Overview

overview

10

Static

static

8

SecuriteIn...10.doc

windows7_x64

10

SecuriteIn...10.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.11929.5227.9410

  • Size

    168KB

  • Sample

    200801-2dp52555en

  • MD5

    9818d6a4e594ec8dff03c6fd4115d3fc

  • SHA1

    a0914b69782965ba17fbdf6a26f3a261d368e60e

  • SHA256

    b788c3eb69332103a2934da12e1a1675bdda621b08a33cd5f6dca0c6980c18c3

  • SHA512

    caccb715aaa2ddadf315f7ec072f898fcd05cd257580c359d41162eeedfeef1d50fb2b5c89a749ad39f4f325e1b66c03a4321652a3bd02b7f1c11293cf57a5ee

Score
10/10
emotetepoch3bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://yeichner.com/old/iyv0hf8926444/
exe.dropper

http://ensource.co.uk/EAYO10088k/32eMeaoiq7963578/
exe.dropper

http://withdrake.com/stacymgreen/etqjdgf4343351/
exe.dropper

http://spitzertech.net/wp-content/D9pmd93694/
exe.dropper

http://www.giardinosullamaremma.it/wp-content/MnICFTr/

Extracted

Family

emotet

Botnet

Epoch3

C2

201.235.10.215:80

198.57.203.63:8080

163.172.107.70:8080

172.105.78.244:8080

107.161.30.122:8080

203.153.216.182:7080

37.46.129.215:8080

201.214.108.231:80

178.33.167.120:8080

181.113.229.139:443

192.210.217.94:8080

24.157.25.203:80

94.96.60.191:80

157.7.164.178:8081

75.127.14.170:8080

189.146.1.78:443

190.164.75.175:80

192.241.220.183:8080

190.55.233.156:80

91.83.93.103:443
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.11929.5227.9410

    • Size

      168KB

    • MD5

      9818d6a4e594ec8dff03c6fd4115d3fc

    • SHA1

      a0914b69782965ba17fbdf6a26f3a261d368e60e

    • SHA256

      b788c3eb69332103a2934da12e1a1675bdda621b08a33cd5f6dca0c6980c18c3

    • SHA512

      caccb715aaa2ddadf315f7ec072f898fcd05cd257580c359d41162eeedfeef1d50fb2b5c89a749ad39f4f325e1b66c03a4321652a3bd02b7f1c11293cf57a5ee

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks