General
-
Target
SecuriteInfo.com.Exploit.Siggen2.12119.17670.7154
-
Size
174KB
-
Sample
200801-z83nrfvttn
-
MD5
1e522cb3efd6b827ac682b262c9e26a3
-
SHA1
d444e2e6ecf2f973e82c016dbbc6601d1b6c547c
-
SHA256
ea1d07ae55467195b610358c91f9d4cb4f280d055e9a86158339ca3bdba8ca15
-
SHA512
2e83b3f5120e4e719f37f24142863ec89c85578aaecf3684d1f7d4cf3bb238ab0fb405536b51d968320287ae8455b849811351b93c532e137e1b1da47437fadc
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.Siggen2.12119.17670.7154.doc
Resource
win7v200722
Malware Config
Extracted
http://www.librero.xyz/Scripts/3y_m0cbe_lpgoj7z/
https://scoenuganda.org/wp-admin/k_fhsvc_wni2zxzrc/
https://www.dunnriteplumbing.ca/wp-admin/12x_jaaq_o3/
http://www.najcosmetics.com/img/hvglv_hay_35sacodg/
http://www.oxahaus.com/wp-admin/d8teb_n0v0h_dm0uyok/
Extracted
emotet
Epoch2
142.105.151.124:443
62.108.54.22:8080
212.51.142.238:8080
71.208.216.10:80
108.48.41.69:80
83.110.223.58:443
210.165.156.91:80
104.131.44.150:8080
104.236.246.93:8080
5.39.91.110:7080
209.141.54.221:8080
209.182.216.177:443
153.126.210.205:7080
91.211.88.52:7080
180.92.239.110:8080
183.101.175.193:80
162.241.92.219:8080
87.106.139.101:8080
114.146.222.200:80
65.111.120.223:80
113.160.130.116:8443
190.160.53.126:80
62.75.141.82:80
46.105.131.87:80
203.153.216.189:7080
46.105.131.79:8080
91.231.166.124:8080
81.2.235.111:8080
189.212.199.126:443
95.9.185.228:443
169.239.182.217:8080
47.153.182.47:80
116.203.32.252:8080
139.130.242.43:80
75.139.38.211:80
41.60.200.34:80
47.144.21.12:443
103.86.49.11:8080
95.179.229.244:8080
173.91.22.41:80
70.167.215.250:8080
110.145.77.103:80
85.59.136.180:8080
5.196.74.210:8080
24.234.133.205:80
76.27.179.47:80
104.131.11.150:443
87.106.136.232:8080
61.19.246.238:443
201.173.217.124:443
176.111.60.55:8080
200.55.243.138:8080
74.208.45.104:8080
139.59.60.244:8080
67.241.24.163:8080
24.43.99.75:80
93.51.50.171:8080
109.74.5.95:8080
137.59.187.107:8080
37.139.21.175:8080
157.245.99.39:8080
124.45.106.173:443
47.146.117.214:80
95.213.236.64:8080
62.138.26.28:8080
190.55.181.54:443
24.179.13.119:80
152.168.248.128:443
222.214.218.37:4143
168.235.67.138:7080
181.230.116.163:80
121.124.124.40:7080
79.98.24.39:8080
37.187.72.193:8080
162.154.38.103:80
78.24.219.147:8080
200.41.121.90:80
185.94.252.104:443
50.116.86.205:8080
Targets
-
-
Target
SecuriteInfo.com.Exploit.Siggen2.12119.17670.7154
-
Size
174KB
-
MD5
1e522cb3efd6b827ac682b262c9e26a3
-
SHA1
d444e2e6ecf2f973e82c016dbbc6601d1b6c547c
-
SHA256
ea1d07ae55467195b610358c91f9d4cb4f280d055e9a86158339ca3bdba8ca15
-
SHA512
2e83b3f5120e4e719f37f24142863ec89c85578aaecf3684d1f7d4cf3bb238ab0fb405536b51d968320287ae8455b849811351b93c532e137e1b1da47437fadc
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Emotet Payload
Detects Emotet payload in memory.
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Drops file in System32 directory
-