Overview

overview

10

Static

static

8

sample.doc

windows7_x64

10

sample.doc

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8057d06f05ff824df6c7982078109f5a311aca6262153271ff4f5b84f8c42dc6

  • Size

    120KB

  • Sample

    220520-1f4deshafp

  • MD5

    2c30d33eca5ffc6c6d351851986ebb33

  • SHA1

    403a2e53f3cb9dca3dec55147d971689b5aa52b0

  • SHA256

    8057d06f05ff824df6c7982078109f5a311aca6262153271ff4f5b84f8c42dc6

  • SHA512

    1bad73b6c71967f97c0c53ed9c1162d9a525e7da07af483a1487fc88efa5b2e0fdafe87761cb62f8b6ec8af29bde2a03ddb82679940cd078146b2ccb8cb0dfda

Score
10/10
emotetepoch3bankermacrosuricatatrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.riserproperty.com/wp-content/SMXB/
exe.dropper

http://laurenebohn.com/bGOHy/8qa07472/
exe.dropper

http://lezliedavis.com/swift/5TQW6sf32736/
exe.dropper

http://cityplanter.co.uk/zy0b9r0s/lTZlc101auo37/
exe.dropper

http://farooquie.com/wp-admin/da52f6268411/
exe.dropper

https://onejmd.com/wp-content/xmO/
exe.dropper

https://s1.finmsb.com/uc_autoscripts/AcpPvTthOX/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.136.179.102:80

97.107.135.148:8080

94.102.209.63:7080

162.144.42.60:8080

81.214.253.80:443

87.106.231.60:8080

107.161.30.122:8080

66.61.94.36:80

139.59.12.63:8080

203.153.216.178:7080

178.33.167.120:8080

179.62.238.49:80

50.116.78.109:8080

74.208.173.91:8080

113.161.148.81:80

179.5.118.12:80

202.5.47.71:80

91.83.93.103:443

181.113.229.139:443

41.185.29.128:8080
rsa_pubkey.plain

Targets

    • Target

      sample

    • Size

      229KB

    • MD5

      f511d47d090a995952f146c65fb54584

    • SHA1

      30b845ed1fa6276323541f7a8918bc0f30c2b819

    • SHA256

      50437050143a90f69082fa8484843932f19cd04cb0c87d80d73447381136b5d7

    • SHA512

      949020c48459a0fe2132b6615b5cf7d200d798713a78df4f4c6142922e235ed5e378e61d00427dd33621e528502421d22d4188cd87c8388127352602b0048076

    Score
    10/10
    emotetepoch3bankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks