General
-
Target
XYZDropper.ps1
-
Size
934B
-
Sample
240518-ssxgmsaa57
-
MD5
1c1993547e335066690268b61a80f3d1
-
SHA1
b88c3905e103e70c1386e9fb551a8268e3ea689c
-
SHA256
30e7ebeab787d4c6ec8f2b8ca1c472f0947c0fbfae1e94a460a4089d5a8a63dc
-
SHA512
c302dad7c6ce6aed6b1e04335e0cedb550668ae713f5da212745346090473273a89ccb870b10c725fe85269629ccb13aa97c8e8dd00acf61d9e61f6d251a8182
Malware Config
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
Targets
-
-
Target
XYZDropper.ps1
-
Size
934B
-
MD5
1c1993547e335066690268b61a80f3d1
-
SHA1
b88c3905e103e70c1386e9fb551a8268e3ea689c
-
SHA256
30e7ebeab787d4c6ec8f2b8ca1c472f0947c0fbfae1e94a460a4089d5a8a63dc
-
SHA512
c302dad7c6ce6aed6b1e04335e0cedb550668ae713f5da212745346090473273a89ccb870b10c725fe85269629ccb13aa97c8e8dd00acf61d9e61f6d251a8182
Score10/10-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-