
Deobfuscated
URLs

Targets

    • Target

      0159.doc

    • Size

      209KB

    • MD5

      8e28f73afbc9589c8f3046f45dba8e79

    • SHA1

      da94793e6dfb9c7d90227a36009092c881f9a525

    • SHA256

      6f4c3417fddd5dd0eea7bb254bbbb7da54dbf9bac497043143c51a0008b2e1cf

    • SHA512

      c824c937d8afd0527b1c51ac14036363ddd7e28f096a051d47ecbc0e3e3f068435e1f7ca1ff426e0e04d8e65583816a0e2523694e7171530ebe9b5f7985142be

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Target

      05504-122020.doc

    • Size

      208KB

    • MD5

      129154ace2845c087bbd66916306f1fb

    • SHA1

      65b731e5b97c63e59c03d2571de02414d4912eeb

    • SHA256

      effe6ed0eaae43f9ab347679a9abfe647cc606e64c1f742259f8ddc73f58923a

    • SHA512

      6616267e59fb1fb124b032b800b54d664ed44d8cdcd1ab3851d3fb90746e6264aee748956badbc0327a3b4f05b03c52c7331c9a1a1b7681443037f3273cdfd4a

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Target

      2180_182_7373.doc

    • Size

      202KB

    • MD5

      6a7c63f7c62819d81c626e8b57c790ef

    • SHA1

      64046c4dc460727d2ab4c465acb96f98087e6bf3

    • SHA256

      15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4

    • SHA512

      1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      54909729_21_122020.doc

    • Size

      201KB

    • MD5

      860d2dae30c61fc8b374685a2726d089

    • SHA1

      5d34c3b40f1980215827abba54d57929776dab2d

    • SHA256

      af46527c3afb67db04896d6a01ed9457d9c379af2c130e26ff3b2ff9a5cd2639

    • SHA512

      590b5ca22762a073c8ab7701b5f2a0949625dbbcb6461ab5eac5022c66197a68523a6717e139e27bc1d93461ca95ee66cd83f45851b5e2cea6087793f6595996

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      84813.doc

    • Size

      200KB

    • MD5

      f2065422dbe07efcee89e7b2355ef8c4

    • SHA1

      fa37a71fe24953b3c8678733c89fe70dd5be76c0

    • SHA256

      8eb07a5d212d9c3c87c9c739da4694647d5ac601401e0a4add2dc78a61081913

    • SHA512

      4ad7b3337c344806eaee72d89bff157a9ddc2a66bfe265e011e761db0f58787195ae8d70ca914e3f3be0536a3b31a8b984a63f02ccea5450dd714723657d7463

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      ARCHIVOFile.doc

    • Size

      200KB

    • MD5

      4e85b78af63a61e7ddea0760b6e4e3c5

    • SHA1

      67ef9d35b257279d1e0fe5488b20bea1c2a1ed8c

    • SHA256

      25332ae11bc3d7cbfc43fd78f3eeb96f5bd21df4f93dd2bea6eade75cc73db44

    • SHA512

      623848025adecb4f580b4f0636216d5966641441c20f97fcd92eeef0e96de9a0f1d93ae09085fbca5ae48fa7c7f25579bb21438f8415dccaf08fda03fe87c033

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      Archivo-122020-481-4753.doc

    • Size

      201KB

    • MD5

      2a61e1db564efb537635b45b2cbf235d

    • SHA1

      d7f45bcc50c83e6f2920285e4934c931d95ac285

    • SHA256

      ad7ca5a820eee8fa220415696137a31c5a2f50788598d1115bd6bef3bc8a9003

    • SHA512

      dbd92067d1cd829fdea47328bc328a28b9009a203a03adf3274427065d7e9f184814cecb3b132c03c7f4abe727160e50709e19d1d249b020b90576399b2c61fb

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      DAT_2020.doc

    • Size

      200KB

    • MD5

      e5fa8feb10d2d772e7be4a5b731bbb3b

    • SHA1

      c50d9553344006d7a43d70536946b0e06c5cc1ed

    • SHA256

      6ab02806cb13d2944c7df12c9dfc17e72bd46c7285428ef8338e5889776c7fe5

    • SHA512

      d7d6be3ca4e645836d41a51419645bdc386445011ab3f871df9d439f9083eb8f4308246e4e7fdc775d48f849baa3dd5fc6cc6519034de37617015b9ebf79d039

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      DAT_2112.doc

    • Size

      201KB

    • MD5

      0b0b1ef804382ed6f25b3aa11b657b72

    • SHA1

      cfd0c0603103c585185433aaf1d53879e97d5d31

    • SHA256

      687a53748f70c72633a9f00a47b027ca46def57962e21f2150a82e7567bd1c25

    • SHA512

      7043392bd4604a1321c6253041ebd095eaef2282bc4a35fd9679349a46be0e8a03a7d357a1a4a3000ff9135b2aeeac3438b2a460e51711213b76639a6eafaf5e

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      Documento-8-92514.doc

    • Size

      208KB

    • MD5

      5e106f61c1d088f599c47cf756592171

    • SHA1

      829d57a809bc9a5ed24afc2beca25703dd48859e

    • SHA256

      e725bc02dd4202860e222fe77a07432c587de089daa010f4543451a945236d9d

    • SHA512

      03dafd4aee8a06b0d1da43eefb8f67bcd3b06eff79b8f3b7cad907e6c569928a112c95a812d1a6f90a725bb5a106aa065726ee4f429760174b79d3307584b263

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Target

      Info_29.doc

    • Size

      159KB

    • MD5

      8ae1dced4aa0b93fb54784bbd0c0fc07

    • SHA1

      02b3440f2f55ed04e48dd49ce824d8fbba2df694

    • SHA256

      873805d1821aea66b16872720c8cda5fffaefc6ba69f9b05c074262d66b2edea

    • SHA512

      b85ec2ee2cd39dde94ea170f753fc45e6f204e43d7af1ccb31b8b3421939b55f48ac1fa0f895392b0224e1ef8726ed71d351197261bfb20a4481fa1efd084cf6

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Target

      MENSAJE.doc

    • Size

      202KB

    • MD5

      9d4d116932dca89da824904da20599ec

    • SHA1

      c3640d3f33701aad9d74217d59dd455469de2aee

    • SHA256

      d6ac4f01d275ae5367b2b7fb961c3d36bd8e3ca0a05d81a16fcf3fe35979b321

    • SHA512

      cdb8ce668827e3e6925e9777b8d26f7a95c8eacd69da753d078f5d79458d3e32b8c7765bae6af67b059f3b92fb2e4e90cf005592860713de6ce1753df37eab34

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      T184213_2020.doc

    • Size

      208KB

    • MD5

      5e106f61c1d088f599c47cf756592171

    • SHA1

      829d57a809bc9a5ed24afc2beca25703dd48859e

    • SHA256

      e725bc02dd4202860e222fe77a07432c587de089daa010f4543451a945236d9d

    • SHA512

      03dafd4aee8a06b0d1da43eefb8f67bcd3b06eff79b8f3b7cad907e6c569928a112c95a812d1a6f90a725bb5a106aa065726ee4f429760174b79d3307584b263

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry (T1112): 13

Discovery

  • Query Registry (T1012): 24

  • System Information Discovery (T1082): 32

Tasks

  • static1 (macro): Score 8/10

  • behavioral1: Score 10/10

  • behavioral2: Score 10/10

  • behavioral3: Score 10/10

  • behavioral4: Score 10/10

  • behavioral5 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral6 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral7 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral8 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral9 (emotet, epoch1, banker, trojan): Score 10/10

  • behavioral10 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral11 (emotet, epoch1, banker, trojan): Score 10/10

  • behavioral12 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral13 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral14 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral15 (emotet, epoch1, banker, trojan): Score 10/10

  • behavioral16 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral17 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral18: Score 1/10

  • behavioral19: Score 10/10

  • behavioral20: Score 10/10

  • behavioral21: Score 10/10

  • behavioral22: Score 10/10

  • behavioral23 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral24 (emotet, epoch1, lea, banker, trojan): Score 10/10

  • behavioral25: Score 10/10

  • behavioral26: Score 10/10