General

  • Target

    8a7c7754_OUZnG00tUJ

  • Size

    176KB

  • Sample

    210913-kwg75agdgp

  • MD5

    8a7c7754300dab0670eaf86357a5463d

  • SHA1

    6feb3edf05a2170772cdaef20d76b7e8e07c7b81

  • SHA256

    e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

  • SHA512

    3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

Malware Config

Extracted

Language ps1
Source
URLs
exe.dropper

https://santyago.org/wp-content/0mcYS6/

exe.dropper

http://dandyair.com/font-awesome/rOOAL/

exe.dropper

https://www.tekadbatam.com/wp-content/AUiw/

exe.dropper

http://kellymorganscience.com/wp-content/SCsWM/

exe.dropper

https://tewoerd.eu/img/DALSKE/

exe.dropper

http://mediainmedia.com/plugin_opencart2.3-master/Atye/

exe.dropper

http://nuwagi.com/old/XLGjc/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Targets

    • Target

      8a7c7754_OUZnG00tUJ

    • Size

      176KB

    • MD5

      8a7c7754300dab0670eaf86357a5463d

    • SHA1

      6feb3edf05a2170772cdaef20d76b7e8e07c7b81

    • SHA256

      e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

    • SHA512

      3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation