Overview

overview

10

Static

static

8

SecuriteIn...52.doc

windows7_x64

10

SecuriteIn...52.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.12924.1168.4752

  • Size

    173KB

  • Sample

    200801-eclzez2tj2

  • MD5

    8926558472c411e95e18b57c17b6c8d9

  • SHA1

    b5461e95c29e6e38b242ecf5ff10c6883f41371b

  • SHA256

    b920bae96043cfc55017d7a67bb6c5caac098cfce2620c6348e63cf4f7842378

  • SHA512

    6b93474601d89a01b2974f4d3596c387725f011f37dabcd074d9cd2e1a072e8510ea961b9ad08b2c41f0565fa6e09eeb51a3a4af45e8151ccf202d9af80eafd4

Score
10/10
emotetepoch2bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.ifitmoves.net/option-tree/age9k_r7p_0l2/
exe.dropper

http://goldenstatetow.com/peradice.com/jk_le4_xip2a7s6/
exe.dropper

http://philosopherswheel.com/mizeo9/y_6pth_ymkgef/
exe.dropper

http://highlevelphoto.co.uk/Clients/7uf_yp_76rqsyz/
exe.dropper

http://klem.com.pl/tester/ntts3_j_3cgou2/

Extracted

Family

emotet

Botnet

Epoch2

C2

142.105.151.124:443

62.108.54.22:8080

212.51.142.238:8080

71.208.216.10:80

108.48.41.69:80

83.110.223.58:443

210.165.156.91:80

104.131.44.150:8080

104.236.246.93:8080

5.39.91.110:7080

209.141.54.221:8080

209.182.216.177:443

153.126.210.205:7080

91.211.88.52:7080

180.92.239.110:8080

183.101.175.193:80

162.241.92.219:8080

87.106.139.101:8080

114.146.222.200:80

65.111.120.223:80
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.12924.1168.4752

    • Size

      173KB

    • MD5

      8926558472c411e95e18b57c17b6c8d9

    • SHA1

      b5461e95c29e6e38b242ecf5ff10c6883f41371b

    • SHA256

      b920bae96043cfc55017d7a67bb6c5caac098cfce2620c6348e63cf4f7842378

    • SHA512

      6b93474601d89a01b2974f4d3596c387725f011f37dabcd074d9cd2e1a072e8510ea961b9ad08b2c41f0565fa6e09eeb51a3a4af45e8151ccf202d9af80eafd4

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks