emotet

General

Target

2022-1-28-a43f25c31c035e3914ec0034f5c9fb07.bin
Size

46KB
Sample

220128-dycbbsehgk
MD5

a43f25c31c035e3914ec0034f5c9fb07
SHA1

2d691e4ca3a1dce9db2d997554aadc7f8320c944
SHA256

79d708ce28a18ccaeffa88968dbebb4f5bdbde87f7bf9f5f2237b42db2bbac10
SHA512

32025211fc94f108cd512b585849df104a6523d1bd1a16cad95b18748126528c39f8c42dd9c2bf36875c5310fb2dd6802189c34839cb4b96664735244442e07e

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://91.240.118.168/vvv/ppp/fe.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.240.118.168/vvv/ppp/fe.png

Extracted

Family

emotet

Botnet

Epoch4

C2

51.15.4.22:443

173.214.173.220:8080

212.237.5.209:443

192.254.71.210:443

216.158.226.206:443

162.243.175.63:443

212.24.98.99:8080

58.227.42.236:80

45.118.115.99:8080

104.251.214.46:8080

185.157.82.209:8080

46.55.222.11:443

188.40.137.206:8080

81.0.236.90:443

103.75.201.2:443

129.232.188.93:443

195.154.133.20:443

159.8.59.82:8080

79.172.212.216:8080

138.185.72.26:8080

eck1.plain

ecs1.plain

Targets

- Target
  
  2022-1-28-a43f25c31c035e3914ec0034f5c9fb07.bin
- Size
  
  46KB
- MD5
  
  a43f25c31c035e3914ec0034f5c9fb07
- SHA1
  
  2d691e4ca3a1dce9db2d997554aadc7f8320c944
- SHA256
  
  79d708ce28a18ccaeffa88968dbebb4f5bdbde87f7bf9f5f2237b42db2bbac10
- SHA512
  
  32025211fc94f108cd512b585849df104a6523d1bd1a16cad95b18748126528c39f8c42dd9c2bf36875c5310fb2dd6802189c34839cb4b96664735244442e07e
Score

10^/10

emotet epoch4 banker suricata trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
  suricata: ET MALWARE W32/Emotet CnC Beacon 3
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2