General
-
Target
2180_182_7373.doc
-
Size
202KB
-
Sample
210309-3ftefp3g1a
-
MD5
6a7c63f7c62819d81c626e8b57c790ef
-
SHA1
64046c4dc460727d2ab4c465acb96f98087e6bf3
-
SHA256
15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4
-
SHA512
1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58
Static task
static1
Malware Config
Extracted
http://zhongshixingchuang.com/wp-admin/OTm/
http://www.greaudstudio.com/docs/FGn/
http://koreankidsedu.com/wp-content/2cQTh/
http://expeditionquest.com/X/
https://suriagrofresh.com/serevers/MVDjI/
http://geoffoglemusic.com/wp-admin/x/
https://dagranitegiare.com/wp-admin/jCH/
Extracted
emotet
Epoch1
184.66.18.83:80
202.187.222.40:80
167.71.148.58:443
211.215.18.93:8080
1.234.65.61:80
80.15.100.37:80
155.186.9.160:80
172.104.169.32:8080
110.39.162.2:443
12.162.84.2:8080
181.136.190.86:80
68.183.190.199:8080
191.223.36.170:80
190.45.24.210:80
81.213.175.132:80
181.120.29.49:80
82.76.111.249:443
177.23.7.151:80
95.76.153.115:80
93.148.247.169:80
51.255.165.160:8080
213.52.74.198:80
178.250.54.208:8080
202.134.4.210:7080
138.97.60.141:7080
94.176.234.118:443
190.24.243.186:80
46.43.2.95:8080
197.232.36.108:80
77.78.196.173:443
59.148.253.194:8080
212.71.237.140:8080
46.101.58.37:8080
110.39.160.38:443
83.169.21.32:7080
189.2.177.210:443
81.214.253.80:443
51.15.7.145:80
172.245.248.239:8080
177.85.167.10:80
178.211.45.66:8080
5.196.35.138:7080
71.58.233.254:80
168.121.4.238:80
149.202.72.142:7080
185.183.16.47:80
191.241.233.198:80
209.236.123.42:8080
190.114.254.163:8080
70.32.84.74:8080
138.97.60.140:8080
68.183.170.114:8080
192.232.229.53:4143
62.84.75.50:80
113.163.216.135:80
46.105.114.137:8080
177.144.130.105:8080
192.232.229.54:7080
192.175.111.212:7080
35.143.99.174:80
81.215.230.173:443
1.226.84.243:8080
187.162.248.237:80
152.169.22.67:80
137.74.106.111:7080
191.182.6.118:80
181.61.182.143:80
202.79.24.136:443
50.28.51.143:8080
85.214.26.7:8080
170.81.48.2:80
111.67.12.222:8080
177.144.130.105:443
188.225.32.231:7080
185.94.252.27:443
12.163.208.58:80
191.53.80.88:80
87.106.46.107:8080
122.201.23.45:443
181.30.61.163:443
104.131.41.185:8080
190.195.129.227:8090
45.184.103.73:80
186.146.13.184:443
45.16.226.117:443
187.162.250.23:443
2.80.112.146:80
60.93.23.51:80
24.232.228.233:80
190.251.216.100:80
105.209.235.113:8080
217.13.106.14:8080
190.64.88.186:443
118.38.110.192:80
111.67.12.221:8080
201.75.62.86:80
70.32.115.157:8080
188.135.15.49:80
Extracted
emotet
LEA
80.158.3.161:443
80.158.51.209:8080
80.158.35.51:80
80.158.63.78:443
80.158.53.167:80
80.158.62.194:443
80.158.59.174:8080
80.158.43.136:80
Targets
-
-
Target
2180_182_7373.doc
-
Size
202KB
-
MD5
6a7c63f7c62819d81c626e8b57c790ef
-
SHA1
64046c4dc460727d2ab4c465acb96f98087e6bf3
-
SHA256
15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4
-
SHA512
1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Drops file in System32 directory
-