General

  • Target

    Form - Jul 31, 2020.doc

  • Size

    169KB

  • Sample

    200731-bb6jg4hf4x

  • MD5

    8864657efd01dce67c963db119a86048

  • SHA1

    a5365413843d4184386432313b328a2e530bdc5a

  • SHA256

    836e0e9799a0302b3e3c5d6a9339af1d93ba2518ee7801b021e5c30e5fd0b418

  • SHA512

    8aa7198880fb5de3344be76e930ac1c59a1d2904a76ac3b1450c277920645e0fb335152e66aef64224c64bc981a22b596a8838157b7c187fff05c417055c5734

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: http://mktf.mx/wp-includes/nf_p0w_z87k/
    exe.dropper: http://dragonfang.com/nav/pu_4cz89_3e81ooa90c/
    exe.dropper: http://maxiquim.cl/cgi-bin/qa0_i_qzk/
    exe.dropper: https://www.planetkram.com/egherdbaseball/z_xu00_9hbk939elw/
    exe.dropper: http://meulocal.com.br/suspend-page/0e_wt5bq_ekn/

Extracted

  • Family

    emotet

  • Botnet

    Epoch2

  • C2

    47.146.117.214:80
    62.108.54.22:8080
    212.51.142.238:8080
    190.160.53.126:80
    87.106.136.232:8080
    74.208.45.104:8080
    121.124.124.40:7080
    124.45.106.173:443
    76.27.179.47:80
    210.165.156.91:80
    61.19.246.238:443
    81.2.235.111:8080
    169.239.182.217:8080
    181.230.116.163:80
    139.130.242.43:80
    46.105.131.87:80
    139.59.60.244:8080
    222.214.218.37:4143
    41.60.200.34:80
    200.55.243.138:8080

  • rsa_pubkey.plain

Targets


    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    Query Registry  T1012  (2)
    System Information Discovery  T1082  (2)

Tasks