cdce6995_64gpNakxxc

Target

cdce6995_64gpNakxxc

Size

177KB

Sample

210905-ftcseahhfk

Score

10 ^/10

MD5

cdce69955bfe5758e445e294c57257e6

SHA1

d754d49fc675361af50445e0110754c8821d5fd2

SHA256

d737e6973c1db753444e7bb9eacd01acd35b8fe2e88cc795f668ff59f0ce2027

SHA512

db78d544f5db3b003c5010bafc67b8967002d83d4b2dc0964e8aad03c03d345ad776d8a0575c0caf178593555fe94d4c25162327a42e52cf2f531913d803a618

Extracted

Language	ps1
Source
URLs	https://santyago.org/wp-content/0mcYS6/ http://dandyair.com/font-awesome/rOOAL/ https://www.tekadbatam.com/wp-content/AUiw/ http://kellymorganscience.com/wp-content/SCsWM/ https://tewoerd.eu/img/DALSKE/ http://mediainmedia.com/plugin_opencart2.3-master/Atye/ http://nuwagi.com/old/XLGjc/ exe.dropper https://santyago.org/wp-content/0mcYS6/ exe.dropper http://dandyair.com/font-awesome/rOOAL/ exe.dropper https://www.tekadbatam.com/wp-content/AUiw/ exe.dropper http://kellymorganscience.com/wp-content/SCsWM/ exe.dropper https://tewoerd.eu/img/DALSKE/ exe.dropper http://mediainmedia.com/plugin_opencart2.3-master/Atye/ exe.dropper http://nuwagi.com/old/XLGjc/

Extracted

Family	emotet
Botnet	Epoch2
C2	71.72.196.159:80 134.209.36.254:8080 120.138.30.150:8080 94.23.216.33:80 157.245.99.39:8080 137.59.187.107:8080 94.23.237.171:443 61.19.246.238:443 156.155.166.221:80 50.35.17.13:80 153.137.36.142:80 91.211.88.52:7080 209.141.54.221:8080 185.94.252.104:443 174.45.13.118:80 87.106.136.232:8080 62.75.141.82:80 213.196.135.145:80 188.219.31.12:80 82.80.155.43:80 187.161.206.24:80 172.91.208.86:80 124.41.215.226:80 107.5.122.110:80 200.123.150.89:443 95.179.229.244:8080 83.169.36.251:8080 1.221.254.82:80 95.213.236.64:8080 181.169.34.190:80 47.144.21.12:443 203.153.216.189:7080 89.216.122.92:80 84.39.182.7:80 94.200.114.161:80 104.236.246.93:8080 139.99.158.11:443 176.111.60.55:8080 78.24.219.147:8080 220.245.198.194:80 62.30.7.67:443 139.162.108.71:8080 104.32.141.43:80 153.232.188.106:80 93.147.212.206:80 79.137.83.50:443 96.249.236.156:443 24.43.99.75:80 75.80.124.4:80 42.200.107.142:80 110.5.16.198:80 5.196.74.210:8080 110.145.77.103:80 200.114.213.233:8080 85.152.162.105:80 5.39.91.110:7080 109.74.5.95:8080 140.186.212.146:80 37.187.72.193:8080 97.82.79.83:80 139.130.242.43:80 201.173.217.124:443 123.176.25.234:80 104.131.44.150:8080 74.208.45.104:8080 139.59.60.244:8080 120.150.60.189:80 74.219.172.26:80 219.75.128.166:80 82.225.49.121:80 85.105.205.77:8080 24.179.13.119:80 74.120.55.163:80 174.102.48.180:443 219.74.18.66:443 168.235.67.138:7080 194.187.133.160:443 78.187.156.31:80 103.86.49.11:8080 61.92.17.12:80 24.137.76.62:80 104.131.11.150:443 79.98.24.39:8080 75.139.38.211:80 162.241.242.173:8080 195.251.213.56:80 37.139.21.175:8080 46.105.131.79:8080 50.91.114.38:80 121.124.124.40:7080 74.134.41.124:80 68.188.112.97:80 137.119.36.33:80 121.7.127.163:80 87.106.139.101:8080 94.1.108.190:443 169.239.182.217:8080 71.72.196.159:80 134.209.36.254:8080 120.138.30.150:8080 94.23.216.33:80 157.245.99.39:8080 137.59.187.107:8080 94.23.237.171:443 61.19.246.238:443 156.155.166.221:80 50.35.17.13:80 153.137.36.142:80 91.211.88.52:7080 209.141.54.221:8080 185.94.252.104:443 174.45.13.118:80 87.106.136.232:8080 62.75.141.82:80 213.196.135.145:80 188.219.31.12:80 82.80.155.43:80 187.161.206.24:80 172.91.208.86:80 124.41.215.226:80 107.5.122.110:80 200.123.150.89:443 95.179.229.244:8080 83.169.36.251:8080 1.221.254.82:80 95.213.236.64:8080 181.169.34.190:80 47.144.21.12:443 203.153.216.189:7080 89.216.122.92:80 84.39.182.7:80 94.200.114.161:80 104.236.246.93:8080 139.99.158.11:443 176.111.60.55:8080 78.24.219.147:8080 220.245.198.194:80 62.30.7.67:443 139.162.108.71:8080 104.32.141.43:80 153.232.188.106:80 93.147.212.206:80 79.137.83.50:443 96.249.236.156:443 24.43.99.75:80 75.80.124.4:80 42.200.107.142:80 110.5.16.198:80 5.196.74.210:8080 110.145.77.103:80 200.114.213.233:8080 85.152.162.105:80 5.39.91.110:7080 109.74.5.95:8080 140.186.212.146:80 37.187.72.193:8080 97.82.79.83:80 139.130.242.43:80 201.173.217.124:443 123.176.25.234:80 104.131.44.150:8080 74.208.45.104:8080 139.59.60.244:8080 120.150.60.189:80 74.219.172.26:80 219.75.128.166:80 82.225.49.121:80 85.105.205.77:8080 24.179.13.119:80 74.120.55.163:80 174.102.48.180:443 219.74.18.66:443 168.235.67.138:7080 194.187.133.160:443 78.187.156.31:80 103.86.49.11:8080 61.92.17.12:80 24.137.76.62:80 104.131.11.150:443 79.98.24.39:8080 75.139.38.211:80 162.241.242.173:8080 195.251.213.56:80 37.139.21.175:8080 46.105.131.79:8080 50.91.114.38:80 121.124.124.40:7080 74.134.41.124:80 68.188.112.97:80 137.119.36.33:80 121.7.127.163:80 87.106.139.101:8080 94.1.108.190:443 169.239.182.217:8080
rsa_pubkey.plain

Target

cdce6995_64gpNakxxc

MD5

cdce69955bfe5758e445e294c57257e6

Filesize

177KB

Score

10^/10

SHA1

d754d49fc675361af50445e0110754c8821d5fd2

SHA256

d737e6973c1db753444e7bb9eacd01acd35b8fe2e88cc795f668ff59f0ce2027

SHA512

db78d544f5db3b003c5010bafc67b8967002d83d4b2dc0964e8aad03c03d345ad776d8a0575c0caf178593555fe94d4c25162327a42e52cf2f531913d803a618

Signatures

Emotet
Description

Emotet is a trojan that is primarily spread through spam emails.
Tags

trojan banker emotet
Process spawned unexpected child process
Description

This typically indicates the parent process was compromised via an exploit or macro.
Emotet Payload
Description

Detects Emotet payload in memory.
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Drops file in System32 directory

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

macro

8^/10

behavioral1

10^/10

behavioral2

emotet epoch2 banker trojan

10^/10

Extracted

Extracted

Tags

Signatures

Emotet

Description

Tags

Process spawned unexpected child process

Description

Emotet Payload

Description

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Drops file in System32 directory

Related Tasks

static1

behavioral1

behavioral2