Overview

overview

10

Static

static

3

2025-02-13...id.exe

windows7-x64

10

2025-02-13...id.exe

windows10-2004-x64

10

Resubmissions

16/02/2025, 02:17

250216-cq22caxmex 10

13/02/2025, 13:55

250213-q77vtayret 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-02-13_90fed2855f0003495ff60d47ddad14a8_icedid

  • Size

    456KB

  • Sample

    250213-q77vtayret

  • MD5

    90fed2855f0003495ff60d47ddad14a8

  • SHA1

    c5963014a06d55ab68ee393c0fd255fe9244d3b0

  • SHA256

    4e8029a6c642310474a2baf6a1b0f655856ca39c5b944247435c0ee6daf16c8f

  • SHA512

    8290dd62e2c79e5e6d848633fd2cdf73940f27e71e0c4d8e16588d67f82c9f7945f24f1898a27d9e2e04afe2a2319d52497e66b4aa8ac0e2979af450a2238f9a

  • SSDEEP

    12288:sH9tNCsqbIoCyJgllh/krhMQUqKsRR2B9:ytEfbjJglvqyB9

Score
10/10
emotetepoch1adwarebankerdiscoverypersistenceprivilege_escalationstealertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

24.249.135.121:80

185.94.252.13:443

149.62.173.247:8080

50.28.51.143:8080

80.249.176.206:80

5.196.35.138:7080

190.17.195.202:80

143.0.87.101:80

190.147.137.153:443

181.30.69.50:80

51.255.165.160:8080

190.96.118.251:443

72.47.248.48:7080

178.79.163.131:8080

212.231.60.98:80

187.162.248.237:80

2.47.112.152:80

68.183.190.199:8080

192.241.143.52:8080

77.55.211.77:8080
rsa_pubkey.plain

Targets

    • Target

      2025-02-13_90fed2855f0003495ff60d47ddad14a8_icedid

    • Size

      456KB

    • MD5

      90fed2855f0003495ff60d47ddad14a8

    • SHA1

      c5963014a06d55ab68ee393c0fd255fe9244d3b0

    • SHA256

      4e8029a6c642310474a2baf6a1b0f655856ca39c5b944247435c0ee6daf16c8f

    • SHA512

      8290dd62e2c79e5e6d848633fd2cdf73940f27e71e0c4d8e16588d67f82c9f7945f24f1898a27d9e2e04afe2a2319d52497e66b4aa8ac0e2979af450a2238f9a

    • SSDEEP

      12288:sH9tNCsqbIoCyJgllh/krhMQUqKsRR2B9:ytEfbjJglvqyB9

    Score
    10/10
    emotetepoch1bankerdiscoverytrojanadwarepersistenceprivilege_escalationstealer

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Emotet family

      emotet

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks