General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.12178.18639.4466

  • Size

    174KB

  • Sample

    200801-kdrffjc3d6

  • MD5

    d9115c6d9e1318028e66ea6d87a71ae1

  • SHA1

    0d3822ca70938c790bd191c1b4a18dda93199a28

  • SHA256

    daa02c094f479a12e59e5f5bdc4a4dfe14f22d92f78453d27382132b41bab40b

  • SHA512

    12e4e493b4e748890018d34bbe42fd933b9ea06b7a1ae07ab96cc59e8754c658e6003fdba47404a8c8892947b5c851d1e650f496e04cc4f12fda3a5e4e57f9ec

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://www.librero.xyz/Scripts/3y_m0cbe_lpgoj7z/

exe.dropper

https://scoenuganda.org/wp-admin/k_fhsvc_wni2zxzrc/

exe.dropper

https://www.dunnriteplumbing.ca/wp-admin/12x_jaaq_o3/

exe.dropper

http://www.najcosmetics.com/img/hvglv_hay_35sacodg/

exe.dropper

http://www.oxahaus.com/wp-admin/d8teb_n0v0h_dm0uyok/

Extracted

Family

emotet

Botnet

Epoch2

C2

142.105.151.124:443

62.108.54.22:8080

212.51.142.238:8080

71.208.216.10:80

108.48.41.69:80

83.110.223.58:443

210.165.156.91:80

104.131.44.150:8080

104.236.246.93:8080

5.39.91.110:7080

209.141.54.221:8080

209.182.216.177:443

153.126.210.205:7080

91.211.88.52:7080

180.92.239.110:8080

183.101.175.193:80

162.241.92.219:8080

87.106.139.101:8080

114.146.222.200:80

65.111.120.223:80

rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.12178.18639.4466

    • Size

      174KB

    • MD5

      d9115c6d9e1318028e66ea6d87a71ae1

    • SHA1

      0d3822ca70938c790bd191c1b4a18dda93199a28

    • SHA256

      daa02c094f479a12e59e5f5bdc4a4dfe14f22d92f78453d27382132b41bab40b

    • SHA512

      12e4e493b4e748890018d34bbe42fd933b9ea06b7a1ae07ab96cc59e8754c658e6003fdba47404a8c8892947b5c851d1e650f496e04cc4f12fda3a5e4e57f9ec

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks