8a7c7754_OUZnG00tUJ

General
Target

8a7c7754_OUZnG00tUJ

Size

176KB

Sample

210913-kwg75agdgp

Score
10 /10
MD5

8a7c7754300dab0670eaf86357a5463d

SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81

SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

SHA512

3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

Malware Config

Extracted

Language ps1
Source
URLs
exe.dropper

https://santyago.org/wp-content/0mcYS6/

exe.dropper

http://dandyair.com/font-awesome/rOOAL/

exe.dropper

https://www.tekadbatam.com/wp-content/AUiw/

exe.dropper

http://kellymorganscience.com/wp-content/SCsWM/

exe.dropper

https://tewoerd.eu/img/DALSKE/

exe.dropper

http://mediainmedia.com/plugin_opencart2.3-master/Atye/

exe.dropper

http://nuwagi.com/old/XLGjc/

Extracted

Family emotet
Botnet Epoch2
C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

187.161.206.24:80

172.91.208.86:80

124.41.215.226:80

107.5.122.110:80

200.123.150.89:443

95.179.229.244:8080

83.169.36.251:8080

1.221.254.82:80

95.213.236.64:8080

181.169.34.190:80

47.144.21.12:443

203.153.216.189:7080

89.216.122.92:80

84.39.182.7:80

94.200.114.161:80

104.236.246.93:8080

139.99.158.11:443

176.111.60.55:8080

78.24.219.147:8080

220.245.198.194:80

62.30.7.67:443

139.162.108.71:8080

104.32.141.43:80

153.232.188.106:80

93.147.212.206:80

79.137.83.50:443

96.249.236.156:443

24.43.99.75:80

75.80.124.4:80

42.200.107.142:80

rsa_pubkey.plain
Targets
Target

8a7c7754_OUZnG00tUJ

MD5

8a7c7754300dab0670eaf86357a5463d

Filesize

176KB

Score
10/10
SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81

SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

SHA512

3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

Tags

Signatures

  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Emotet Payload

    Description

    Detects Emotet payload in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      8/10

                      behavioral1

                      10/10

                      behavioral2

                      10/10