- #IOC #OptiData #VR #Emotet #Epoch4 #Macro #regsvr32 #DLL
- https://pastebin.com/1JJn2r3A
- previous_contact:
- 22/06/22 https://pastebin.com/c5yna1SU
- 20/01/21 https://pastebin.com/NFRmXi7k
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
- attack_vector
- --------------
- email attach .zip > .doc > VBA macro > GET .zip (DLL) > regsvr32.exe %userprofile%\AppData\Local\*\*.dll
- # # # # # # # #
- email_headers
- # # # # # # # #
- Return-Path: <ejaya@saptabuanalogistic.com>
- Received: from srv32.niagahoster.com ([153.92.8.151])
- Received: from mailnull by srv32.niagahoster.com with spam-scanner (Exim 4.95)
- Received: from [92.55.176.61] (port=21191 helo=[127.0.0.1])
- Date: Tue, 07 Mar 2023 21:33:52 +0600
- Message-ID: <ecf1ea3e-5935-44ad-63b4-1c68364829c6@saptabuanalogistic.com>
- From: Мазур Наталя <ejaya@saptabuanalogistic.com>
- Subject: Re:
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 3cba539b2f619051b1a5a884a359d2cf73dd3f1d001576a9f24d92ff56749ffc
- File name 1009826244896753565.zip [Zip archive data, at least v?[0x314] to extract]
- File size 664 KB
- SHA-256 28d5d3f037898f43263f487ba43b1c80eab715749a743bd4ef280682a98ff74e
- File name form.doc [Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252]
- File size 544 MB (!)
- SHA-256 c59f87a625325515f37ed7d2381b4fcc33233d50eb19992b203c4b205869434c
- File name ?090341 [Zip archive data, at least v2.0 to extract]
- File size 868 KB
- SHA-256 534a5e2bdfdba8041ca3f218b35d35c6f70fef6db7e1b97e9f598a44706f2960
- File name HiJwdAwnc6WqcdSUTrTBj.dll [PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows]
- File size 519 MB (!)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR mtp.evotek.vn/wp-content/L/?090341
- C2 104.168.155.143:8080
- 91.207.28.33:8080
- 72.15.201.15:8080
- 183.111.227.137:8080
- other possible (from config)
- --------------
- 129.232.188.93:443
- 164.90.222.65:443
- 159.65.88.10:8080
- 172.105.226.75:8080
- 115.68.227.76:8080
- 187.63.160.88:80
- 169.57.156.166:8080
- 185.4.135.165:8080
- 153.126.146.25:7080
- 197.242.150.244:8080
- 139.59.126.41:443
- 186.194.240.217:443
- 103.132.242.26:8080
- 206.189.28.199:8080
- 163.44.196.120:8080
- 95.217.221.146:8080
- 159.89.202.34:443
- 119.59.103.152:8080
- 183.111.227.137:8080
- 201.94.166.162:443
- 103.75.201.2:443
- 149.56.131.28:8080
- 79.137.35.198:8080
- 5.135.159.50:443
- 66.228.32.31:7080
- 91.121.146.47:8080
- 153.92.5.27:8080
- 45.235.8.30:8080
- 72.15.201.15:8080
- 107.170.39.149:8080
- 45.176.232.124:443
- 82.223.21.224:8080
- 167.172.199.165:8080
- 213.239.212.5:443
- 202.129.205.3:8080
- 94.23.45.86:4143
- 147.139.166.154:8080
- 167.172.253.162:8080
- 91.207.28.33:8080
- 188.44.20.25:443
- 104.168.155.143:8080
- 110.232.117.186:8080
- 164.68.99.3:8080
- 1.234.2.232:8080
- 173.212.193.249:8080
- 182.162.143.56:443
- 160.16.142.56:8080
- 101.50.0.91:8080
- 103.43.75.120:443
- netwrk
- --------------
- 203.26.41.132 443 TCP 49610 → 443 [SYN]
- 101.99.3.20 mtp.evotek.vn 80 HTTP GET /wp-content/L/?090341 HTTP/1.1 Mozilla/4.0
- 91.121.146.47 8080 TCP 49613 → 8080 [SYN]
- 66.228.32.31 7080 TCP 49615 → 7080 [SYN]
- 182.162.143.56 443 TCP 49617 → 443 [SYN]
- 167.172.199.165 8080 TCP 49621 → 8080 [SYN]
- 164.90.222.65 443 TLSv1 Client Hello
- 104.168.155.143 8080 TCP 49625 → 8080 [SYN]
- 91.207.28.33 8080 TCP 49627 → 8080 [SYN]
- 72.15.201.15 8080 TCP 49628 → 8080 [SYN]
- 183.111.227.137 8080 TCP 49629 → 8080 [SYN]
- . . .
- comp
- --------------
- WINWORD.EXE 49610 203.26.41.132 443 ESTABLISHED
- WINWORD.EXE 49612 101.99.3.20 80 ESTABLISHED
- regsvr32.exe 49616 66.228.32.31 7080 SYN_SENT
- regsvr32.exe 49617 182.162.143.56 443 ESTABLISHED
- regsvr32.exe 49628 72.15.201.15 8080 ESTABLISHED
- regsvr32.exe 49629 183.111.227.137 8080 ESTABLISHED
- regsvr32.exe 49634 172.105.226.75 8080 ESTABLISHED
- regsvr32.exe 49650 153.92.5.27 8080 ESTABLISHED
- regsvr32.exe 49651 160.16.142.56 8080 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- "C:\Windows\System32\regsvr32.exe" /s "C:\Users\operator\Desktop\090339.tmp"
- C:\Windows\system32\regsvr32.exe /s "C:\Users\operator\Desktop\090339.tmp"
- C:\Windows\system32\regsvr32.exe "C:\Users\operator\AppData\Local\IrkHyrW\WChlUgpsVsdte.dll"
- persist
- --------------
- n/a
- drop
- --------------
- %userprofile%\Desktop\*.tmp
- %userprofile%\AppData\Local\*\*.dll
- # # # # # # # #
- additional info
- # # # # # # # #
- doc metadata
- --------------
- File Name : form.doc
- Directory : .
- File Size : 543 MiB
- File Modification Date/Time : 2023:03:07 18:32:50+02:00
- File Access Date/Time : 2023:03:07 20:31:23+02:00
- File Inode Change Date/Time : 2023:03:07 20:30:55+02:00
- File Permissions : -rw-------
- File Type : DOC
- File Type Extension : doc
- MIME Type : application/msword
- Identification : Word 8.0
- Language Code : English (US)
- Doc Flags : Has picture, 1Table, ExtChar
- System : Windows
- Word 97 : No
- Title :
- Subject :
- Author : Moulaye Sellens
- Keywords :
- Comments :
- Template : Normal
- Last Modified By : Microsoft account
- Software : Microsoft Office Word
- Create Date : 2023:03:01 17:01:00
- Modify Date : 2023:03:01 17:01:00
- Security : None
- Code Page : Windows Latin 1 (Western European)
- Manager : Joetta Niegbur
- Company :
- Bytes : 11000
- Char Count With Spaces : 44940
- App Version : 15.0000
- Scale Crop : No
- Links Up To Date : No
- Shared Doc : No
- Hyperlinks Changed : No
- Title Of Parts :
- Heading Pairs : Title, 1
- Comp Obj User Type Len : 32
- Comp Obj User Type : Microsoft Word 97-2003 Document
- Last Printed : 0000:00:00 00:00:00
- Revision Number : 1
- Total Edit Time : 0
- Words : 6720
- Characters : 38309
- Pages : 1
- Paragraphs : 89
- Lines : 319
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/3cba539b2f619051b1a5a884a359d2cf73dd3f1d001576a9f24d92ff56749ffc/details
- https://www.virustotal.com/gui/file/28d5d3f037898f43263f487ba43b1c80eab715749a743bd4ef280682a98ff74e/details
- Dropped files
- **************
- https://www.virustotal.com/gui/file/c59f87a625325515f37ed7d2381b4fcc33233d50eb19992b203c4b205869434c/details
- https://www.virustotal.com/gui/file/534a5e2bdfdba8041ca3f218b35d35c6f70fef6db7e1b97e9f598a44706f2960/details
- VR