Overview

overview

10

Static

static

8

emotet_v6

windows10_x64

10

emotet_doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7bc5e83a8527487d0defeb918eb9057463c50d1f1aa3ba60e507fc9b41d8c07c

  • Size

    37KB

  • Sample

    211204-eh2fysabhp

  • MD5

    f649face8ed4e2cae03b07b852cfc9e6

  • SHA1

    6e922adfedd533fd60e95f575eb59e4e7ae3a887

  • SHA256

    7bc5e83a8527487d0defeb918eb9057463c50d1f1aa3ba60e507fc9b41d8c07c

  • SHA512

    e3770c587c3169d8b7c8363fb6e1bca1ae10ae6036783a538778585c028efb7c0dc0662935469c984075a881487451ab100486f39a1488daf71b613af97a06ac

Score
10/10
emotetepoch4bankermacrosuricatatrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://inorte.com.br/awkl2/NFkGvrZkoh7TdwolFM/
xlm40.dropper

http://otoway.com/5/h2syajK78/
xlm40.dropper

http://xhamster-deutsch.biz/wp-content/cache/m1G6/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://inorte.com.br/awkl2/NFkGvrZkoh7TdwolFM/

Extracted

Family

emotet

Botnet

Epoch4

C2

172.104.227.98:443

31.207.89.74:8080

46.55.222.11:443

41.76.108.46:8080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

203.114.109.124:443

45.118.115.99:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

192.254.71.210:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080
eck1.plain
ecs1.plain

Targets

    • Target

      7bc5e83a8527487d0defeb918eb9057463c50d1f1aa3ba60e507fc9b41d8c07c

    • Size

      37KB

    • MD5

      f649face8ed4e2cae03b07b852cfc9e6

    • SHA1

      6e922adfedd533fd60e95f575eb59e4e7ae3a887

    • SHA256

      7bc5e83a8527487d0defeb918eb9057463c50d1f1aa3ba60e507fc9b41d8c07c

    • SHA512

      e3770c587c3169d8b7c8363fb6e1bca1ae10ae6036783a538778585c028efb7c0dc0662935469c984075a881487451ab100486f39a1488daf71b613af97a06ac

    Score
    10/10
    emotetepoch4bankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

      suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

      suricata

    • suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata: ET MALWARE W32/Emotet CnC Beacon 3

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks