cdce6995_64gpNakxxc

General
Target

cdce6995_64gpNakxxc

Size

177KB

Sample

210905-ftcseahhfk

Score
10 /10
MD5

cdce69955bfe5758e445e294c57257e6

SHA1

d754d49fc675361af50445e0110754c8821d5fd2

SHA256

d737e6973c1db753444e7bb9eacd01acd35b8fe2e88cc795f668ff59f0ce2027

SHA512

db78d544f5db3b003c5010bafc67b8967002d83d4b2dc0964e8aad03c03d345ad776d8a0575c0caf178593555fe94d4c25162327a42e52cf2f531913d803a618

Malware Config

Extracted

Language ps1
Source
URLs
exe.dropper

https://santyago.org/wp-content/0mcYS6/

exe.dropper

http://dandyair.com/font-awesome/rOOAL/

exe.dropper

https://www.tekadbatam.com/wp-content/AUiw/

exe.dropper

http://kellymorganscience.com/wp-content/SCsWM/

exe.dropper

https://tewoerd.eu/img/DALSKE/

exe.dropper

http://mediainmedia.com/plugin_opencart2.3-master/Atye/

exe.dropper

http://nuwagi.com/old/XLGjc/

Extracted

Family emotet
Botnet Epoch2
C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

187.161.206.24:80

172.91.208.86:80

124.41.215.226:80

107.5.122.110:80

200.123.150.89:443

95.179.229.244:8080

83.169.36.251:8080

1.221.254.82:80

95.213.236.64:8080

181.169.34.190:80

47.144.21.12:443

203.153.216.189:7080

89.216.122.92:80

84.39.182.7:80

94.200.114.161:80

104.236.246.93:8080

139.99.158.11:443

176.111.60.55:8080

78.24.219.147:8080

220.245.198.194:80

62.30.7.67:443

139.162.108.71:8080

104.32.141.43:80

153.232.188.106:80

93.147.212.206:80

79.137.83.50:443

96.249.236.156:443

24.43.99.75:80

75.80.124.4:80

42.200.107.142:80

rsa_pubkey.plain
Targets
Target

cdce6995_64gpNakxxc

MD5

cdce69955bfe5758e445e294c57257e6

Filesize

177KB

Score
10/10
SHA1

d754d49fc675361af50445e0110754c8821d5fd2

SHA256

d737e6973c1db753444e7bb9eacd01acd35b8fe2e88cc795f668ff59f0ce2027

SHA512

db78d544f5db3b003c5010bafc67b8967002d83d4b2dc0964e8aad03c03d345ad776d8a0575c0caf178593555fe94d4c25162327a42e52cf2f531913d803a618

Tags

Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload

    Description

    Detects Emotet payload in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      8/10

                      behavioral1

                      10/10

                      behavioral2

                      10/10