Malware sandboxing report by Hatching Triage

General

Target

2180_182_7373.doc
Size

202KB
Sample

210309-3ftefp3g1a
MD5

6a7c63f7c62819d81c626e8b57c790ef
SHA1

64046c4dc460727d2ab4c465acb96f98087e6bf3
SHA256

15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4
SHA512

1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://zhongshixingchuang.com/wp-admin/OTm/

exe.dropper

http://www.greaudstudio.com/docs/FGn/

exe.dropper

http://koreankidsedu.com/wp-content/2cQTh/

exe.dropper

http://expeditionquest.com/X/

exe.dropper

https://suriagrofresh.com/serevers/MVDjI/

exe.dropper

http://geoffoglemusic.com/wp-admin/x/

exe.dropper

https://dagranitegiare.com/wp-admin/jCH/

Extracted

Family

emotet

Botnet

Epoch1

C2

184.66.18.83:80
202.187.222.40:80
167.71.148.58:443
211.215.18.93:8080
1.234.65.61:80
80.15.100.37:80
155.186.9.160:80
172.104.169.32:8080
110.39.162.2:443
12.162.84.2:8080
181.136.190.86:80
68.183.190.199:8080
191.223.36.170:80
190.45.24.210:80
81.213.175.132:80
181.120.29.49:80
82.76.111.249:443
177.23.7.151:80
95.76.153.115:80
93.148.247.169:80
51.255.165.160:8080
213.52.74.198:80
178.250.54.208:8080
202.134.4.210:7080
138.97.60.141:7080
94.176.234.118:443
190.24.243.186:80
46.43.2.95:8080
197.232.36.108:80
77.78.196.173:443
59.148.253.194:8080
212.71.237.140:8080
46.101.58.37:8080
110.39.160.38:443
83.169.21.32:7080
189.2.177.210:443
81.214.253.80:443
51.15.7.145:80
172.245.248.239:8080
177.85.167.10:80
178.211.45.66:8080
5.196.35.138:7080
71.58.233.254:80
168.121.4.238:80
149.202.72.142:7080
185.183.16.47:80
191.241.233.198:80
209.236.123.42:8080
190.114.254.163:8080
70.32.84.74:8080
138.97.60.140:8080
68.183.170.114:8080
192.232.229.53:4143
62.84.75.50:80
113.163.216.135:80
46.105.114.137:8080
177.144.130.105:8080
192.232.229.54:7080
192.175.111.212:7080
35.143.99.174:80
81.215.230.173:443
1.226.84.243:8080
187.162.248.237:80
152.169.22.67:80
137.74.106.111:7080
191.182.6.118:80
181.61.182.143:80
202.79.24.136:443
50.28.51.143:8080
85.214.26.7:8080
170.81.48.2:80
111.67.12.222:8080
177.144.130.105:443
188.225.32.231:7080
185.94.252.27:443
12.163.208.58:80
191.53.80.88:80
87.106.46.107:8080
122.201.23.45:443
181.30.61.163:443
104.131.41.185:8080
190.195.129.227:8090
45.184.103.73:80
186.146.13.184:443
45.16.226.117:443
187.162.250.23:443
2.80.112.146:80
60.93.23.51:80
24.232.228.233:80
190.251.216.100:80
105.209.235.113:8080
217.13.106.14:8080
190.64.88.186:443
118.38.110.192:80
111.67.12.221:8080
201.75.62.86:80
70.32.115.157:8080
188.135.15.49:80

184.66.18.83:80

202.187.222.40:80

167.71.148.58:443

211.215.18.93:8080

1.234.65.61:80

80.15.100.37:80

155.186.9.160:80

172.104.169.32:8080

110.39.162.2:443

12.162.84.2:8080

181.136.190.86:80

68.183.190.199:8080

191.223.36.170:80

190.45.24.210:80

81.213.175.132:80

181.120.29.49:80

82.76.111.249:443

177.23.7.151:80

95.76.153.115:80

93.148.247.169:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

C2

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

rsa_pubkey.plain

Targets

- Target
  
  2180_182_7373.doc
- Size
  
  202KB
- MD5
  
  6a7c63f7c62819d81c626e8b57c790ef
- SHA1
  
  64046c4dc460727d2ab4c465acb96f98087e6bf3
- SHA256
  
  15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4
- SHA512
  
  1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58
Score

10^/10

emotet epoch1 banker trojan lea
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Emotet

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2