Overview
overview
10Static
static
8client/202...st.exe
windows7-x64
10client/202...st.exe
windows10-2004-x64
10client/202...-2.doc
windows7-x64
10client/202...-2.doc
windows10-2004-x64
10client/202...on.exe
windows7-x64
10client/202...on.exe
windows10-2004-x64
10client/202...ro.exe
windows7-x64
10client/202...ro.exe
windows10-2004-x64
10client/gpu...3C.exe
windows7-x64
10client/gpu...3C.exe
windows10-2004-x64
10client/gpu...rt.exe
windows7-x64
10client/gpu...rt.exe
windows10-2004-x64
10dc/gpuheal...rt.exe
windows7-x64
10dc/gpuheal...rt.exe
windows10-2004-x64
10General
-
Target
2020-01-14-malware-and-artifacts-from-Emotet-epoch-2-infection-with-Trickbot-gtag-mor75.zip
-
Size
22.5MB
-
Sample
221220-ycbswsea2x
-
MD5
58fd4df914ef17cd19f0bb03e709c5b9
-
SHA1
fcb4c01c970f5b97076a5c93c9ebcc35358215bc
-
SHA256
7a5d773aa6ef4cf71a18234e4037788e635a3f8aeefef0e9898d69453bc53025
-
SHA512
b17f997d75597cfec942efdad3ac9e971d3c4a3e26a21a3a213d0235880b716882e45bdbb6b126b797350a42a73acc216512128421202575119975978766866d
-
SSDEEP
393216:J3CH9KWwLtfI2nfIkuBvF6sbP5HlqjUGO0hXCYwLHOfitxfU3:5qxwpfI2nfIkuB0sbRYjUGvdwLUitVU3
Behavioral task
behavioral1
Sample
client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
Resource
win10v2004-20221111-en
Behavioral task
behavioral5
Sample
client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral7
Sample
client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win7-20221111-en
Behavioral task
behavioral8
Sample
client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe
Resource
win7-20220901-en
Behavioral task
behavioral10
Sample
client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
client/gpuhealth/syrecrt.exe
Resource
win7-20220812-en
Behavioral task
behavioral12
Sample
client/gpuhealth/syrecrt.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
dc/gpuhealth/syrecrt.exe
Resource
win7-20221111-en
Malware Config
Extracted
http://www.lakshmichowkusa.com/emailwishlist/g3B/
http://adampettycreative.com/x92k25/387wj2/
https://backerplanet.com/forum_posts/0i7/
http://hebreoenlinea-chms.mx/wp-content/sW0yhVry/
https://formaper.webinarbox.it/admin/Kb/
Extracted
emotet
Epoch2
66.7.242.50:8080
72.186.137.156:80
197.89.27.26:8080
91.250.96.22:8080
37.187.72.193:8080
104.131.44.150:8080
167.71.10.37:8080
78.24.219.147:8080
159.65.25.128:8080
95.128.43.213:8080
179.13.185.19:80
186.86.247.171:443
110.142.38.16:80
201.173.217.124:443
169.239.182.217:8080
211.63.71.72:8080
104.131.11.150:8080
190.55.181.54:443
209.146.22.34:443
64.53.242.181:8080
190.220.19.82:443
66.34.201.20:7080
27.109.153.201:8090
46.105.131.69:443
110.36.217.66:8080
120.151.135.224:80
73.217.39.73:80
87.230.19.21:8080
47.180.91.213:80
73.11.153.178:8080
45.33.49.124:443
209.141.54.221:8080
121.88.5.176:443
31.31.77.83:443
79.159.249.152:80
178.237.139.83:8080
180.92.239.110:8080
201.229.45.222:8080
173.21.26.90:80
200.116.145.225:443
221.165.123.72:80
217.160.182.191:8080
47.6.15.79:80
60.231.217.199:8080
91.205.215.66:443
182.176.132.213:8090
181.143.126.170:80
70.169.53.234:80
176.106.183.253:8080
92.222.216.44:8080
87.106.136.232:8080
103.86.49.11:8080
5.196.74.210:8080
78.142.114.69:80
105.247.123.133:8080
47.6.15.79:443
98.174.166.205:80
110.143.84.202:80
95.213.236.64:8080
2.237.76.249:80
45.51.40.140:80
91.73.197.90:80
78.186.5.109:443
120.150.246.241:80
195.244.215.206:80
58.171.42.66:8080
190.117.126.169:80
37.157.194.134:443
192.241.255.77:8080
190.12.119.180:443
190.117.226.104:80
116.48.142.21:443
200.21.90.5:443
62.75.187.192:8080
41.60.200.34:80
70.46.247.81:80
85.67.10.190:80
223.197.185.60:80
190.146.205.227:8080
62.138.26.28:8080
5.32.55.214:80
108.191.2.72:80
59.103.164.174:80
178.153.176.124:80
78.189.180.107:80
87.106.139.101:8080
210.6.85.121:80
47.156.70.145:80
173.91.11.142:80
31.172.240.91:8080
88.249.120.205:80
37.139.21.175:8080
115.95.6.218:443
206.81.10.215:8080
105.27.155.182:80
209.97.168.52:8080
205.185.117.108:8080
24.164.79.147:8080
188.0.135.237:80
139.130.242.43:80
46.105.131.87:80
189.203.177.41:443
149.202.153.252:8080
98.156.206.153:80
160.16.215.66:8080
201.184.105.242:443
98.30.113.161:80
5.154.58.24:80
173.66.96.135:80
206.189.112.148:8080
70.175.171.251:80
190.53.135.159:21
24.105.202.216:443
89.211.186.227:443
108.179.206.219:8080
139.130.241.252:443
50.116.86.205:8080
181.126.70.117:80
24.94.237.248:80
62.75.141.82:80
183.102.238.69:465
177.239.160.121:80
104.236.246.93:8080
47.153.183.211:80
190.189.224.117:443
185.144.138.190:80
59.8.197.241:80
93.147.141.5:80
Targets
-
-
Target
client/2020-01-14-Trickbot-gtag-mor75-retrieved-by-Emotet-infected-host.exe
-
Size
524KB
-
MD5
8c9749ce27426c38f68f21f3dcf71b68
-
SHA1
68852ef36597d732c721b990328f0fc4d2d5e48a
-
SHA256
37b1c77366dc34b787f076b894fb97e384ffc1ac4212a716cce2446a9aad3b6b
-
SHA512
d7d5c3909ddf45f22a267dab3db9908c8e29d931f51910b5bad0025db49b1f394de5ea6662480797a9eb808a832e6ae3ca7cff319ec407f57a624ad636c65efb
-
SSDEEP
12288:aY+PntopVydpBB9H4dJX5az1et14MHB8e:b+15pBB9oazg6MH
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
client/2020-01-14-Word-doc-with-macro-for-Emotet-epoch-2.doc
-
Size
248KB
-
MD5
33285762e4d622f59232275df1f8c895
-
SHA1
9453e78df31d27a75141b298f256fb26c8cd473c
-
SHA256
7a8cb80805617a8ba3c67dca2a80527c17601869e833272758ea10ef5926b29f
-
SHA512
2fa25ab449522106249c7a62581148ee9a32d5aa0c0f7dd2a2f4fa79a8b2ac529ad287be84c95e8bc5b0f266307989874bdbaf9fd2ed5cb8c509093af8040231
-
SSDEEP
6144:p0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+RC/uY+KSX:p0E3dxtR/iU9mvUPMR+KSX
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in System32 directory
-
-
-
Target
client/2020-01-14-follow-up-Emotet-binary-after-initial-infection.exe
-
Size
496KB
-
MD5
b63535fb171eb493b69f2f3b16abe387
-
SHA1
9516de4b4c9de9b996a5d262f4ec633b4ed74bb1
-
SHA256
c2030bc67f28a570054486b23de2b7a1bccb90fc9cfbf698b8bc380bb03adeb2
-
SHA512
0c89c501d2d6f9dd91c38f8b695c537ba9cf227aad4057792344d328df83db395412fd17db8d9a63c571161df7f2dde4260e58c157f4c98b69e2e317a354fd0b
-
SSDEEP
6144:9iSzpqgWJwaLWQt4f4GijqIM48RUl1PZ3e6yIXqn3BTZe87aPqn3BTZeW7BeI1Dn:9hDa9Y4GDNO1h3etVBU83BUWUODn
-
Drops file in System32 directory
-
-
-
Target
client/2020-01-14-initial-Emotet-binary-retrieved-by-Word-macro.exe
-
Size
356KB
-
MD5
b4a58a14bc4c26df5f91324ca957e825
-
SHA1
8f0f8eee355a0598b1d1f3536eb1a9a9c00c5629
-
SHA256
97e5d5a43200ee67ef2429d0721b0559ef0f931c248cb96ca5f5ee6fb81eb365
-
SHA512
0bd04cb13e8a6ae10a58e1c27961a2c6ce3a03f5d9b43b9542063df2cb102a8cc7e59bed07e8ab163c92d99242cc7d390a0690127eb7016f2051d9db43fc64e7
-
SSDEEP
6144:+gfUOzb1CGLJl+wO7UCW83CIc/BnpIF7pqj2XIM0mvLpEN6SofWS/eI1Df:+gMOzb1dPnO7UsyIany7o2XIMxavofWG
-
Drops file in System32 directory
-
-
-
Target
client/gpuhealth/GƆCCKX ↀↂ;;;;;;;;;;;;;;;;;;;ж;;;;;;;;;;;яЫФЦйвЫФв003423C.exe
-
Size
524KB
-
MD5
8c9749ce27426c38f68f21f3dcf71b68
-
SHA1
68852ef36597d732c721b990328f0fc4d2d5e48a
-
SHA256
37b1c77366dc34b787f076b894fb97e384ffc1ac4212a716cce2446a9aad3b6b
-
SHA512
d7d5c3909ddf45f22a267dab3db9908c8e29d931f51910b5bad0025db49b1f394de5ea6662480797a9eb808a832e6ae3ca7cff319ec407f57a624ad636c65efb
-
SSDEEP
12288:aY+PntopVydpBB9H4dJX5az1et14MHB8e:b+15pBB9oazg6MH
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
client/gpuhealth/syrecrt.exe
-
Size
636KB
-
MD5
b1ee1b5bcf9081a4556c9eca8ddee08b
-
SHA1
44ce0ffaa7e00619041d5c6a55b333cd68b34e9f
-
SHA256
7f35814a168b322a70dde6653134deed0771ae69860e1dcb3b464237c327357b
-
SHA512
cd56bbc7039cdba69ba475a9011511425cbe63d3ba6f59aa569c8a96089ee0df0a54b0b789be43d4d1af66c1b21d3d1c191240a40dc3692f39eebbd3be6a4a56
-
SSDEEP
6144:FsD8AG8s0dYIeyIJqteVmdVYk9Lx9WjVLDVElBik2RSRmf/XPXtPiMN7vTBAHn9:WP40drYqMmdVdpx9qylokuSRmf/XwMtc
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
-
-
Target
dc/gpuhealth/syrecrt.exe
-
Size
636KB
-
MD5
49718c5d4fa5792aad0397190ffbbb49
-
SHA1
9f5c0dd44498575be961e494c53e2de3c27b701a
-
SHA256
2de0320f9a93943e2b0564b760cdbfa13bd90b70cef3c59aadd132c3d24c2de0
-
SHA512
8aec434749b54ca0b9ea80b5d34efa6bc718b7831e6510667fdfbf69e7eabea5dc4ee747bcd2da8b5917489b8f493be22d748e5d16d723793a3727a32066390c
-
SSDEEP
6144:FsD8AG8D0dYIeyIJqteVmdVYk9Lx9WjVLDVElBik2RSRmf/XPXtPiMN7vTBAHn9:WPP0drYqMmdVdpx9qylokuSRmf/XwMtc
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-