{
  "Event": {
    "analysis": "2",
    "date": "2022-02-13",
    "extends_uuid": "",
    "info": "[Threat Intel] Technical Malware Analysis: The return of Emotet",
    "protected": false,
    "publish_timestamp": "1772902005",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772902005",
    "uuid": "fea7d515-1deb-4f0e-bc34-4bb69c9e954d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Emotet\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740750313",
        "to_ids": false,
        "type": "link",
        "uuid": "3d23dc01-05d8-4a59-becf-6e8202051903",
        "value": "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": false,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981180",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fce20caa-05dd-4e39-a3b3-a569205451f6",
        "value": "91.240.118.168",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 8080",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740750170",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "f9880263-64d7-44b5-84be-3739e0da1db9",
        "value": "159.69.43.124|8080"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981201",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "33e72b64-bd6b-4e9f-9861-ec23c9b8b4eb",
        "value": "45.79.80.198",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981222",
        "to_ids": true,
        "type": "url",
        "uuid": "4d337e48-3751-4c97-86bf-f1340076cdf1",
        "value": "http://91.240.118.168/oo/aa/se.html",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981243",
        "to_ids": true,
        "type": "url",
        "uuid": "c0c19dad-e144-45b1-839c-542a1b338a7f",
        "value": "http://91.240.118.168/oo/aa/se.png",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981264",
        "to_ids": true,
        "type": "url",
        "uuid": "f72709da-900a-49c3-8f40-9765de43e3e7",
        "value": "http://farmmash.com/edh2fa/g2Q7Qbgs/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981285",
        "to_ids": true,
        "type": "url",
        "uuid": "2bf612e7-e411-46f4-aad3-5915235b62fb",
        "value": "http://karensgardentips.com/cgi-bin/hfpv/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981307",
        "to_ids": true,
        "type": "url",
        "uuid": "3cfa0ecb-1ed7-46cd-b5aa-d5040c44c926",
        "value": "http://centrobilinguelospinos.com/wp-admin/w8528qkQnMPLDUc/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981328",
        "to_ids": true,
        "type": "url",
        "uuid": "993da143-87eb-45f9-888a-4202283e9f50",
        "value": "http://unitedhorus.com/wp-content/m3oxVSV2uYW2rbh/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981349",
        "to_ids": true,
        "type": "url",
        "uuid": "b1d69e30-a071-476a-984a-432e6b8a89ca",
        "value": "http://vldispatch.com/licenses/JE6Ol2dfhrk/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981370",
        "to_ids": true,
        "type": "url",
        "uuid": "73628585-f5ad-49af-94a7-3f03fad53b21",
        "value": "http://il-piccolo-principe.com/wp-content/Ua9GvD7acXnDz/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981391",
        "to_ids": true,
        "type": "url",
        "uuid": "54e983a3-0859-4a3c-915c-507decde5e3e",
        "value": "http://hardstonecap.com/well-known/ps9kNMgc6/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981412",
        "to_ids": true,
        "type": "url",
        "uuid": "758a0fcd-87a7-4035-8480-2363642ce279",
        "value": "http://3-fasen.com/wp-content/3Bl0hBbW/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746981434",
        "to_ids": true,
        "type": "url",
        "uuid": "50ee62f1-c07f-4673-aee4-5a59b741016f",
        "value": "http://baldcover.com/wp-admin/oRwkRUWpbJ55/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 09/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746790101",
        "to_ids": true,
        "type": "md5",
        "uuid": "150a6c6f-0325-42cd-b478-160cf5a3cf86",
        "value": "25995b47257212e2e3ca5f7704c9e830",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "The attachment is encrypted with the given password \"1843\"",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746979167",
        "to_ids": false,
        "type": "text",
        "uuid": "f9ac1575-143c-4b4c-a826-9e3144f9c500",
        "value": "1843"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981455",
        "uuid": "21f2a448-3bdb-432c-8048-a7773c82720c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981455",
            "to_ids": true,
            "type": "md5",
            "uuid": "c2bf05e8-2c3d-42b8-a714-caebac42b492",
            "value": "63f0672552a000605e99190036e9676f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748131",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9b7cb0b9-7b23-495b-aeb9-c52368c21146",
            "value": "b921a2f314b99656ca851fdeed9463be8dc767c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748132",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f196a2fb-beea-4fed-a54b-2ac27965c28b",
            "value": "c6937ae1e2fcf8815d8eaae0708b5bb3d4466a9e2f5673b2d280379408a238ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748131",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "aa286f8d-bfbe-40cd-8561-5180d46ada19",
            "value": "24:F0YpUC38DTKfIDhnKlioa9mT+wxXUZFQZRvyonEZry8Wfl0M2ou0Jh:ZqBtS+r2ugycEZm8Wdbprh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748131",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cfc63501-ad78-4b57-86cc-547862a742e1",
            "value": "1181"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748131",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7a48b49e-c9d4-4a6b-ad5c-20c1be14e1b7",
            "value": "a5ede35b67b67e78b7bc22a72d9cde1a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748131",
            "to_ids": true,
            "type": "filename",
            "uuid": "cecf1387-12cb-4357-a3dc-874d806e822d",
            "value": "se.png"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 24/02/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748131",
            "to_ids": false,
            "type": "text",
            "uuid": "35d5fc66-294c-4a8e-a502-5b3ceaed70a6",
            "value": "Type Description: Powershell\nMicrosoft: n/a\nVT Total Detection: 7/55\nFirst Submission: 2022-01-27T22:00:09.000000+00:00\nLast Submission: 2022-01-27T22:00:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981476",
        "uuid": "a6a4ade7-8fe8-4953-896b-c0448ca5b8be",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981476",
            "to_ids": true,
            "type": "md5",
            "uuid": "002955a0-e033-47ba-8c12-1a74be5a8a65",
            "value": "74bb69b8ba9d2b649f4de5adb2cf06d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748153",
            "to_ids": true,
            "type": "sha1",
            "uuid": "93cd5607-15bc-4060-93eb-9e87e95aafe6",
            "value": "f56eddcac137aca207d50e6c482cdc1256549175",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748153",
            "to_ids": true,
            "type": "sha256",
            "uuid": "26983dce-d670-4299-bd42-4f9ac9d0893d",
            "value": "cb97dbd398a1ae9bb7004d01cf98c66014eb75e5dbe816fe63f3d9b08eb52631",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748152",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a8d665f4-0ac2-47a5-b1a4-12b3dede7096",
            "value": "12288:G5Yfb6SGkFIPbKq1r26lQ6DraMA0ZaC87:GK21kFIPT26tD2MD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748152",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "30e7ade6-0070-4005-8fba-63c41053c7fe",
            "value": "559104"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748152",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5a9d56ee-fc05-4146-a22b-b03f0ab0fe4b",
            "value": "155056655d157510901010021z897zf0d7z4007bez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748152",
            "to_ids": true,
            "type": "filename",
            "uuid": "be5970b3-b57e-42a2-be4e-8c319ce24ace",
            "value": "FinalChatSocketCli.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 17/02/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748152",
            "to_ids": false,
            "type": "text",
            "uuid": "fc24e1b0-abc1-453a-9eb6-a331d30199b7",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Emotet.MA!MTB\nVT Total Detection: 49/69\nFirst Submission: 2022-01-31T09:52:32.000000+00:00\nLast Submission: 2022-01-31T09:52:32.000000+00:00"
          }
        ]
      }
    ]
  }
}