Overview

overview

10

Static

static

8

sample.doc

windows7_x64

10

sample.doc

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    007519ef44b82eb7cf8ca4396253d87824a21d4b0ed9bf46580505f382881c30

  • Size

    120KB

  • Sample

    220520-14rpjahgek

  • MD5

    7f1877e3be53aa38bb93c55a12175412

  • SHA1

    5f4161ed61c9429456aa39b5bfdbeaf4dba9cd60

  • SHA256

    007519ef44b82eb7cf8ca4396253d87824a21d4b0ed9bf46580505f382881c30

  • SHA512

    bf22f251a84dd3313b54db617925b42dcd55575e546b41ac3d1aff06c3d7de4f1c40ec8ece527e2babd11c5121d0f5dab3e4e240c6f0afa59747e5c1cb346410

Score
10/10
emotetepoch3bankermacrosuricatatrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.riserproperty.com/wp-content/SMXB/
exe.dropper

http://laurenebohn.com/bGOHy/8qa07472/
exe.dropper

http://lezliedavis.com/swift/5TQW6sf32736/
exe.dropper

http://cityplanter.co.uk/zy0b9r0s/lTZlc101auo37/
exe.dropper

http://farooquie.com/wp-admin/da52f6268411/
exe.dropper

https://onejmd.com/wp-content/xmO/
exe.dropper

https://s1.finmsb.com/uc_autoscripts/AcpPvTthOX/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.136.179.102:80

97.107.135.148:8080

94.102.209.63:7080

162.144.42.60:8080

81.214.253.80:443

87.106.231.60:8080

107.161.30.122:8080

66.61.94.36:80

139.59.12.63:8080

203.153.216.178:7080

178.33.167.120:8080

179.62.238.49:80

50.116.78.109:8080

74.208.173.91:8080

113.161.148.81:80

179.5.118.12:80

202.5.47.71:80

91.83.93.103:443

181.113.229.139:443

41.185.29.128:8080
rsa_pubkey.plain

Targets

    • Target

      sample

    • Size

      230KB

    • MD5

      2ba199830e02f22bafd6e1b95c2a9edd

    • SHA1

      7fd3abfc5c2c2b75687ea26bca278c78cf4231b6

    • SHA256

      073c8de0d08dd3cf78888e683f471a0ab2c10cc4d082a67c3a3458d7d0d9e83d

    • SHA512

      77c129f355292492b9c546a8df9bc3a468356a66c96b448b14c3de708c70a4dc2812540971ad08e1bb9b9973eae5074756444e639d072bd8b80c1bc559cbdf38

    Score
    10/10
    emotetepoch3bankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks