General

  • Target

    SecuriteInfo.com.VBA.Heur.LEmoDldr.1.Gen.26108.14212

  • Size

    173KB

  • Sample

    200801-5avnaw9jzs

  • MD5

    4f22560ef839a2cbdf19881d01eafda9

  • SHA1

    66320a7f198cad4284e7dd72f3e4457fc60a58f1

  • SHA256

    1c8026d6bd75a1ea091d6a6676d3a7e3bcba3b17717e21607488b9fdb762fba7

  • SHA512

    1b9c246db3122b73ec45b9c420bea58cd7a8664c155d9ad511a31d759d786145b53a0f47af7683f49f126be44f91139a0a3d33bd69a605df3f15315cad417fce

Malware Config

Extracted (downloader stage)

  • Language

    ps1

  • Source URLs (exe.dropper)

    https://sparkcreativeworks.com/spark/QoZqtWjUs/
    https://quickwood.com/wp-content/kiw586pbrk520193/
    http://thehenkins.com/cgi-bin/qlGK8wk6ll1458113/
    http://bangkokglass.com/wp-admin/XPfdRq/
    http://blscomputerworks.com/journal/nkk7135571/

Extracted (Emotet payload)

  • Family

    emotet

  • Botnet

    Epoch3

  • C2 (ip:port)

    187.64.128.197:80
    198.57.203.63:8080
    163.172.107.70:8080
    212.112.113.235:80
    157.7.164.178:8081
    181.167.35.84:80
    212.156.133.218:80
    185.142.236.163:443
    181.143.101.19:8080
    75.127.14.170:8080
    115.165.3.213:80
    190.55.233.156:80
    139.59.12.63:8080
    144.139.91.187:80
    37.70.131.107:80
    181.113.229.139:443
    41.185.29.128:8080
    177.37.81.212:443
    5.79.70.250:8080
    78.188.170.128:80

  • rsa_pubkey.plain
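The extracted configuration above is the operationally useful part of this report. The following Python is an added example, not part of the sandbox report and not any vendor's tooling: it parses the exe.dropper URLs and the Epoch3 C2 endpoints (copied verbatim from above into constructed input strings), validates them, and turns them into a host blocklist and one Suricata rule per C2 endpoint. The rule shape, the SID range starting at 1000001 and the alert message text are this example's own assumptions.

```python
"""Added example (not from the sandbox report): turn the extracted Emotet
configuration into blockable indicators and Suricata rules."""
from __future__ import annotations

import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: the report's exe.dropper URLs, copied verbatim.
DROPPER_URLS = """
https://sparkcreativeworks.com/spark/QoZqtWjUs/
https://quickwood.com/wp-content/kiw586pbrk520193/
http://thehenkins.com/cgi-bin/qlGK8wk6ll1458113/
http://bangkokglass.com/wp-admin/XPfdRq/
http://blscomputerworks.com/journal/nkk7135571/
"""

# Constructed input: the report's Epoch3 C2 list, copied verbatim.
C2_LINES = """
187.64.128.197:80
198.57.203.63:8080
163.172.107.70:8080
212.112.113.235:80
157.7.164.178:8081
181.167.35.84:80
212.156.133.218:80
185.142.236.163:443
181.143.101.19:8080
75.127.14.170:8080
115.165.3.213:80
190.55.233.156:80
139.59.12.63:8080
144.139.91.187:80
37.70.131.107:80
181.113.229.139:443
41.185.29.128:8080
177.37.81.212:443
5.79.70.250:8080
78.188.170.128:80
"""


def parse_dropper_urls(text: str) -> list[dict]:
    """Split each URL into scheme/host/path so the host can feed a DNS or
    proxy blocklist and the path a URL-match rule. Rejects anything that
    is not a plain http(s) URL so a garbled line cannot slip through."""
    out = []
    for line in text.split():
        u = urlsplit(line)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError(f"unexpected dropper URL: {line}")
        out.append({"url": line, "scheme": u.scheme,
                    "host": u.hostname, "path": u.path})
    return out


def parse_c2(text: str) -> list[tuple[str, int]]:
    """Parse ip:port lines into (ip, port), validating both parts."""
    out = []
    for line in text.split():
        host, _, port = line.rpartition(":")
        ip = ipaddress.ip_address(host)      # raises ValueError on junk
        p = int(port)
        if not 0 < p < 65536:
            raise ValueError(f"bad port in {line}")
        out.append((str(ip), p))
    return out


def port_histogram(c2: list[tuple[str, int]]) -> dict[int, int]:
    """Which ports the botnet listens on; useful for egress policy review."""
    return dict(Counter(port for _, port in c2))


def dropper_host_blocklist(urls: list[dict]) -> list[str]:
    """Distinct hostnames hosting the downloader payload, sorted."""
    return sorted({u["host"] for u in urls})


def suricata_rules(c2: list[tuple[str, int]], first_sid: int = 1000001) -> list[str]:
    """One alert per C2 endpoint. Keyed on ip:port because the config has
    no hostnames; the SID base is an assumption for this example."""
    rules = []
    for i, (ip, port) in enumerate(c2):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet Epoch3 C2 {ip}:{port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{first_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    urls = parse_dropper_urls(DROPPER_URLS)
    c2 = parse_c2(C2_LINES)
    print("dropper hosts:", dropper_host_blocklist(urls))
    print("c2 ports:", port_histogram(c2))
    print("\n".join(suricata_rules(c2)))
```

The rules match on destination ip:port only, because the configuration carries endpoints and no hostnames; the three 443 entries are treated the same way as the rest rather than through TLS fields. Adjust the SID base to a range your ruleset does not already use before loading.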

Targets

    • Target

      SecuriteInfo.com.VBA.Heur.LEmoDldr.1.Gen.26108.14212

    • Size

      173KB

    • MD5

      4f22560ef839a2cbdf19881d01eafda9

    • SHA1

      66320a7f198cad4284e7dd72f3e4457fc60a58f1

    • SHA256

      1c8026d6bd75a1ea091d6a6676d3a7e3bcba3b17717e21607488b9fdb762fba7

    • SHA512

      1b9c246db3122b73ec45b9c420bea58cd7a8664c155d9ad511a31d759d786145b53a0f47af7683f49f126be44f91139a0a3d33bd69a605df3f15315cad417fce

    Score
    10/10
    • Emotet

      Emotet is a modular trojan and malware loader, primarily spread through spam emails carrying macro-enabled Office documents. This sample (detection name VBA.Heur.LEmoDldr) is the VBA downloader stage, not the Emotet payload itself.

    • Process spawned unexpected child process

      The parent process launched a child it does not normally create, which typically indicates the parent was compromised via an exploit or macro. For this sample the extracted dropper is a PowerShell (ps1) script, consistent with the Office host spawning PowerShell to fetch the payload.

    • Emotet Payload

      Detects the Emotet payload in memory (the unpacked binary whose Epoch3 botnet, C2 list and RSA public key field are extracted above).

    • Blacklisted process makes network request

      A process on the sandbox's blacklist of script hosts and living-off-the-land binaries made an outbound request; for this sample that is the PowerShell downloader stage fetching the payload from one of the exe.dropper URLs listed above.

    • Executes dropped EXE

      The downloaded payload was written to disk and launched as a new process.

    • Drops file in System32 directory

      A file was written under %SystemRoot%\System32, a location Emotet uses for its installed copy when it runs with sufficient privileges.
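The three behavioural signatures above translate directly into host-telemetry checks. The following Python is an added example, not part of the sandbox report and not any vendor's detection code: it runs those checks over a handful of constructed events laid out like Sysmon process-creation (ID 1), network-connection (ID 3) and file-create (ID 11) records. The event records, file paths and process GUIDs are made up for the example; the blacklist of script hosts is an assumption (the report does not publish its own); only the C2 addresses are copied from the extracted configuration.

```python
"""Added example, not from the sandbox report: the behavioural signatures
as checks over Sysmon-shaped events. Events below are constructed."""
from __future__ import annotations

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed blacklist of script hosts / LOLBins; the report does not list its own.
BLACKLISTED = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
               "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Subset of the report's Epoch3 C2 endpoints, copied verbatim.
KNOWN_C2 = {("187.64.128.197", 80), ("198.57.203.63", 8080),
            ("185.142.236.163", 443)}

# Constructed events as (event_id, fields). Paths, GUIDs and file names are
# invented for the example and are not indicators.
EVENTS = [
    (1, {"ProcessGuid": "{p1}",
         "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
         "CommandLine": "powershell -w hidden -nop -ep bypass -e <base64>"}),
    (3, {"ProcessGuid": "{p1}",
         "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "DestinationIp": "198.57.203.63", "DestinationPort": 8080}),
    (11, {"ProcessGuid": "{p2}",
          "Image": r"C:\Users\victim\AppData\Local\Temp\stage2.exe",
          "TargetFilename": r"C:\Windows\System32\svcupdate.exe"}),
    (1, {"ProcessGuid": "{p3}",
         "Image": r"C:\Windows\System32\svchost.exe",
         "ParentImage": r"C:\Windows\System32\services.exe",
         "CommandLine": "svchost.exe -k netsvcs"}),
]


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_child(ev: dict) -> bool:
    """Office host spawning a script host: the macro-to-PowerShell hop."""
    return (basename(ev["ParentImage"]) in OFFICE_HOSTS
            and basename(ev["Image"]) in BLACKLISTED)


def blacklisted_net(ev: dict) -> bool:
    """Any outbound connection from a blacklisted image."""
    return basename(ev["Image"]) in BLACKLISTED


def known_c2(ev: dict) -> bool:
    """Destination matches an extracted C2 endpoint."""
    return (ev["DestinationIp"], int(ev["DestinationPort"])) in KNOWN_C2


def system32_drop(ev: dict) -> bool:
    """Executable written under System32 by a process living outside
    %SystemRoot% (legitimate servicing writes there from Windows binaries)."""
    target = ev["TargetFilename"].lower()
    writer = ev["Image"].lower()
    return (target.startswith("c:\\windows\\system32\\")
            and target.endswith(".exe")
            and not writer.startswith("c:\\windows\\"))


def triage(events: list[tuple[int, dict]]) -> tuple[list[tuple[str, str]], bool]:
    """Return (hits, chained). `hits` is a list of (signature, ProcessGuid);
    `chained` is True when the same process both came from an Office parent
    and contacted a known C2, which is the Emotet downloader pattern."""
    hits: list[tuple[str, str]] = []
    office_children: set[str] = set()
    for eid, ev in events:
        guid = ev["ProcessGuid"]
        if eid == 1 and unexpected_child(ev):
            hits.append(("Process spawned unexpected child process", guid))
            office_children.add(guid)
        elif eid == 3 and blacklisted_net(ev):
            hits.append(("Blacklisted process makes network request", guid))
            if known_c2(ev):
                hits.append(("Emotet Epoch3 C2 contact", guid))
        elif eid == 11 and system32_drop(ev):
            hits.append(("Drops file in System32 directory", guid))
    chained = any(sig == "Emotet Epoch3 C2 contact" and guid in office_children
                  for sig, guid in hits)
    return hits, chained


if __name__ == "__main__":
    for sig, guid in triage(EVENTS)[0]:
        print(f"{guid}: {sig}")
```

The per-event checks are deliberately independent; the correlation in `triage` is what turns three medium-confidence signals into one high-confidence chain, mirroring the 10/10 score the sandbox assigns when they co-occur on a single process tree.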

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                       ID      Count
  Defense Evasion    Install Root Certificate        T1130   1
  Defense Evasion    Modify Registry                 T1112   1
  Discovery          Query Registry                  T1012   2
  Discovery          System Information Discovery    T1082   2

Tasks