Overview

overview

10

Static

static

8

sample.doc

windows7_x64

10

sample.doc

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    995b0366f1af39913abd334fd84c7b3ab3eb4a2367ef31cb568bc28f07dd4da6

  • Size

    120KB

  • Sample

    220520-1b1fzaghdj

  • MD5

    2618712fe98fde7eba4fd8b29420187f

  • SHA1

    65c8d321c30ef67241a482addacb06f556c77697

  • SHA256

    995b0366f1af39913abd334fd84c7b3ab3eb4a2367ef31cb568bc28f07dd4da6

  • SHA512

    6b3a8335ce032e71d56e9e74e03391d17492a2625ee1be392da505df898f585aa549ec544b1f05f4c45d82ad5842e6edfa33da2eb52d79c5ce1db31895fd2c9b

Score
10/10
emotetepoch3bankermacrosuricatatrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.riserproperty.com/wp-content/SMXB/
exe.dropper

http://laurenebohn.com/bGOHy/8qa07472/
exe.dropper

http://lezliedavis.com/swift/5TQW6sf32736/
exe.dropper

http://cityplanter.co.uk/zy0b9r0s/lTZlc101auo37/
exe.dropper

http://farooquie.com/wp-admin/da52f6268411/
exe.dropper

https://onejmd.com/wp-content/xmO/
exe.dropper

https://s1.finmsb.com/uc_autoscripts/AcpPvTthOX/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.136.179.102:80

97.107.135.148:8080

94.102.209.63:7080

162.144.42.60:8080

81.214.253.80:443

87.106.231.60:8080

107.161.30.122:8080

66.61.94.36:80

139.59.12.63:8080

203.153.216.178:7080

178.33.167.120:8080

179.62.238.49:80

50.116.78.109:8080

74.208.173.91:8080

113.161.148.81:80

179.5.118.12:80

202.5.47.71:80

91.83.93.103:443

181.113.229.139:443

41.185.29.128:8080
rsa_pubkey.plain

Targets

    • Target

      sample

    • Size

      229KB

    • MD5

      c890c90cd1daa9f30a77a791945e812c

    • SHA1

      707f2c30ddd2f4196b67854fb3e621ed6ee3985e

    • SHA256

      8d1ed93b4b818cdc5fa85348c03845e9dd6a15c09ba7b89d5430512b44cf58ad

    • SHA512

      c500e2223b8a95eff88d3a2f3bb7ca3648be6a2a90ddaaf4b1f0ec08a079444fc861666819f08350366712010b55499d4a7050e5c230f8bb7ff7c7bed4f51ee6

    Score
    10/10
    emotetepoch3bankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks