General

  • Target

    45f9a309bebd5e2198a6b4c958a83414bbadd3f113068ae6c9e63bfe5d4127a7

  • Size

    120KB

  • Sample

    220520-1rgc2aebh3

  • MD5

    7f16892f9dadaf11fc3c628561f68f6e

  • SHA1

    cda25ebf46780772adcb53e4e5c2b65b55dba6a1

  • SHA256

    45f9a309bebd5e2198a6b4c958a83414bbadd3f113068ae6c9e63bfe5d4127a7

  • SHA512

    f05d1862a390ced8fe10eb8229fc79db3986366a2360ef7b2b9d9c61d901592c2a0357f2719636b8005ef4146ab76c7ce07ed93b174b7198e80c3b402f93cfa0

Malware Config

Extracted

  • Language

    ps1

  • Source URLs (exe.dropper)

    http://www.riserproperty.com/wp-content/SMXB/
    http://laurenebohn.com/bGOHy/8qa07472/
    http://lezliedavis.com/swift/5TQW6sf32736/
    http://cityplanter.co.uk/zy0b9r0s/lTZlc101auo37/
    http://farooquie.com/wp-admin/da52f6268411/
    https://onejmd.com/wp-content/xmO/
    https://s1.finmsb.com/uc_autoscripts/AcpPvTthOX/

Extracted

  • Family

    emotet

  • Botnet

    Epoch3

  • C2

    190.136.179.102:80
    97.107.135.148:8080
    94.102.209.63:7080
    162.144.42.60:8080
    81.214.253.80:443
    87.106.231.60:8080
    107.161.30.122:8080
    66.61.94.36:80
    139.59.12.63:8080
    203.153.216.178:7080
    178.33.167.120:8080
    179.62.238.49:80
    50.116.78.109:8080
    74.208.173.91:8080
    113.161.148.81:80
    179.5.118.12:80
    202.5.47.71:80
    91.83.93.103:443
    181.113.229.139:443
    41.185.29.128:8080

  • rsa_pubkey.plain

Targets

    • Target

      sample

    • Size

      229KB

    • MD5

      6de130361d95f32a9fd86dd77d429c4f

    • SHA1

      c243968d2b3e6ee4823421040310625adc6e376b

    • SHA256

      900e897c3d7f08039833fa89748e84c98a62d959e4e8e8cc54c832acd902470d

    • SHA512

      19b7ef974ee2b92d712eb31b7bfd3f1769060a09ac9431c993e637b7e8821a2108f9d69dac24072802761db3177c026afa5e80aaf18ab1a302ad7c65005d6470

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (1) T1112

  • Discovery

    System Information Discovery (3) T1082
    Query Registry (2) T1012

Tasks