VRad

#emotet_070323

Mar 8th, 2023 (edited)
#IOC #OptiData #VR #Emotet #Epoch4 #Macro #regsvr32 #DLL

https://pastebin.com/1JJn2r3A

previous_contact:
22/06/22 https://pastebin.com/c5yna1SU
20/01/21 https://pastebin.com/NFRmXi7k

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

attack_vector
--------------
email attach .zip > .doc > VBA macro > GET .zip (DLL) > regsvr32.exe %userprofile%\AppData\Local\*\*.dll


# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <ejaya@saptabuanalogistic.com>
Received: from srv32.niagahoster.com ([153.92.8.151])
Received: from mailnull by srv32.niagahoster.com with spam-scanner (Exim 4.95)
Received: from [92.55.176.61] (port=21191 helo=[127.0.0.1])
Date: Tue, 07 Mar 2023 21:33:52 +0600
Message-ID: <ecf1ea3e-5935-44ad-63b4-1c68364829c6@saptabuanalogistic.com>
From: Мазур Наталя <ejaya@saptabuanalogistic.com>
Subject: Re:


# # # # # # # #
files
# # # # # # # #

SHA-256 3cba539b2f619051b1a5a884a359d2cf73dd3f1d001576a9f24d92ff56749ffc
File name 1009826244896753565.zip [Zip archive data, at least v?[0x314] to extract]
File size 664 Kb

SHA-256 28d5d3f037898f43263f487ba43b1c80eab715749a743bd4ef280682a98ff74e
File name form.doc [Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252]
File size 544 Mb (!)

SHA-256 c59f87a625325515f37ed7d2381b4fcc33233d50eb19992b203c4b205869434c
File name ?090341 [Zip archive data, at least v2.0 to extract]
File size 868 Kb

SHA-256 534a5e2bdfdba8041ca3f218b35d35c6f70fef6db7e1b97e9f598a44706f2960
File name HiJwdAwnc6WqcdSUTrTBj.dll [PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows]
File size 519 Mb (!)

# # # # # # # #
activity
# # # # # # # #

PL_SCR mtp.evotek.vn/wp-content/L/?090341


C2 104.168.155.143:8080
91.207.28.33:8080
72.15.201.15:8080
183.111.227.137:8080


other possible (from config)
--------------


netwrk
--------------
203.26.41.132 443 TCP 49610 → 443 [SYN]
101.99.3.20 mtp.evotek.vn 80 HTTP GET /wp-content/L/?090341 HTTP/1.1 Mozilla/4.0
91.121.146.47 8080 TCP 49613 → 8080 [SYN]
66.228.32.31 7080 TCP 49615 → 7080 [SYN]
182.162.143.56 443 TCP 49617 → 443 [SYN]
167.172.199.165 8080 TCP 49621 → 8080 [SYN]
164.90.222.65 443 TLSv1 Client Hello
104.168.155.143 8080 TCP 49625 → 8080 [SYN]
91.207.28.33 8080 TCP 49627 → 8080 [SYN]
72.15.201.15 8080 TCP 49628 → 8080 [SYN]
183.111.227.137 8080 TCP 49629 → 8080 [SYN]
. . .


comp
--------------
WINWORD.EXE 49610 203.26.41.132 443 ESTABLISHED
WINWORD.EXE 49612 101.99.3.20 80 ESTABLISHED
regsvr32.exe 49616 66.228.32.31 7080 SYN_SENT
regsvr32.exe 49617 182.162.143.56 443 ESTABLISHED
regsvr32.exe 49628 72.15.201.15 8080 ESTABLISHED
regsvr32.exe 49629 183.111.227.137 8080 ESTABLISHED
regsvr32.exe 49634 172.105.226.75 8080 ESTABLISHED
regsvr32.exe 49650 153.92.5.27 8080 ESTABLISHED
regsvr32.exe 49651 160.16.142.56 8080 ESTABLISHED


proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\operator\Desktop\090339.tmp"
C:\Windows\system32\regsvr32.exe /s "C:\Users\operator\Desktop\090339.tmp"
C:\Windows\system32\regsvr32.exe "C:\Users\operator\AppData\Local\IrkHyrW\WChlUgpsVsdte.dll"


persist
--------------
n/a


drop
--------------
%userprofile%\Desktop\*.tmp
%userprofile%\AppData\Local\*\*.dll
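An added detection example (not part of the original paste): a small Python checker that turns the chain above (WINWORD.EXE -> regsvr32.exe /s on a Desktop .tmp -> regsvr32.exe loading a DLL from a random AppData\Local subfolder -> regsvr32.exe beaconing out) into rules and runs them over constructed process and connection events. The pipe-separated event format, the extra Office parent names and the sample events are assumptions built from the proc/comp sections; it generalises the report's single case to any user name and any Office host.

```python
import re
# Constructed event lines: "PROC|<parent>|<command line>" or "NET|<image>|<ip>|<port>".
# Rules encode the chain in this report (WINWORD.EXE -> regsvr32 /s <Desktop>\*.tmp
# -> regsvr32 <AppData\Local>\<x>\*.dll -> regsvr32 to C2), generalised to other Office parents.
DESKTOP_TMP = re.compile(r"\\users\\[^\\]+\\desktop\\[^\\]+\.tmp$", re.I)
APPDATA_DLL = re.compile(r"\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+\.dll$", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumption: other Office hosts behave alike

def tokens(cmdline):
    """Split a Windows command line, honouring double-quoted paths."""
    return [q or p for q, p in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def check_process(parent, cmdline):
    """Flag regsvr32.exe run on a Desktop .tmp or on AppData\\Local\\<x>\\*.dll."""
    toks = tokens(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() != "regsvr32.exe":
        return None
    args = [t for t in toks[1:] if not t.startswith("/")]  # drop switches such as /s
    target = args[-1] if args else ""
    if DESKTOP_TMP.search(target):
        return f"regsvr32 (parent {parent}) on Desktop .tmp: {target}"
    if APPDATA_DLL.search(target):
        return f"regsvr32 loading DLL from AppData\\Local subfolder: {target}"
    return None

def check_netconn(image, remote, port):
    """regsvr32 never needs the network; an Office host fetching over plain HTTP is the stager."""
    if image.lower() == "regsvr32.exe":
        return f"regsvr32 outbound to {remote}:{port}"
    if image.lower() in OFFICE and int(port) == 80:
        return f"Office process plain-HTTP fetch to {remote}:{port}"
    return None
CHECKS = {"PROC": check_process, "NET": check_netconn}

def scan(lines):
    findings = []  # one finding string per matching event, in input order
    for line in lines:
        kind, *fields = line.rstrip("\n").split("|")
        hit = CHECKS[kind](*fields) if kind in CHECKS else None
        if hit:
            findings.append(hit)
    return findings

SAMPLE = [  # constructed events mirroring the proc/comp sections above, plus benign noise
    'PROC|WINWORD.EXE|"C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Users\\operator\\Desktop\\090339.tmp"',
    'PROC|regsvr32.exe|C:\\Windows\\system32\\regsvr32.exe "C:\\Users\\operator\\AppData\\Local\\IrkHyrW\\WChlUgpsVsdte.dll"',
    'PROC|explorer.exe|C:\\Windows\\system32\\regsvr32.exe /s "C:\\Program Files\\Vendor\\legit.dll"',
    "NET|WINWORD.EXE|101.99.3.20|80", "NET|WINWORD.EXE|203.26.41.132|443",
    "NET|regsvr32.exe|72.15.201.15|8080", "NET|chrome.exe|72.15.201.15|8080",
]
```

Running scan(SAMPLE) yields four findings: the Desktop .tmp launch, the AppData\Local DLL load, the plain-HTTP fetch by WINWORD.EXE, and the regsvr32.exe beacon; the vendor DLL, the 443 connection and the browser traffic pass.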


# # # # # # # #
additional info
# # # # # # # #

doc metadata
--------------
File Name : form.doc
Directory : .
File Size : 543 MiB
File Modification Date/Time : 2023:03:07 18:32:50+02:00
File Access Date/Time : 2023:03:07 20:31:23+02:00
File Inode Change Date/Time : 2023:03:07 20:30:55+02:00
File Permissions : -rw-------
File Type : DOC
File Type Extension : doc
MIME Type : application/msword
Identification : Word 8.0
Language Code : English (US)
Doc Flags : Has picture, 1Table, ExtChar
System : Windows
Word 97 : No
Title :
Subject :
Author : Moulaye Sellens
Keywords :
Comments :
Template : Normal
Last Modified By : Microsoft account
Software : Microsoft Office Word
Create Date : 2023:03:01 17:01:00
Modify Date : 2023:03:01 17:01:00
Security : None
Code Page : Windows Latin 1 (Western European)
Manager : Joetta Niegbur
Company :
Bytes : 11000
Char Count With Spaces : 44940
App Version : 15.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Comp Obj User Type Len : 32
Comp Obj User Type : Microsoft Word 97-2003 Document
Last Printed : 0000:00:00 00:00:00
Revision Number : 1
Total Edit Time : 0
Words : 6720
Characters : 38309
Pages : 1
Paragraphs : 89
Lines : 319


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/3cba539b2f619051b1a5a884a359d2cf73dd3f1d001576a9f24d92ff56749ffc/details
https://www.virustotal.com/gui/file/28d5d3f037898f43263f487ba43b1c80eab715749a743bd4ef280682a98ff74e/details

Dropped files
**************
https://www.virustotal.com/gui/file/c59f87a625325515f37ed7d2381b4fcc33233d50eb19992b203c4b205869434c/details
https://www.virustotal.com/gui/file/534a5e2bdfdba8041ca3f218b35d35c6f70fef6db7e1b97e9f598a44706f2960/details


VR