General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385

  • Size

    169KB

  • Sample

    200801-dhxs7rjnw2

  • MD5

    ad4dab090e9db1de2ce2972440becfa5

  • SHA1

    f5bce1285800898458044ff22dd93e5795a5e92e

  • SHA256

    58c574f8ab938e878c2d66861aa38821876dcb5a156c46ac9985a8b59f97bb8c

  • SHA512

    87f4d9f18704cdfa8ff11610ef5ed945cb2b68a9c48ccebea363b29b10d1d8f8ecc0ffe4d13c3856c9be6ed6e9d811d7da3d0b613f7b06a4ef56f4eb4d3c96ce

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://mktf.mx/wp-includes/nf_p0w_z87k/

exe.dropper

http://dragonfang.com/nav/pu_4cz89_3e81ooa90c/

exe.dropper

http://maxiquim.cl/cgi-bin/qa0_i_qzk/

exe.dropper

https://www.planetkram.com/egherdbaseball/z_xu00_9hbk939elw/

exe.dropper

http://meulocal.com.br/suspend-page/0e_wt5bq_ekn/

Extracted

Family

emotet

Botnet

Epoch2

C2

142.105.151.124:443

62.108.54.22:8080

212.51.142.238:8080

71.208.216.10:80

108.48.41.69:80

83.110.223.58:443

210.165.156.91:80

104.131.44.150:8080

104.236.246.93:8080

5.39.91.110:7080

209.141.54.221:8080

209.182.216.177:443

153.126.210.205:7080

91.211.88.52:7080

180.92.239.110:8080

183.101.175.193:80

162.241.92.219:8080

87.106.139.101:8080

114.146.222.200:80

65.111.120.223:80

rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.12932.19584.10385

    • Size

      169KB

    • MD5

      ad4dab090e9db1de2ce2972440becfa5

    • SHA1

      f5bce1285800898458044ff22dd93e5795a5e92e

    • SHA256

      58c574f8ab938e878c2d66861aa38821876dcb5a156c46ac9985a8b59f97bb8c

    • SHA512

      87f4d9f18704cdfa8ff11610ef5ed945cb2b68a9c48ccebea363b29b10d1d8f8ecc0ffe4d13c3856c9be6ed6e9d811d7da3d0b613f7b06a4ef56f4eb4d3c96ce

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks