emotet | fa9052ec297d39514aec2cdbdf04a5bb53e0e8a67760070e56e09e43d4acf738 | Triage

Sharing

General

Target

4d478c33b8134fa3553362d1d9648cb5_JaffaCakes118
Size

133KB
Sample

241016-rj5wzstdjh
MD5

4d478c33b8134fa3553362d1d9648cb5
SHA1

7204c708eecf449af04acaa9537e4bfeea625e13
SHA256

fa9052ec297d39514aec2cdbdf04a5bb53e0e8a67760070e56e09e43d4acf738
SHA512

3c6491b657ea4302d499b646f49189ed3bdc7f605ac33155f72d0408bda6f749a58eb932a7ac1c5c1ad11c0f7b49db761cdcd884b829bb2caaabdd2e03d75e3c
SSDEEP

3072:A77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q3DdUL3MsN0a:A77HUUUUUUUUUUUUUUUUUUUT52VkhUcW

Score

10^/10

emotet banker discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mobilizr.com/slagmite/vfao_7pkco0lob-674967226/

exe.dropper

http://mmesupport.com/upload_docs/7qnxu0_on92iv5o8u-07294/

exe.dropper

https://miv-survey.com/ws/xz8yftcm6t_bdxduwga3w-3/

exe.dropper

http://moolo.pl/pub/NauVcJcbPH/

exe.dropper

http://mstation.jp/2004christmas/ybgiax_c3bk83e7-33621494/

Targets

- Target
  
  4d478c33b8134fa3553362d1d9648cb5_JaffaCakes118
- Size
  
  133KB
- MD5
  
  4d478c33b8134fa3553362d1d9648cb5
- SHA1
  
  7204c708eecf449af04acaa9537e4bfeea625e13
- SHA256
  
  fa9052ec297d39514aec2cdbdf04a5bb53e0e8a67760070e56e09e43d4acf738
- SHA512
  
  3c6491b657ea4302d499b646f49189ed3bdc7f605ac33155f72d0408bda6f749a58eb932a7ac1c5c1ad11c0f7b49db761cdcd884b829bb2caaabdd2e03d75e3c
- SSDEEP
  
  3072:A77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q3DdUL3MsN0a:A77HUUUUUUUUUUUUUUUUUUUT52VkhUcW
Score

10^/10

emotet banker discovery execution trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

emotetbankerdiscoveryexecutiontrojan

behavioral2

emotetbankerexecutiontrojan