Malware sandboxing report by Hatching Triage

General

Target

8a7c7754_OUZnG00tUJ
Size

176KB
Sample

210913-kwg75agdgp
MD5

8a7c7754300dab0670eaf86357a5463d
SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81
SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e
SHA512

3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

Score

10^/10

Malware Config

Extracted

Language	ps1
Source
URLs	https://santyago.org/wp-content/0mcYS6/ http://dandyair.com/font-awesome/rOOAL/ https://www.tekadbatam.com/wp-content/AUiw/ http://kellymorganscience.com/wp-content/SCsWM/ https://tewoerd.eu/img/DALSKE/ http://mediainmedia.com/plugin_opencart2.3-master/Atye/ http://nuwagi.com/old/XLGjc/ exe.dropper https://santyago.org/wp-content/0mcYS6/ exe.dropper http://dandyair.com/font-awesome/rOOAL/ exe.dropper https://www.tekadbatam.com/wp-content/AUiw/ exe.dropper http://kellymorganscience.com/wp-content/SCsWM/ exe.dropper https://tewoerd.eu/img/DALSKE/ exe.dropper http://mediainmedia.com/plugin_opencart2.3-master/Atye/ exe.dropper http://nuwagi.com/old/XLGjc/

Extracted

Family	emotet
Botnet	Epoch2
C2	71.72.196.159:80 134.209.36.254:8080 120.138.30.150:8080 94.23.216.33:80 157.245.99.39:8080 137.59.187.107:8080 94.23.237.171:443 61.19.246.238:443 156.155.166.221:80 50.35.17.13:80 153.137.36.142:80 91.211.88.52:7080 209.141.54.221:8080 185.94.252.104:443 174.45.13.118:80 87.106.136.232:8080 62.75.141.82:80 213.196.135.145:80 188.219.31.12:80 82.80.155.43:80 187.161.206.24:80 172.91.208.86:80 124.41.215.226:80 107.5.122.110:80 200.123.150.89:443 95.179.229.244:8080 83.169.36.251:8080 1.221.254.82:80 95.213.236.64:8080 181.169.34.190:80 47.144.21.12:443 203.153.216.189:7080 89.216.122.92:80 84.39.182.7:80 94.200.114.161:80 104.236.246.93:8080 139.99.158.11:443 176.111.60.55:8080 78.24.219.147:8080 220.245.198.194:80 62.30.7.67:443 139.162.108.71:8080 104.32.141.43:80 153.232.188.106:80 93.147.212.206:80 79.137.83.50:443 96.249.236.156:443 24.43.99.75:80 75.80.124.4:80 42.200.107.142:80 110.5.16.198:80 5.196.74.210:8080 110.145.77.103:80 200.114.213.233:8080 85.152.162.105:80 5.39.91.110:7080 109.74.5.95:8080 140.186.212.146:80 37.187.72.193:8080 97.82.79.83:80 139.130.242.43:80 201.173.217.124:443 123.176.25.234:80 104.131.44.150:8080 74.208.45.104:8080 139.59.60.244:8080 120.150.60.189:80 74.219.172.26:80 219.75.128.166:80 82.225.49.121:80 85.105.205.77:8080 24.179.13.119:80 74.120.55.163:80 174.102.48.180:443 219.74.18.66:443 168.235.67.138:7080 194.187.133.160:443 78.187.156.31:80 103.86.49.11:8080 61.92.17.12:80 24.137.76.62:80 104.131.11.150:443 79.98.24.39:8080 75.139.38.211:80 162.241.242.173:8080 195.251.213.56:80 37.139.21.175:8080 46.105.131.79:8080 50.91.114.38:80 121.124.124.40:7080 74.134.41.124:80 68.188.112.97:80 137.119.36.33:80 121.7.127.163:80 87.106.139.101:8080 94.1.108.190:443 169.239.182.217:8080 71.72.196.159:80 134.209.36.254:8080 120.138.30.150:8080 94.23.216.33:80 157.245.99.39:8080 137.59.187.107:8080 94.23.237.171:443 61.19.246.238:443 156.155.166.221:80 50.35.17.13:80 153.137.36.142:80 91.211.88.52:7080 209.141.54.221:8080 185.94.252.104:443 174.45.13.118:80 87.106.136.232:8080 62.75.141.82:80 213.196.135.145:80 188.219.31.12:80 82.80.155.43:80 187.161.206.24:80 172.91.208.86:80 124.41.215.226:80 107.5.122.110:80 200.123.150.89:443 95.179.229.244:8080 83.169.36.251:8080 1.221.254.82:80 95.213.236.64:8080 181.169.34.190:80 47.144.21.12:443 203.153.216.189:7080 89.216.122.92:80 84.39.182.7:80 94.200.114.161:80 104.236.246.93:8080 139.99.158.11:443 176.111.60.55:8080 78.24.219.147:8080 220.245.198.194:80 62.30.7.67:443 139.162.108.71:8080 104.32.141.43:80 153.232.188.106:80 93.147.212.206:80 79.137.83.50:443 96.249.236.156:443 24.43.99.75:80 75.80.124.4:80 42.200.107.142:80 110.5.16.198:80 5.196.74.210:8080 110.145.77.103:80 200.114.213.233:8080 85.152.162.105:80 5.39.91.110:7080 109.74.5.95:8080 140.186.212.146:80 37.187.72.193:8080 97.82.79.83:80 139.130.242.43:80 201.173.217.124:443 123.176.25.234:80 104.131.44.150:8080 74.208.45.104:8080 139.59.60.244:8080 120.150.60.189:80 74.219.172.26:80 219.75.128.166:80 82.225.49.121:80 85.105.205.77:8080 24.179.13.119:80 74.120.55.163:80 174.102.48.180:443 219.74.18.66:443 168.235.67.138:7080 194.187.133.160:443 78.187.156.31:80 103.86.49.11:8080 61.92.17.12:80 24.137.76.62:80 104.131.11.150:443 79.98.24.39:8080 75.139.38.211:80 162.241.242.173:8080 195.251.213.56:80 37.139.21.175:8080 46.105.131.79:8080 50.91.114.38:80 121.124.124.40:7080 74.134.41.124:80 68.188.112.97:80 137.119.36.33:80 121.7.127.163:80 87.106.139.101:8080 94.1.108.190:443 169.239.182.217:8080
rsa_pubkey.plain

Targets

- Target
  
  8a7c7754_OUZnG00tUJ
- Size
  
  176KB
- MD5
  
  8a7c7754300dab0670eaf86357a5463d
- SHA1
  
  6feb3edf05a2170772cdaef20d76b7e8e07c7b81
- SHA256
  
  e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e
- SHA512
  
  3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2
Score

10^/10

emotet epoch2 banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Emotet Payload
  Detects Emotet payload in memory.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Emotet

Process spawned unexpected child process

Emotet Payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Drops file in System32 directory

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2