emotet

Sharing

Copy URL

Twitter E-mail

General

Target

2019-05-01-Emotet-and-Trickbot-malware-and-artifacts.zip
Size

11.7MB
Sample

230511-asjxfacf8y
MD5

9d6afea5fd7fd56405fc4dbd1170131d
SHA1

0c294bece575234aeaff788ba7506537d0acfa01
SHA256

69a2ab72eb15c6bc8cc6cbd3d66bb445821c822f41494b54c48bc94388fa1f0c
SHA512

514cc2064deaba4f3dc5df59d879aa77dfe2e0b9c8b1bfd92c12296f2996a91ab1dfaa30668853f9200f7087add980d5d68aeef0dfa7638312cc1803c76f4dd0
SSDEEP

196608:aP0P1L+jwvDGDlRmzvBOuQUNsc4KqIZlmMkbSrhkRKzZ/nEX2ivvfiZ4SZxBPeQB:aP0P1L+jqDg8BLsc4KqIZgMcSNTZ/nE+

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://webaphobia.com/images/72Ca/

exe.dropper

https://montalegrense.graficosassociados.com/keywords/FOYo/

exe.dropper

http://purimaro.com/1/ww/

exe.dropper

http://jpmtech.com/css/GOOvqd/

exe.dropper

http://118.89.215.166/wp-includes/l5/

Targets

- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts.zip
- Size
  
  11.7MB
- MD5
  
  9d6afea5fd7fd56405fc4dbd1170131d
- SHA1
  
  0c294bece575234aeaff788ba7506537d0acfa01
- SHA256
  
  69a2ab72eb15c6bc8cc6cbd3d66bb445821c822f41494b54c48bc94388fa1f0c
- SHA512
  
  514cc2064deaba4f3dc5df59d879aa77dfe2e0b9c8b1bfd92c12296f2996a91ab1dfaa30668853f9200f7087add980d5d68aeef0dfa7638312cc1803c76f4dd0
- SSDEEP
  
  196608:aP0P1L+jwvDGDlRmzvBOuQUNsc4KqIZlmMkbSrhkRKzZ/nEX2ivvfiZ4SZxBPeQB:aP0P1L+jqDg8BLsc4KqIZgMcSNTZ/nE+
Score

1^/10
behavioral1 behavioral2
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
- Size
  
  168KB
- MD5
  
  84d164fbfe0982a00404cb3d7b164bf5
- SHA1
  
  e068cd94e06c1f592a2d16ac2adc52c2ce506fa5
- SHA256
  
  2032acdf04511314d53f51d1fef7f9e62e69abbe3db0b31a0302a8545ab1bd82
- SHA512
  
  be33a2f96c68ff640a1f59241969fb27971305ecf251c2f8422d3e5a6b0bf609580a7360db3fa3c0355c956f19efec5f7d2f69e947e8f3c979f930ee1761da04
- SSDEEP
  
  3072:tzFEhjHHIUjCgArLEZXApH3UHE360ESYUzp8t:1FWHIU2Y9KEHE36FS5p8t
Score

10^/10

emotet banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
- Size
  
  168KB
- MD5
  
  1cc91941efd6d3da54a1054d9c9d870f
- SHA1
  
  b6531c99b2fb0c51941ac3a636c5c3cf69073f65
- SHA256
  
  6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f
- SHA512
  
  bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69
- SSDEEP
  
  3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf
Score

10^/10

emotet banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
- Size
  
  157KB
- MD5
  
  d05d59b36d76a2d919d73e5383f0b35b
- SHA1
  
  bdd29b90d93e3bd85b2e0291e3601a45b0c8e33c
- SHA256
  
  486ede4ecff9a951261af3d267072bf75a37e7812afd91dc4c30bf5535dede8b
- SHA512
  
  74efa7b921beda7eff6c56ccd43eef44d4e1ec19e6bb76ccb08e879b2e491a7fffbf176b095244a73181098583d925d56f44fc9cb41c73b67c43a85224f04fc2
- SSDEEP
  
  3072:paROF9HwBJa2vMjrmok3XxK6T9f5pNF/NB+GQIiqGgyVcU4TZP8eIn:l9wBJa2EmvXxKy9FJjQIi1gyR/
Score

10^/10

emotet banker trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe
- Size
  
  341KB
- MD5
  
  094f3e14648c2f009e6eed6b18b93e50
- SHA1
  
  aa37e82cbcae38e5804af281b98faee75b9ff32a
- SHA256
  
  2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a
- SHA512
  
  f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee
- SSDEEP
  
  6144:6auoLBJvcsNyRNaTc/lEmdrfHBxgFWHLpSHEBEpnCy:hnBJvcsIRmc/RBxTHdSHEBaC
Score

8^/10

evasion
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral10 behavioral9
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-registry-update-to-keep-Emotet-persistent.txt
- Size
  
  300B
- MD5
  
  be5a41c9ed919dc3ef02bb28e97a8ed0
- SHA1
  
  c9d1abea70281e3c8d0d80f6246051d600fb8538
- SHA256
  
  010974c4401ab5b48fa1b6f1273640be033e34ca064a06b5985deb344cc58974
- SHA512
  
  bdae58f70069fca19e5779d0ee9d18d69583597cb80cc8d9c19356d6d8dc3d6ac763e17f10097832f559eb83e0f9f204cb18687ecfeacb83bef1ef5cddccba7c
Score

1^/10
behavioral11 behavioral12
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-sched-task-to-keep-Trickbot-persistent.txt
- Size
  
  3KB
- MD5
  
  16ea5fbc04b0d42008fc4183b1958c00
- SHA1
  
  8dc50062caef33ea3e37ffa0bfff1abee0779af0
- SHA256
  
  47d2a9866b1377a8b502ca5776ef2c6e92407ff362594aaafc62dfe784f73bd1
- SHA512
  
  5bc167e5851656f7ab10fdd524ceccf6aed8f55dde11d4766df3041b2930f53c738399d1ddd9c3e75eaa0fc594137adb84e02fdb9c32f53094e3fab567c2d529
Score

1^/10
behavioral13 behavioral14
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.doc
- Size
  
  153KB
- MD5
  
  e86dc2921df8755d77acff8708119664
- SHA1
  
  436ef69d6378e37a48f9ec10142722d0ed706f82
- SHA256
  
  45b3a138f08570ca324abd24b4cc18fc7671a6b064817670f4c85c12cfc1218f
- SHA512
  
  67f03d1a0f5b98c1ee8b16c1c604d03e838cefbc0d01a6ad2e7de0987679edcb2962f372a7838dc5a5dc1673d80a5be556a3923f32824e05cdd80c056c82fe09
- SSDEEP
  
  3072:k77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qDnFbHjuTK9eBB3:k77HUUUUUUUUUUUUUUUUUUUT52VEFbHC
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral15 behavioral16
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.zip
- Size
  
  91KB
- MD5
  
  21a2b98f280142683e3dcfadfdbe1057
- SHA1
  
  e6bf7d5909ced72705938ebaf0cf9487d7bdef5c
- SHA256
  
  a6f6f0973b1f05842884aff6e9f150a6c367e9dd5ff794ab1aaa0d36d111555e
- SHA512
  
  7cdedf845a8ce608bdd50e70d6cdae33caa10273d4923d8203f36b0d984dabc71bf8306df2e36b36053d9c8cd17208da7392c580e0d642af56f68573b55e44fb
- SSDEEP
  
  1536:a0Yt9I9gWX/ZJVh2Q14DRQSwJunn/pIWUJ6xApz7LkdK/K33eZDAwU4S20w0JiP8:a0T1nVh2Q1QaJCpwT7LwKCHeuwU4S9iE
Score

1^/10
behavioral17 behavioral18
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/importDll64
- Size
  
  8.5MB
- MD5
  
  7b4a6ac9c787baf95d918d8659451233
- SHA1
  
  d57a3bebd6235d8337e7437f77b7e17131f60c94
- SHA256
  
  2fc335a4f0c3e848bb6741320ede759ed6acf038de3d46dec15a54224bb58e04
- SHA512
  
  6c352b8a0a3f5184fc3c5639c44398ea61fff2132d4dea4e17875c29f0d740fba83e83561c7d0dd0eab37392984a8298d8b1e65fff12ce74919758e1bc0b8cba
- SSDEEP
  
  196608:TMVgwyMVaPDIQT+IdEYNMVJRgWn4K8SqgfRSB9ZV32+B0wtpFa6nBP6QOF3:TM6yoPD1T+IKquJjGB9H3CwtpFz6QK3
Score

1^/10
behavioral19 behavioral20
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64
- Size
  
  699KB
- MD5
  
  9c154da2425a0454464b12379a870e7a
- SHA1
  
  0993b208a2965e555920d8b8bfbc584205c91f63
- SHA256
  
  92aa10c3fe97ad10b8e3d09ab761544faf0506c8c040d2dd131e0c03f349acf4
- SHA512
  
  e004fdedc092f3ebda5493b90c4ca6020dcdf4218cc0306cd0fed6faa54918d7d55229bf4709b88c326f824c9144b7346103a2652a8d9ded964a9d0f921ab498
- SSDEEP
  
  12288:dRCwspZCpMx26eMsKVnxHoWjCrVr+5PNkMgFf2kvXl8icSG8oun2Ru/:dmZCqx26psGJoWkr2PNwf2kvX9cSG8oe
Score

1^/10
behavioral21 behavioral22
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dinj
- Size
  
  129KB
- MD5
  
  fa596ea2092cbf079959f64fe6159f4a
- SHA1
  
  85bb8421dec7b87969071446191261920a60aa16
- SHA256
  
  c4862718cb29d729320fade9ee7c4c51f9bd369f94552b4f60c616fe82064fe9
- SHA512
  
  9e3be7db7f0b55293a7630c37eefa8abbdecbe42515aef17b9231e5f3f4030b29bfad346188600d2d204db0b878a036af668251c610e0e7866bc8a9105f2795d
- SSDEEP
  
  3072:z/cBRtHtcQNBFZRfzwzmcgOR6zC5bNUJowP1c/81iNfUR:z/+RtNcQNzZRrwzV0zYbNAow1c8iFUR
Score

1^/10
behavioral23 behavioral24
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dpost
- Size
  
  928B
- MD5
  
  a731480d32b85bef157c72864517bf30
- SHA1
  
  21747b914bd47f7663da8816b17679da6f94ffd9
- SHA256
  
  0be2a214f619927c226ddacc53721a04aee3174215e9377778d26026502b380d
- SHA512
  
  10e4606dd31cd519d4a0760ca9f4c9631e7f2d09c2c898a48a47d216b547b8036f7e421fed84c68d71cfecc5aa8bc957ffee1988dc386ba64ef423c7f5a49f29
Score

1^/10
behavioral25 behavioral26
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/sinj
- Size
  
  82KB
- MD5
  
  d2a06ea942e8701b24f5cd7c13051271
- SHA1
  
  e748807456b674cb15a3afbc561ceffc5524225e
- SHA256
  
  5faf1ddf4fa41821241f92ff7fe5c00507d1421c9a24c1b4bedc16dd0ebfdb50
- SHA512
  
  f65cfdde577773a2867b7b14a3394fedef15ee28b5a431793c08608352f09654d8cfe070fdbbe877c48365edc56d4ab354cff3ed78f1868a486bb52888bcd5ef
- SSDEEP
  
  1536:JZBKWq8fkBZ66zmoE+uIHyU2swP6rYL05C8tcDtD3Bvq:RKWvfoZlq1+uIHEPP6J5C8tcDtDpq
Score

1^/10
behavioral27 behavioral28
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64
- Size
  
  27KB
- MD5
  
  14e03bca1d729e7b013cadea30b17daa
- SHA1
  
  bf3c86e93f49ea8b2f29b34253697262c6dbfc66
- SHA256
  
  d796d1243fabe84e0e027a540d22d98a11e6df00c18527a3f49faad00be43c3b
- SHA512
  
  c9609c57023627642fb06bd28794c152aa06598f31931a17068eb7c3fd7535f23699b747d3c5ebeac686ba1edcedc77f391b2beb73a863fcfa19d6c66a0bc1ef
- SSDEEP
  
  768:RfIHso5dKWwGbHN0uy6xyQ29EBKI1n/YE/STSiEoW+VyD:SHsOApGbHNa9u/LgEJD
Score

1^/10
behavioral29 behavioral30
- Target
  
  2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64_configs/mailconf
- Size
  
  224B
- MD5
  
  6ab86920c1e20e2d53528d2bf5083a8c
- SHA1
  
  1edb33735d1e4c5c54f5f23f40f7a3f9c36accdc
- SHA256
  
  897e52b898f40ef85a99fffbb1ac6d09b76310d9d3b677c0f67813938f4b1fd4
- SHA512
  
  ea2bbedd382d3405b675679b95e472670bb94f0f8c9d64182a0efd4e6ae3457337f55b0fdf1c866100f57715780f54e58bbdf105db8a623fbbf3ab0f054008ff
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Extracted

Targets

Drops file in System32 directory

Emotet

Drops file in System32 directory

Emotet

Drops file in System32 directory

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32