General

  • Target

    64834feccfe3b4476d521f4fe089f11cd4ed5dbcf0d8f6d42cdf4b3a26a51f6f

  • Size

    552KB

  • Sample

    191212-bp6f1zjvla

  • MD5

    9360dea7497560c5f682d01ed66e501e

  • SHA1

    da68d5de1759276099c3c3c7e3c70232db528885

  • SHA256

    64834feccfe3b4476d521f4fe089f11cd4ed5dbcf0d8f6d42cdf4b3a26a51f6f

  • SHA512

    22428221dd1dfa565454055e77eead7b8298603751f59bdc722cd0178ede13f25115bbbc8f7083331a48d0f7c8d9ee5aa8e9f016a7b7101f6c570bb089277bd7

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

91.74.175.46:80

96.38.234.10:80

71.76.45.83:443

96.126.121.64:443

104.236.137.72:8080

85.234.143.94:8080

80.85.87.122:8080

130.45.45.31:80

62.75.143.100:7080

142.93.114.137:8080

79.7.114.1:80

134.209.214.126:8080

68.183.190.199:8080

139.162.118.88:8080

212.71.237.140:8080

46.28.111.142:7080

181.231.62.54:80

200.124.225.32:80

73.167.135.180:80

200.119.11.118:443

rsa_pubkey.plain
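To make the extracted C2 list actionable, here is an added Python example (not part of the sandbox report) that matches connection-log lines against the IP:port pairs listed above and emits one Suricata rule per endpoint. The log-line format, the sample lines and the SID range are constructed for illustration; only the endpoints come from the report. Because the config pairs each address with a specific port, the default match is exact (ip, port); the `ip_only` switch shows the noisier address-only match a hunter might use after the infrastructure has rotated.

```python
"""Match connection logs against the Emotet Epoch1 C2 list from the report.

Added example: the (ip, port) pairs are copied from the extracted config
above; the log format and SAMPLE_CONN_LOG are constructed for illustration.
"""
import ipaddress
import re
from collections import namedtuple

# C2 endpoints exactly as listed in the extracted config.
EMOTET_EPOCH1_C2 = {
    ("91.74.175.46", 80), ("96.38.234.10", 80), ("71.76.45.83", 443),
    ("96.126.121.64", 443), ("104.236.137.72", 8080), ("85.234.143.94", 8080),
    ("80.85.87.122", 8080), ("130.45.45.31", 80), ("62.75.143.100", 7080),
    ("142.93.114.137", 8080), ("79.7.114.1", 80), ("134.209.214.126", 8080),
    ("68.183.190.199", 8080), ("139.162.118.88", 8080), ("212.71.237.140", 8080),
    ("46.28.111.142", 7080), ("181.231.62.54", 80), ("200.124.225.32", 80),
    ("73.167.135.180", 80), ("200.119.11.118", 443),
}

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)

# Constructed sample lines; the third has a listed IP on an unlisted port,
# the last one exercises the parser's error path.
SAMPLE_CONN_LOG = """\
2019-12-12T10:01:03Z 10.0.0.21:49712 -> 91.74.175.46:80 tcp
2019-12-12T10:01:05Z 10.0.0.21:49713 -> 104.236.137.72:8080 tcp
2019-12-12T10:01:09Z 10.0.0.21:49714 -> 91.74.175.46:443 tcp
2019-12-12T10:02:00Z 10.0.0.33:52001 -> 203.0.113.9:443 tcp
not a connection record
""".splitlines()

Hit = namedtuple("Hit", "ts src dst dport")


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def find_c2_hits(lines, c2=EMOTET_EPOCH1_C2, ip_only=False):
    """Return a Hit for every line whose destination is a listed C2.

    By default a hit requires the exact (ip, port) pair from the config.
    ip_only=True also flags the listed addresses on any port, which is
    noisier but catches an operator moving a server to a new port.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dst, dport = rec["dst"], int(rec["dport"])
        matched = dst in c2_ips if ip_only else (dst, dport) in c2
        if matched:
            hits.append(Hit(rec["ts"], rec["src"], dst, dport))
    return hits


def suricata_rules(c2=EMOTET_EPOCH1_C2, base_sid=9000001):
    """Emit one Suricata/Snort rule per C2 endpoint, sorted by address.

    base_sid is an assumed local-rule range; pick one that does not collide
    with rules already deployed.
    """
    ordered = sorted(c2, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet Epoch1 C2 {ip}:{port}"; flow:to_server; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(ordered)
    ]


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_CONN_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport}  EMOTET EPOCH1 C2")
    print("\n".join(suricata_rules()[:3]))
```

Against the constructed lines the exact match flags two connections and the address-only match three; the `91.74.175.46:443` line is the difference, and whether that should alert depends on how stale the config is by the time it is used. Emotet epochs rotate tier-1 servers frequently, so treat a list like this as a snapshot with a short shelf life.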

Targets

    • Target

      64834feccfe3b4476d521f4fe089f11cd4ed5dbcf0d8f6d42cdf4b3a26a51f6f

    • Size

      552KB

    • MD5

      9360dea7497560c5f682d01ed66e501e

    • SHA1

      da68d5de1759276099c3c3c7e3c70232db528885

    • SHA256

      64834feccfe3b4476d521f4fe089f11cd4ed5dbcf0d8f6d42cdf4b3a26a51f6f

    • SHA512

      22428221dd1dfa565454055e77eead7b8298603751f59bdc722cd0178ede13f25115bbbc8f7083331a48d0f7c8d9ee5aa8e9f016a7b7101f6c570bb089277bd7

    • Emotet

      Emotet is a modular trojan and malware loader that is primarily spread through spam emails carrying malicious attachments or links.

    • Windows security modification

    • Checks system information in the registry

      System information is often read from the registry to fingerprint the host and detect sandbox or analysis environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Disabling Security Tools (T1089): 1 signature

    Modify Registry (T1112): 1 signature

  • Discovery

    Query Registry (T1012): 1 signature

    System Information Discovery (T1082): 1 signature
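The behaviour signatures under Targets and the ATT&CK mapping above are what a detection engineer would turn into host-side rules. The following added Python example (not part of the report) shows one way to do that over Sysmon-style events: registry writes under Windows Defender keys map to the "Windows security modification" signature and T1089, registry writes by a process outside the Windows directory map to T1112, and file creation under System32 by such a process maps to "Drops file in System32 directory". The event records, process names, file paths and the Defender key list are constructed for illustration; only the technique IDs and behaviour names come from the report. One caveat: Sysmon records registry writes but not reads, so the "Checks system information in the registry" signature (T1012 / T1082) is not observable from this event source and needs an API trace or ETW registry telemetry instead.

```python
"""Map Sysmon-style host events to the behaviours and ATT&CK v6 techniques
the report lists.

Added example: the event records, process names and paths are constructed
for illustration; only the technique IDs and behaviour names come from
the report.
"""
from dataclasses import dataclass
from typing import Optional

# Path prefixes, lower-cased. Normal (not raw) strings so the trailing
# backslash is a single character.
WINDOWS_DIR = "c:\\windows\\"
SYSTEM32_DIR = "c:\\windows\\system32\\"

# Registry locations a "Windows security modification" would touch:
# writes here can disable or weaken Windows Defender. Assumed list.
DEFENDER_KEYS = (
    "hklm\\software\\policies\\microsoft\\windows defender\\",
    "hklm\\software\\microsoft\\windows defender\\",
)

# Constructed Sysmon-like events (EventID 1 = process create,
# 11 = file create, 13 = registry value set).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "TargetFilename": r"C:\Windows\System32\dropped.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\UpdateTask"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]


@dataclass
class Finding:
    behaviour: str
    technique: Optional[str]   # ATT&CK ID, None where the report gives none
    name: Optional[str]
    event_index: int


def _is_os_image(image: str) -> bool:
    """Crude trust test: binaries under C:\\Windows are treated as OS code."""
    return image.lower().startswith(WINDOWS_DIR)


def classify_event(idx: int, ev: dict) -> list:
    """Return the findings a single event produces (possibly several)."""
    findings = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
        target = ev.get("TargetObject", "").lower()
        if target.startswith(DEFENDER_KEYS):
            findings.append(Finding("Windows security modification",
                                    "T1089", "Disabling Security Tools", idx))
        if not _is_os_image(image):
            findings.append(Finding("Registry modified by non-OS process",
                                    "T1112", "Modify Registry", idx))
    elif ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "").lower()
        if target.startswith(SYSTEM32_DIR) and not _is_os_image(image):
            findings.append(Finding("Drops file in System32 directory",
                                    None, None, idx))
    return findings


def triage(events: list) -> list:
    """Run every event through classify_event and collect the findings."""
    out = []
    for i, ev in enumerate(events):
        out.extend(classify_event(i, ev))
    return out


def technique_counts(findings: list) -> dict:
    """Per-technique counts, the same shape as the report's ATT&CK matrix."""
    counts = {}
    for f in findings:
        if f.technique:
            counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.behaviour} ({f.technique or 'no ID'})")
```

The "process lives under C:\Windows" trust test is deliberately crude: an attacker who has already dropped a binary into System32 passes it, so in production the check should be on signer or on a process-ancestry allow-list rather than on path alone.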

Tasks