- #Emotet Malware document links/ IOCs 03/01/18 18:15 EST
- General notes: There has been a change in the behavior of Emotet, as reported earlier by the community (@dvk01uk, @pollo290987, etc.). Emotet is now attaching a PDF document to each malspam message that is basically a plain-text copy of the email itself. This is odd and I am honestly not sure what the point of it is. Other than this, it is the same old Emotet as far as I can tell. There are some slight changes in the body of the email, posted below in the examples.
- Downloader links new for 03/01/18 (integrated community links):
- from sandbox = found via SHA match or common payload
- http://ailith-display.com/New-order/
- http://www.akzonobelspinaker.pl/Open-invoices/
- http://apteka.putemed.ru/ACH-form/
- http://bearit.ca/Paid-Invoices/
- http://begardi.com/Past-Due-Invoice/
- http://blog.followminehosting.com/Invoice-receipt/
- http://brightcore.biz/Scan/
- http://calhellas.net/ACH/GMO596200RQP/Mar-01-2018-3837560/IBT-YVBG-Mar-01-2018/ - from @Mesiagh
- http://cent-rdc.com/LLC/WAG9881560YFVWDR/Mar-01-2018-50051320/TTK-JLJ-Mar-01-2018/ - from @pollo290987 and @Mesiagh
- http://condosiesta.com/New-order/
- http://dhammaransi.com/ACH/XL7210504737YGJOS/Mar-01-2018-7121979345/XVYZ-PNL/
- http://fashion-tver.ru/Paid-Invoices/ - From @Mesiagh
- http://floristgo.ru/PAYMENT/ANW805869622SXBXGK/95586182/WOZL-HGUR/ - From @Mesiagh
- http://igold.capital/Inv-823132-PO-9W331881/ - From @Mesiagh
- http://www.lcjp.org/Service-Report-4137/
- http://loxtonfamily.info/Past-Due-Invoices/
- http://mastercoffeee.ru/Invoice-7545322-March/ - From @Mesiagh
- http://meridian-web.ru/Invoice-receipt/ - From @Mesiagh
- http://metaico.net/Important-Please-Read/ - From @Mesiagh
- http://mixincorps.com/Summit-Companies-Invoice-4307815/
- http://pruebas.rentserviceinformatica.com/New-order/ - from @dvk01uk
- http://rf-electric.com/Sales-Invoice/
- http://teamsites.ru/Service-Report-1722/ - From @Mesiagh
- http://top-prodazha.ru/INFO/FR073308721ZK/954074/TX-OQYSV/ - From @Mesiagh
- https://udare-shop.com/Past-Due-Invoices/
- http://xn----7sbbha3arb1f6dp.xn--p1ai/Invoice-2911560/
- New payloads seen today 03/01/18 (also seen by @JAMESWT_MHT, @pollo290987, @NelsonSecurity):
- http://www.abexport.com/1ZQqbk/ - 62.149.140.190
- http://try-o.ru/dDC9Eo/dDC9Eo/ - 31.184.194.115
- http://nbzip.ru/CDvxeez/ - 88.212.247.52 (seen before with downloader)
- http://www.irasetaranto.it/tymS4SC/ - 89.46.106.56
- http://test.itsdco.com/gPzhcDB/ - 46.34.160.34
- New Payloads from Community:
- https://pastebin.com/X0nJttmK - from @NelsonSecurity
- kelvinboerkamp.nl/SuE3cCp/ - 141.138.169.218 - from @JAMESWT_MHT, @NelsonSecurity, @Fumik0_
- stagingnadra.online/gpr6rbq - 209.182.196.25 - from @JAMESWT_MHT, @NelsonSecurity, @Fumik0_
- reinider.ru/OtLkRU/ - 194.67.196.104 - from @JAMESWT_MHT, @NelsonSecurity, @Fumik0_
- arkonziv.com/Site7_Pixelhobbies/iV1PKqL/ - 182.50.135.128 - from @JAMESWT_MHT, @NelsonSecurity, @Fumik0_
- jlatreasures.com/DETbz/ - 184.106.55.108 - from @JAMESWT_MHT, @NelsonSecurity, @Fumik0_
- C2:
- 106.187.91.235
- 45.56.65.180
- 91.217.66.130
- 119.59.124.163 - From @Mesiagh
- Sandbox:
- https://app.any.run/tasks/8c57345a-6901-46fb-9162-6555dac15047 - with fakenet
- https://www.hybrid-analysis.com/sample/f295640889927e8709a3a2b8ee9df4442197eda568c7270a66607e4583c6d4ee?environmentId=100
- https://app.any.run/tasks/f2700ccc-7b6c-4915-af24-7ab6e9b61a12 - with fakenet - from @JAMESWT_MHT
- Additional Info from Community:
- https://pastebin.com/h0tdAxNV - Hash and network from @Artillerie
- https://pastebin.com/UU9L2w78 - more downloader urls and payloads From @Mesiagh
- https://twitter.com/CapeSandbox/status/969268365318610944
- https://twitter.com/malware_traffic/status/969275762653192193
- https://twitter.com/fumik0_/status/969298743496445952
- https://pastebin.com/VrtFAGjP - from @_ddoxer
- Samples of PDF body:
- Morning {RCPT.NAME}
- Thanks Your invoice is attached. Please remit payment at your earliest
- convenience. Thank you for your business - we appreciate it very much.
- > http://www.akzonobelspinaker.pl/Open-invoices/
- {FRIEND.EMAIL}
- {FRIEND.NAME}
- It was attached to an email with the body:
- Morning (Victim)
- Thanks
- Your invoice is attached. Please remit payment at your earliest convenience.
- Thank you for your business - we appreciate it very much.
- > http://www.akzonobelspinaker.pl/Open-invoices/
- (Spoofed)
- Scan of above PDF:
- https://www.virustotal.com/#/file/9616629c1109beabb4491a525e7f1ea4441bbbea7867eb8f941073a6012402de/detection
- Another copy of a sample PDF from @DynamicAnalysis:
- https://twitter.com/DynamicAnalysis/status/969351220841402368
- Examples of body changes:
- note: seeing more HTML ones now.
- Example #1
- Hi (Victim),
- Inserted are the three invoices that need to be corrected. The correct rates are as follows:
- Regular Pay Rate: $25.21
- Regular Bill Rate: $67.53
- OT Pay Rate: $23.18
- OT Bill Rate: $36.61
- Please do not hesitate to contact me if you have any questions. Thanks!
- >>> http://www.akzonobelspinaker.pl/Open-invoices/
- (Spoofed)
- Confidential Information: The information contained in this e-mail and any attachment to it may contain Confidential information for the exclusive use of its addressee. If you are not the addressee of this e-mail, please notify the sender by replying to this message and proceed to destroy it immediately, including the attachments and any copy of it. This e-mail does not constitute a binding offer for the company, even if price(s), quantity(ies) or other similar items are included in the electronic message or its attachments. Privacy Notice: Your personal data may be processed for different purposes in connection with the relationship we maintain with you. If you require more information you can access the Privacy Notice through the website www.grupoabx.com.mx
- Example #2
- <html>
- <body>
- (Victim)
- <br>
- <br>
- I sent an email on 03/01/2018 and never got a response. We are now showing six past due invoices. Inserted is a current aging.
- I would appreciate it if you could check on it and let me know when we can expect payment. Thanks!
- <br>
- <br>
- >> <a href="http://mastercoffeee.ru/Invoice-7545322-March/">Open Past Due Orders.doc</a> (Attachment File Type: DOC)
- <br>
- <br>
- <br>
- <br>
- Many Thanks<br>
- <br>
- (Spoofed)
- </body>
- </html>
- Bonus content, additional URL patterns: *WIP*
- (These may or may not work for you; use at your own risk. In my system (Vircom Modusgate) they just put things into quarantine and do not lose mail based on these filters.)
- ? = one character or space
- * = many characters or spaces
- Merged the old and new lists together, with minor tweaks:
- Exact-string "contains" type (in a Sieve script this is done via "if body :text :contains"):
- ".com/UPS.com/",
- "/ACH-form/",
- "/Christmas-card/",
- "/Christmas-eCard/",
- "/Christmas-Gift-Card/",
- "/Corporation/New-invoice-",
- "/DOC/Invoice/",
- "/DOC/New-invoice-",
- "/document.jar",
- "/Document-needed/",
- "/Dokumente/",
- "/Dokumente-vom-Notar/",
- "/Download/Invoice-number-",
- "/eCard/",
- "/eGift-Card/",
- "/Final-Account/",
- "/Gift-Card-for-you",
- "/Happy-Holidays-Card/",
- "/Holidays-Card/",
- "/Holidays-eCard/",
- "/Holidays-gift-card/",
- "/Important-Please-Read/",
- "/INCORRECT-INVOICE/",
- "/INFO/Invoice-number-",
- "/Informationen/",
- "/Invoice-",
- "/Invoice-Corrections-for-",
- "/Invoice-for-t/",
- "/Invoice-for-you/",
- "/Invoice-Number-",
- "/Invoice-receipt/",
- "/Invoices-attached/",
- "/Invoices-Overdue/",
- "/Invoice-t/h-February/",
- "/LLC/New-invoice-/",
- "/Open-invoices/",
- "/Need-to-send-the-attachment/",
- "/New-order/",
- "/Open-Past-Due-Orders/",
- "/Order-Confirmation/",
- "/outstanding-invoice-",
- "/Outstanding-Invoices/",
- "/Overdue-payment/",
- "/Paid-Invoice/",
- "/Paid-Invoices/",
- "/Paid-Invoice-Credit-Card-Receipt/",
- "/Past-Due-Invoice",
- "-Past-Due-Invoices/",
- "/PayPal.com/LLC/",
- "/PAYPAL/DOC/",
- "/PAYPAL/INFO/",
- "/PayPal/LLC/",
- "/PayPal-US/DOC/",
- "/Purchases-2017/",
- "/Purchases-2018/",
- "/Question/",
- "/Rechnung/",
- "/Rechnung-Nr-",
- "/Rechnungs-Details/",
- "/scan/Invoice/",
- "/Sales-Invoice/",
- "/Service-Invoice/",
- "/Service-Report-",
- "/Summit-Companies-Invoice-",
- "/Tracking-Number-",
- "/UPS/Feb-",
- "/UPS-Express-Domestic/",
- "/UPS-Quantum-View/",
- "/UPS-Ship-Notification/",
- "/UPS-View/",
- "/wp-content/Invoice-Number-",
- "/Your-Card/",
- "/Your-Christmas-Card/",
- "/Your-Christmas-Gift-Card/",
- "/Your-eCard/",
- "/Your-Gift-Card/",
- "/Your-Holidays-Card/",
- "/Your-Holidays-eCard/",
- "/Your-holidays-Gift-Card/"
- Wildcard "matches" type (in a Sieve script this is done via "if body :text :matches"):
- "*http:/*.ru/ACH/*"
- "*http:/*/ACH/*-???-??-2018/ *"
- "*http:/*/ACH/*/???-??-2018-*"
- "*http:/*.info/CARD/*"
- "*http:/*/CARD/*-???-??-2018/ *"
- "*http:/*/CARD/*/???-??-2018-*"
- "*http:/*/Corporation/*-???-??-2018/ *"
- "*http:/*/Corporation/*/???-??-2018-*"
- "*http:/*.au/DOC/*"
- "*http:/*/DOC/*-???-??-2018/ *"
- "*http:/*/DOC/*/???-??-2018-*"
- "*http:/*/Download/*-???-??-2018/ *"
- "*http:/*/Download/*/???-??-2018-*"
- "*http:/*.sg/FILE/*"
- "*http:/*/FILE/*-???-??-2018/ *"
- "*http:/*/FILE/*/???-??-2018-*"
- "*http:/*.com/INFO/*"
- "*http:/*/INFO/*-???-??-2018/ *"
- "*http:/*/INFO/*/???-??-2018-*"
- "*http:/*.ru/LLC/*"
- "*http:/*/LLC/*-???-??-2018/ *"
- "*http:/*/LLC/*/???-??-2018-*"
- "*http:/*/PAY/*-???-??-2018/ *"
- "*http:/*/PAY/*/???-??-2018-*"
- "*http:/*/PAYMENT/*-???-??-2018/ *"
- "*http:/*/PAYMENT/*/???-??-2018-*"
- "*http:/*/Scan/ *"
- "*http:/*.com/Invoice/ *"
- "*http:/*.org/Invoice/ *"
- "*http:/*.pl/Invoice/ *"
- "*http:/*.ru/Invoice/ *"
- "*http:/*.su/Invoice/ *"
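- The two filter lists above are the kind of thing worth dry-running against real and benign message bodies before they go into a mail gateway, because a broad substring such as "/Invoice-" will also hit legitimate links. The script below is an added example and is not part of the original paste or of any Vircom/Modusgate configuration: it reproduces the two Sieve body tests the paste names ("body :text :contains" for the exact-string list and "body :text :matches" for the wildcard list) in Python, using a subset of the paste's patterns. It assumes Python's fnmatch module as a stand-in for Sieve's :matches wildcard semantics ("?" = one character, "*" = any run, whole-string match) and case-insensitive comparison to mirror Sieve's default i;ascii-casemap comparator. The sample message bodies are constructed for this example; the two links in them are taken from the paste's own downloader list, and "intranet.example" is a placeholder host.

```python
"""Added example (not part of the original paste): dry-run the paste's two
Sieve body tests against sample message bodies.

  - contains_hits(): equivalent of  if body :text :contains "<substring>"
  - matches_hits():  equivalent of  if body :text :matches  "<wildcard>"

Assumption: Python's fnmatch wildcard rules stand in for Sieve's :matches
("?" = one character, "*" = any run, the pattern must cover the whole body),
and both tests are case-insensitive like Sieve's default comparator.
"""
from fnmatch import fnmatchcase

# Subset of the paste's exact-substring ("contains") list.
CONTAINS_PATTERNS = [
    "/ACH-form/",
    "/Invoice-",
    "/Invoice-receipt/",
    "/Open-invoices/",
    "/Past-Due-Invoice",
    "/Service-Report-",
]

# Subset of the paste's wildcard ("matches") list. Note the trailing "/ *":
# the space after the URL is part of the pattern.
MATCHES_PATTERNS = [
    "*http:/*.ru/ACH/*",
    "*http:/*/ACH/*/???-??-2018-*",
    "*http:/*/LLC/*-???-??-2018/ *",
    "*http:/*.ru/Invoice/ *",
]


def contains_hits(body, patterns=CONTAINS_PATTERNS):
    """Sieve ':contains' equivalent: case-insensitive substring test.
    Returns the list of patterns (in list order) found in the body."""
    lowered = body.lower()
    return [p for p in patterns if p.lower() in lowered]


def matches_hits(body, patterns=MATCHES_PATTERNS):
    """Sieve ':matches' equivalent: shell-style wildcard over the whole body.
    fnmatchcase is used (after lowercasing both sides) so the result does not
    depend on the host OS's own case normalisation."""
    lowered = body.lower()
    return [p for p in patterns if fnmatchcase(lowered, p.lower())]


def classify(body):
    """'quarantine' if either list hits, otherwise 'deliver' (the paste's
    filters quarantine rather than drop, so nothing is lost on a false hit)."""
    if contains_hits(body) or matches_hits(body):
        return "quarantine"
    return "deliver"


# Constructed sample bodies (not captured mail). The two links are from the
# paste's downloader list; the benign ones are invented for this example.
SAMPLE_MALSPAM_PLAIN = (
    "Morning (Victim)\n"
    "Your invoice is attached. Please remit payment at your earliest convenience.\n"
    "> http://www.akzonobelspinaker.pl/Open-invoices/\n"
)
SAMPLE_MALSPAM_DATED = (
    "Please see the attached form.\n"
    "http://calhellas.net/ACH/GMO596200RQP/Mar-01-2018-3837560/IBT-YVBG-Mar-01-2018/ \n"
)
# Benign message that still carries the broad "/Invoice-" substring:
# shows the false-positive cost of the shortest patterns in the list.
SAMPLE_BENIGN_BUT_BROAD = (
    "Hi team, the Q1 numbers are in the shared folder:\n"
    "https://intranet.example/Finance/Invoice-summary-Q1.xlsx\n"
)
SAMPLE_BENIGN = "Lunch is at noon on Friday, see you there.\n"

if __name__ == "__main__":
    samples = [
        ("malspam-plain", SAMPLE_MALSPAM_PLAIN),
        ("malspam-dated", SAMPLE_MALSPAM_DATED),
        ("benign-broad", SAMPLE_BENIGN_BUT_BROAD),
        ("benign", SAMPLE_BENIGN),
    ]
    for name, body in samples:
        print(f"{name:14} {classify(body):10} contains={contains_hits(body)} "
              f"matches={matches_hits(body)}")
```

- Two details carry over directly to a Sieve deployment: ":matches" compares the pattern against the entire body, which is why every wildcard entry in the paste starts and ends with "*"; and the dated-path pattern only fires because "???-??-2018-" lines up with a "Mar-01-2018-" segment, so it will stop matching once the year in the links changes. The benign-but-broad sample is the case to watch when tuning: "/Invoice-" alone quarantines an ordinary intranet link, which is acceptable only because the author's setup quarantines rather than drops.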