Overview

overview

10

Static

static

8

2180_182_7373.doc

windows7_x64

10

2180_182_7373.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2180_182_7373.doc

  • Size

    202KB

  • Sample

    210309-3ftefp3g1a

  • MD5

    6a7c63f7c62819d81c626e8b57c790ef

  • SHA1

    64046c4dc460727d2ab4c465acb96f98087e6bf3

  • SHA256

    15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4

  • SHA512

    1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58

Score
10/10
emotetepoch1leabankermacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://zhongshixingchuang.com/wp-admin/OTm/
exe.dropper

http://www.greaudstudio.com/docs/FGn/
exe.dropper

http://koreankidsedu.com/wp-content/2cQTh/
exe.dropper

http://expeditionquest.com/X/
exe.dropper

https://suriagrofresh.com/serevers/MVDjI/
exe.dropper

http://geoffoglemusic.com/wp-admin/x/
exe.dropper

https://dagranitegiare.com/wp-admin/jCH/

Extracted

Family

emotet

Botnet

Epoch1

C2

184.66.18.83:80

202.187.222.40:80

167.71.148.58:443

211.215.18.93:8080

1.234.65.61:80

80.15.100.37:80

155.186.9.160:80

172.104.169.32:8080

110.39.162.2:443

12.162.84.2:8080

181.136.190.86:80

68.183.190.199:8080

191.223.36.170:80

190.45.24.210:80

81.213.175.132:80

181.120.29.49:80

82.76.111.249:443

177.23.7.151:80

95.76.153.115:80

93.148.247.169:80

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

C2

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

rsa_pubkey.plain

Targets

    • Target

      2180_182_7373.doc

    • Size

      202KB

    • MD5

      6a7c63f7c62819d81c626e8b57c790ef

    • SHA1

      64046c4dc460727d2ab4c465acb96f98087e6bf3

    • SHA256

      15d50222b0ec97f27bb8af2e29f440d26210af10f413d690f447adbc84b25ad4

    • SHA512

      1a9d0f3c8ef630287adc71b7c7b734bf5ad567b9b6800856ea13a39873a983d69dbe50e9478ff50a7285097d34c28dcf4c3184bdbc94b11bbcdcd124db9e2f58

    Score
    10/10
    emotetepoch1bankertrojanlea

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks