General

  • Target

    SecuriteInfo.com.Exploit.Siggen2.13453.26357.1579

  • Size

    172KB

  • Sample

    200802-v44v9b2z52

  • MD5

    16e9fe73dc1912df3dfe97c844806925

  • SHA1

    cd0bb07f694c9a03cd08552322fe7e6e4c15f4ea

  • SHA256

    41fe7adf7807de60a91dea01796332752f93281e218123f39fa550d31aa15d13

  • SHA512

    355721a10b1a48a7de2e35e2b1eabc1d07a00aaf91561c9df205cd4da7e5f3baaf14c5c1977d419353a62442438f400654d121d8740c1fca1f320f9d61536f87

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://muliarental.com/wp-includes/uwr_u4_ed3qzbb/

exe.dropper

http://ltrybus.com/cgi-bin/mff_xao9d_5ld5qajfmx/

exe.dropper

http://my6thgen.org/_db_backups/t_e_v7qizcr2/

exe.dropper

http://mywebnerd.com/bluesforsale/zi6_v4g0_rmyg/

exe.dropper

http://www.naayers.org/Library/o_eo_97ml/

Extracted

Family

emotet

Botnet

Epoch2

C2

142.105.151.124:443

62.108.54.22:8080

212.51.142.238:8080

71.208.216.10:80

108.48.41.69:80

83.110.223.58:443

210.165.156.91:80

104.131.44.150:8080

104.236.246.93:8080

5.39.91.110:7080

209.141.54.221:8080

209.182.216.177:443

153.126.210.205:7080

91.211.88.52:7080

180.92.239.110:8080

183.101.175.193:80

162.241.92.219:8080

87.106.139.101:8080

114.146.222.200:80

65.111.120.223:80

rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Exploit.Siggen2.13453.26357.1579

    • Size

      172KB

    • MD5

      16e9fe73dc1912df3dfe97c844806925

    • SHA1

      cd0bb07f694c9a03cd08552322fe7e6e4c15f4ea

    • SHA256

      41fe7adf7807de60a91dea01796332752f93281e218123f39fa550d31aa15d13

    • SHA512

      355721a10b1a48a7de2e35e2b1eabc1d07a00aaf91561c9df205cd4da7e5f3baaf14c5c1977d419353a62442438f400654d121d8740c1fca1f320f9d61536f87

    Score
    10/10
    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Emotet Payload

      Detects Emotet payload in memory.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks