Overview

overview

10

Static

static

8

client/202...st.exe

windows7-x64

10

client/202...st.exe

windows10-2004-x64

10

client/202...-2.doc

windows7-x64

10

client/202...-2.doc

windows10-2004-x64

10

client/202...on.exe

windows7-x64

10

client/202...on.exe

windows10-2004-x64

10

client/202...ro.exe

windows7-x64

10

client/202...ro.exe

windows10-2004-x64

10

client/gpu...3C.exe

windows7-x64

10

client/gpu...3C.exe

windows10-2004-x64

10

client/gpu...rt.exe

windows7-x64

10

client/gpu...rt.exe

windows10-2004-x64

10

dc/gpuheal...rt.exe

windows7-x64

10

dc/gpuheal...rt.exe

windows10-2004-x64

10

Resubmissions

28-12-2022 03:05

221228-dk91fahc93 10

20-12-2022 19:37

221220-ycbswsea2x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2020-01-14-malware-and-artifacts-from-Emotet-epoch-2-infection-with-Trickbot-gtag-mor75.zip

  • Size

    22.5MB

  • Sample

    221220-ycbswsea2x

  • MD5

    58fd4df914ef17cd19f0bb03e709c5b9

  • SHA1

    fcb4c01c970f5b97076a5c93c9ebcc35358215bc

  • SHA256

    7a5d773aa6ef4cf71a18234e4037788e635a3f8aeefef0e9898d69453bc53025

  • SHA512

    b17f997d75597cfec942efdad3ac9e971d3c4a3e26a21a3a213d0235880b716882e45bdbb6b126b797350a42a73acc216512128421202575119975978766866d

  • SSDEEP

    393216:J3CH9KWwLtfI2nfIkuBvF6sbP5HlqjUGO0hXCYwLHOfitxfU3:5qxwpfI2nfIkuB0sbRYjUGvdwLUitVU3

Score
10/10
emotettrickbotepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://www.lakshmichowkusa.com/emailwishlist/g3B/
exe.dropper

http://adampettycreative.com/x92k25/387wj2/
exe.dropper

https://backerplanet.com/forum_posts/0i7/
exe.dropper

http://hebreoenlinea-chms.mx/wp-content/sW0yhVry/
exe.dropper

https://formaper.webinarbox.it/admin/Kb/

Extracted

Family

emotet

Botnet

Epoch2

C2

66.7.242.50:8080

72.186.137.156:80

197.89.27.26:8080

91.250.96.22:8080

37.187.72.193:8080

104.131.44.150:8080

167.71.10.37:8080

78.24.219.147:8080

159.65.25.128:8080

95.128.43.213:8080

179.13.185.19:80

186.86.247.171:443

110.142.38.16:80

201.173.217.124:443

169.239.182.217:8080

211.63.71.72:8080

104.131.11.150:8080

190.55.181.54:443

209.146.22.34:443

64.53.242.181:8080
rsa_pubkey.plain

Targets

    • Target

      client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe

    • Size

      524KB

    • MD5

      8c9749ce27426c38f68f21f3dcf71b68

    • SHA1

      68852ef36597d732c721b990328f0fc4d2d5e48a

    • SHA256

      37b1c77366dc34b787f076b894fb97e384ffc1ac4212a716cce2446a9aad3b6b

    • SHA512

      d7d5c3909ddf45f22a267dab3db9908c8e29d931f51910b5bad0025db49b1f394de5ea6662480797a9eb808a832e6ae3ca7cff319ec407f57a624ad636c65efb

    • SSDEEP

      12288:aY+PntopVydpBB9H4dJX5az1et14MHB8e:b+15pBB9oazg6MH

    Score
    10/10
    trickbotbankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

    • Target

      client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc

    • Size

      248KB

    • MD5

      33285762e4d622f59232275df1f8c895

    • SHA1

      9453e78df31d27a75141b298f256fb26c8cd473c

    • SHA256

      7a8cb80805617a8ba3c67dca2a80527c17601869e833272758ea10ef5926b29f

    • SHA512

      2fa25ab449522106249c7a62581148ee9a32d5aa0c0f7dd2a2f4fa79a8b2ac529ad287be84c95e8bc5b0f266307989874bdbaf9fd2ed5cb8c509093af8040231

    • SSDEEP

      6144:p0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+RC/uY+KSX:p0E3dxtR/iU9mvUPMR+KSX

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe

    • Size

      496KB

    • MD5

      b63535fb171eb493b69f2f3b16abe387

    • SHA1

      9516de4b4c9de9b996a5d262f4ec633b4ed74bb1

    • SHA256

      c2030bc67f28a570054486b23de2b7a1bccb90fc9cfbf698b8bc380bb03adeb2

    • SHA512

      0c89c501d2d6f9dd91c38f8b695c537ba9cf227aad4057792344d328df83db395412fd17db8d9a63c571161df7f2dde4260e58c157f4c98b69e2e317a354fd0b

    • SSDEEP

      6144:9iSzpqgWJwaLWQt4f4GijqIM48RUl1PZ3e6yIXqn3BTZe87aPqn3BTZeW7BeI1Dn:9hDa9Y4GDNO1h3etVBU83BUWUODn

    Score
    10/10
    emotetepoch2bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe

    • Size

      356KB

    • MD5

      b4a58a14bc4c26df5f91324ca957e825

    • SHA1

      8f0f8eee355a0598b1d1f3536eb1a9a9c00c5629

    • SHA256

      97e5d5a43200ee67ef2429d0721b0559ef0f931c248cb96ca5f5ee6fb81eb365

    • SHA512

      0bd04cb13e8a6ae10a58e1c27961a2c6ce3a03f5d9b43b9542063df2cb102a8cc7e59bed07e8ab163c92d99242cc7d390a0690127eb7016f2051d9db43fc64e7

    • SSDEEP

      6144:+gfUOzb1CGLJl+wO7UCW83CIc/BnpIF7pqj2XIM0mvLpEN6SofWS/eI1Df:+gMOzb1dPnO7UsyIany7o2XIMxavofWG

    Score
    10/10
    emotetepoch2bankertrojan

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Drops file in System32 directory

    behavioral7behavioral8

    • Target

      client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe

    • Size

      524KB

    • MD5

      8c9749ce27426c38f68f21f3dcf71b68

    • SHA1

      68852ef36597d732c721b990328f0fc4d2d5e48a

    • SHA256

      37b1c77366dc34b787f076b894fb97e384ffc1ac4212a716cce2446a9aad3b6b

    • SHA512

      d7d5c3909ddf45f22a267dab3db9908c8e29d931f51910b5bad0025db49b1f394de5ea6662480797a9eb808a832e6ae3ca7cff319ec407f57a624ad636c65efb

    • SSDEEP

      12288:aY+PntopVydpBB9H4dJX5az1et14MHB8e:b+15pBB9oazg6MH

    Score
    10/10
    trickbotbankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral10behavioral9

    • Target

      client/gpuhealth/syrecrt.exe

    • Size

      636KB

    • MD5

      b1ee1b5bcf9081a4556c9eca8ddee08b

    • SHA1

      44ce0ffaa7e00619041d5c6a55b333cd68b34e9f

    • SHA256

      7f35814a168b322a70dde6653134deed0771ae69860e1dcb3b464237c327357b

    • SHA512

      cd56bbc7039cdba69ba475a9011511425cbe63d3ba6f59aa569c8a96089ee0df0a54b0b789be43d4d1af66c1b21d3d1c191240a40dc3692f39eebbd3be6a4a56

    • SSDEEP

      6144:FsD8AG8s0dYIeyIJqteVmdVYk9Lx9WjVLDVElBik2RSRmf/XPXtPiMN7vTBAHn9:WP40drYqMmdVdpx9qylokuSRmf/XwMtc

    Score
    10/10
    trickbotbankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    behavioral11behavioral12

    • Target

      dc/gpuhealth/syrecrt.exe

    • Size

      636KB

    • MD5

      49718c5d4fa5792aad0397190ffbbb49

    • SHA1

      9f5c0dd44498575be961e494c53e2de3c27b701a

    • SHA256

      2de0320f9a93943e2b0564b760cdbfa13bd90b70cef3c59aadd132c3d24c2de0

    • SHA512

      8aec434749b54ca0b9ea80b5d34efa6bc718b7831e6510667fdfbf69e7eabea5dc4ee747bcd2da8b5917489b8f493be22d748e5d16d723793a3727a32066390c

    • SSDEEP

      6144:FsD8AG8D0dYIeyIJqteVmdVYk9Lx9WjVLDVElBik2RSRmf/XPXtPiMN7vTBAHn9:WPP0drYqMmdVdpx9qylokuSRmf/XwMtc

    Score
    10/10
    trickbotbankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    behavioral13behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

8
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks