malware_traffic

2020-02-03 - malspam with attachment for Emotet epoch 2

Feb 3rd, 2020
2020-02-03 - MALSPAM WITH ATTACHMENT (WORD DOC) FOR EMOTET EPOCH 2

NOTES:

- This email spoofed a Gmail sending address I had in a mailbox on a lab host I infected sometime last year.
- The attached Word document generated URLs associated with the Emotet epoch 2 botnet, according to information submitted to URLhaus by @Cryptolaemus1.
- The attachment has been stripped from this paste, but the SHA256 hash and a link to the Any.Run sandbox analysis are available below.

-----

Return-Path: <legal_clerk@harikar.org>
X-Originating-Ip: [192.185.46.187]
Authentication-Results: [removed]; iprev=pass policy.iprev="192.185.46.187"; spf=pass smtp.mailfrom="legal_clerk@harikar.org" smtp.helo="gateway22.websitewelcome.com"; dkim=fail (signature verification failed) header.d=harikar.org; dmarc=none (p=nil; dis=none) header.from=harikar.org
Received: from [192.185.46.187] ([192.185.46.187:30066] helo=gateway22.websitewelcome.com)
by [removed] (envelope-from <legal_clerk@harikar.org>) [removed];
Mon, 03 Feb 2020 19:47:37 -0500
Received: from cm12.websitewelcome.com (cm12.websitewelcome.com [100.42.49.8])
by gateway22.websitewelcome.com (Postfix) with ESMTP id 11F137659
for [removed]; Mon, 3 Feb 2020 18:47:37 -0600 (CST)
Message-ID: <5B.FA.26438.92FB83E5@[removed]>
Received: from box5766.bluehost.com ([162.241.253.48])
by cmsmtp with SMTP
id ymNNiVeDsJqaQymNNiCCCS; Mon, 03 Feb 2020 18:47:37 -0600
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=harikar.org
; s=default; h=Content-Type:MIME-Version:Subject:To:From:Date:Sender:Reply-To
:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
bh=ukRvDGsiKZSTWtSbNb5SrfiAQqXgqsR02cYFJz+vMLU=; b=e/KA7zzINSoNPI1J55sUJhjmmB
Zf0vjjgHBqr9GV6e+pgmNGSBJoe15GANrWGrXRpdnv1WbUzUGMc3+URVfgJD1nyZHbzL2GLbrKOcZ
vNZcmD14cL2p/J0OW3bBq+dgMJJwesRUE+IPYHFvP6kCvu0cYoRKH1uevvpyhJIfrWEzyfLhySnlN
bLTBmqoGUFBtGwYmCpUav9uJi0MKqB4IQNUwrArnG52GBzeO2Jh+NlZXzyesufDD/3VnFq5FooZcA
ZxEaCM3Ww1KOhIWDfSZtnAxUBVAGI2Joy4w20kQWCNQxL8YKoOHVle69y6RKmuiqA0FdvxGNjsUmJ
967sLWDw==;
Received: from [218.111.17.88] (port=49617)
by box5766.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.92)
(envelope-from <legal_clerk@harikar.org>)
id 1iymNK-002TH5-WE
for [removed]; Mon, 03 Feb 2020 17:47:36 -0700
Date: Tue, 04 Feb 2020 08:46:18 +0800
From: "[removed]@gmail.com" <legal_clerk@harikar.org>
To: [removed]
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--9855227372053987511427231688939"

----9855227372053987511427231688939
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DThank you for your help. Please see the attached.=0D


-
[removed]=0D[removed]@gmail.com
----9855227372053987511427231688939
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="RFG-020120 LLI-020420.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="RFG-020120 LLI-020420.doc"

[attachment data removed]
SHA256 hash: c96accdf5da8d74d216c6ba012418587ab84153ca3022a01931676d6616dc212
sample available at: https://app.any.run/tasks/13a73aba-e252-4c6b-bd08-9a0873efb55d

----9855227372053987511427231688939--
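The headers above carry several triage signals a responder would pull out by hand: the Authentication-Results line (SPF pass, DKIM fail, no DMARC policy), the Received chain whose earliest hop is an authenticated submission (esmtpsa) from 218.111.17.88 through box5766.bluehost.com, a From header whose display name is a Gmail address while the real sender is legal_clerk@harikar.org, and an attachment named .doc whose declared MIME type is the OOXML (.docx) Word type. The script below is an added example, not part of the original paste or the author's own tooling; it parses a trimmed copy of the headers above (DKIM-Signature, Message-ID and the attachment bytes omitted, [removed] placeholders kept) with Python's standard email module and returns those indicators as structured data. The function names and the finding strings are this example's own choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: headers and MIME skeleton copied from the paste above,
# with DKIM-Signature, Message-ID and the attachment payload trimmed out.
RAW_EMAIL = """\
Return-Path: <legal_clerk@harikar.org>
X-Originating-Ip: [192.185.46.187]
Authentication-Results: [removed]; iprev=pass policy.iprev="192.185.46.187"; spf=pass smtp.mailfrom="legal_clerk@harikar.org" smtp.helo="gateway22.websitewelcome.com"; dkim=fail (signature verification failed) header.d=harikar.org; dmarc=none (p=nil; dis=none) header.from=harikar.org
Received: from [192.185.46.187] ([192.185.46.187:30066] helo=gateway22.websitewelcome.com)
 by [removed] (envelope-from <legal_clerk@harikar.org>) [removed];
 Mon, 03 Feb 2020 19:47:37 -0500
Received: from cm12.websitewelcome.com (cm12.websitewelcome.com [100.42.49.8])
 by gateway22.websitewelcome.com (Postfix) with ESMTP id 11F137659
 for [removed]; Mon, 3 Feb 2020 18:47:37 -0600 (CST)
Received: from box5766.bluehost.com ([162.241.253.48])
 by cmsmtp with SMTP
 id ymNNiVeDsJqaQymNNiCCCS; Mon, 03 Feb 2020 18:47:37 -0600
Received: from [218.111.17.88] (port=49617)
 by box5766.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.92)
 (envelope-from <legal_clerk@harikar.org>)
 id 1iymNK-002TH5-WE
 for [removed]; Mon, 03 Feb 2020 17:47:36 -0700
Date: Tue, 04 Feb 2020 08:46:18 +0800
From: "[removed]@gmail.com" <legal_clerk@harikar.org>
To: [removed]
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--9855227372053987511427231688939"

----9855227372053987511427231688939
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DThank you for your help. Please see the attached.=0D
----9855227372053987511427231688939
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="RFG-020120 LLI-020420.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="RFG-020120 LLI-020420.doc"

[attachment data removed]
----9855227372053987511427231688939--
"""

OOXML_WORD = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
# First bracketed IPv4 literal in a Received header, e.g. "from [218.111.17.88]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# method=result pairs; the lookbehind skips ptype.property tokens like policy.iprev=
AUTH_RE = re.compile(r"(?<![\w.])(iprev|spf|dkim|dmarc)=([a-z]+)")


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from Authentication-Results."""
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(msg.get("Authentication-Results", ""))}


def received_chain(msg):
    """Bracketed IP of each Received hop, ordered oldest hop (bottom header) first."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        chain.append(m.group(1) if m else None)
    return chain


def display_name_domains(msg):
    """(domain shown in the display name, domain of the real address), or None."""
    display, addr = parseaddr(msg.get("From", ""))
    m = re.search(r"@([\w.-]+)$", display.strip())
    if not m or "@" not in addr:
        return None
    return m.group(1).lower(), addr.rsplit("@", 1)[1].lower()


def attachments(msg):
    """(filename, declared content type) for every MIME part that names a file."""
    return [(p.get_filename(), p.get_content_type()) for p in msg.walk() if p.get_filename()]


def triage(raw):
    """Collect the header-level indicators from a raw RFC 5322 message."""
    msg = message_from_string(raw)
    auth, chain, findings = parse_auth_results(msg), received_chain(msg), []
    if auth.get("dkim") == "fail":
        findings.append("DKIM signature failed to verify")
    if auth.get("dmarc") in (None, "none"):
        findings.append("no enforcing DMARC policy for the From domain")
    doms = display_name_domains(msg)
    if doms and doms[0] != doms[1]:
        findings.append(f"display name claims {doms[0]} but sender address is {doms[1]}")
    for name, ctype in attachments(msg):
        if ctype == OOXML_WORD and name.lower().endswith(".doc"):
            findings.append(f"attachment {name!r}: .doc extension but declared type is OOXML (.docx)")
    return {"auth": auth, "received_chain": chain, "origin_ip": chain[0] if chain else None,
            "findings": findings}


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The origin IP is taken from the bottom-most Received header, which is the hop closest to the sender; the upper hops belong to the receiving side's own relays and are trustworthy only as far as you trust each server that wrote them. SPF passing with DKIM failing is consistent with what the headers show here (the envelope sender domain's authorised relay delivered it, but the body or headers no longer match the harikar.org signature), so the two results should be read together rather than treating the SPF pass as a clean bill.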