Overview

overview

10

Static

static

8

SecuriteIn...11.doc

windows7_x64

10

SecuriteIn...11.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111

  • Size

    175KB

  • Sample

    200801-x86th5ble2

  • MD5

    84b4a3bdfd680dc3fde940f31a74dc97

  • SHA1

    e0ca5c78044b5feee5e67dc4e74a7420d5705f05

  • SHA256

    501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f

  • SHA512

    fbeac6eb5aefb96957026ffd95368ce9c6d7822dec96eb391983807d69a045d90c24bec19a3347f50626a669d4729033bafe0036b92e64152b71edeb251a67e8

Score
10/10
emotetepoch1bankermacrotrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://jkncrew.com/cgi-bin/KhSO16ZAAf/
exe.dropper

http://jmlandscapingservice.com/content/fhGAfKs/
exe.dropper

http://jimlowry.com/dlqCTc01p/
exe.dropper

http://www.lesliemontenegro.com/wp-includes/I1hHqDE6/
exe.dropper

http://johnkeanestudios.com/r00t/vAWElRm/

Extracted

Family

emotet

Botnet

Epoch1

C2

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111

    • Size

      175KB

    • MD5

      84b4a3bdfd680dc3fde940f31a74dc97

    • SHA1

      e0ca5c78044b5feee5e67dc4e74a7420d5705f05

    • SHA256

      501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f

    • SHA512

      fbeac6eb5aefb96957026ffd95368ce9c6d7822dec96eb391983807d69a045d90c24bec19a3347f50626a669d4729033bafe0036b92e64152b71edeb251a67e8

    Score
    10/10
    trojanbankeremotet

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks