Overview

overview

10

Static

static

8

cdce6995_6...xc.doc

windows7_x64

10

cdce6995_6...xc.doc

windows10_x64

10

Resubmissions

13-09-2021 08:55

210913-kvka4agdgl 10

05-09-2021 05:09

210905-ftcseahhfk 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cdce6995_64gpNakxxc

  • Size

    177KB

  • Sample

    210905-ftcseahhfk

  • MD5

    cdce69955bfe5758e445e294c57257e6

  • SHA1

    d754d49fc675361af50445e0110754c8821d5fd2

  • SHA256

    d737e6973c1db753444e7bb9eacd01acd35b8fe2e88cc795f668ff59f0ce2027

  • SHA512

    db78d544f5db3b003c5010bafc67b8967002d83d4b2dc0964e8aad03c03d345ad776d8a0575c0caf178593555fe94d4c25162327a42e52cf2f531913d803a618

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://santyago.org/wp-content/0mcYS6/
exe.dropper

http://dandyair.com/font-awesome/rOOAL/
exe.dropper

https://www.tekadbatam.com/wp-content/AUiw/
exe.dropper

http://kellymorganscience.com/wp-content/SCsWM/
exe.dropper

https://tewoerd.eu/img/DALSKE/
exe.dropper

http://mediainmedia.com/plugin_opencart2.3-master/Atye/
exe.dropper

http://nuwagi.com/old/XLGjc/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80
rsa_pubkey.plain

Targets

    • Target

      cdce6995_64gpNakxxc

    • Size

      177KB

    • MD5

      cdce69955bfe5758e445e294c57257e6

    • SHA1

      d754d49fc675361af50445e0110754c8821d5fd2

    • SHA256

      d737e6973c1db753444e7bb9eacd01acd35b8fe2e88cc795f668ff59f0ce2027

    • SHA512

      db78d544f5db3b003c5010bafc67b8967002d83d4b2dc0964e8aad03c03d345ad776d8a0575c0caf178593555fe94d4c25162327a42e52cf2f531913d803a618

    Score
    10/10
    emotetepoch2bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks