Overview

overview

10

Static

static

8

sample.doc

windows7_x64

10

sample.doc

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d44840efcc4d9fa8736ec9788480a8c09447fb530e4853c256cc7bcbb6f0624

  • Size

    120KB

  • Sample

    220520-1j5ewseaa8

  • MD5

    5323baf3bc82148cd3610d1dd500bb1b

  • SHA1

    e1fa36fc28daf9c7783104cf329d0bf1e88112b6

  • SHA256

    6d44840efcc4d9fa8736ec9788480a8c09447fb530e4853c256cc7bcbb6f0624

  • SHA512

    d801d76b371fbe4e4eb44137f4fc571ead743a1973dcce28d1dfb649fcca3051a9a5af3b4ba267f24be81a99c6a5b0695c09614ab14f22277e796bc757443f2f

Score
10/10
emotetepoch3bankermacrosuricatatrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.riserproperty.com/wp-content/SMXB/
exe.dropper

http://laurenebohn.com/bGOHy/8qa07472/
exe.dropper

http://lezliedavis.com/swift/5TQW6sf32736/
exe.dropper

http://cityplanter.co.uk/zy0b9r0s/lTZlc101auo37/
exe.dropper

http://farooquie.com/wp-admin/da52f6268411/
exe.dropper

https://onejmd.com/wp-content/xmO/
exe.dropper

https://s1.finmsb.com/uc_autoscripts/AcpPvTthOX/

Extracted

Family

emotet

Botnet

Epoch3

C2

190.136.179.102:80

97.107.135.148:8080

94.102.209.63:7080

162.144.42.60:8080

81.214.253.80:443

87.106.231.60:8080

107.161.30.122:8080

66.61.94.36:80

139.59.12.63:8080

203.153.216.178:7080

178.33.167.120:8080

179.62.238.49:80

50.116.78.109:8080

74.208.173.91:8080

113.161.148.81:80

179.5.118.12:80

202.5.47.71:80

91.83.93.103:443

181.113.229.139:443

41.185.29.128:8080
rsa_pubkey.plain

Targets

    • Target

      sample

    • Size

      229KB

    • MD5

      75372ebbce844acd3de2d5f72c957b98

    • SHA1

      198be70841575e36272f89c10c446cdd1b509daa

    • SHA256

      1f3f1480617ee290c47e31123b1af5d4f389edfc249690a73821f1f135d0441e

    • SHA512

      ccef9bb769622e5d64a6cd66d05fe91859e63273ac93ce476001a55789766858bd5886829a5efaf583a54576170a03f9915cefed3d3d3ed34fa0deda67b24b3d

    Score
    10/10
    emotetepoch3bankersuricatatrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks