General

  • Target

    Invoice.doc

  • Size

    191KB

  • Sample

    231105-zp78asce51

  • MD5

    09715902c5f4eba328355a569572c895

  • SHA1

    2bca468922ec3241b97e53d4678d789cb5874e5a

  • SHA256

    2beec2edda2346042fdfa829caaa7403e7842e786b9b9e89baaf4cd5e45d189a

  • SHA512

    e1fe5e2fde4d82b152587102240157629fe48cf828174c7df76c3c84d5ec6963171ac38afdfc3fcfb5542e79581e528f3c8a122db6b649903afb22bee6a362a0

  • SSDEEP

    3072:8xJivKie6B/w2yiWydwgbIfAAk0Djn5Y7weQrq0DkbRR79:8xJiP/w2P6fkCjn5Y7we2q0DkNR79

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (exe.dropper)

Extracted

  • Family

    emotet

  • Botnet

    Epoch3

  • C2


rsa_pubkey.plain

Targets


    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet payload

      Detects Emotet payload in memory.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
