- #IOC #OptiData #VR #Emotet #Epoch4 #Macro #regsvr32 #DLL
- https://pastebin.com/c5yna1SU
- previous_contact:
- 20/01/21 https://pastebin.com/NFRmXi7k
- FAQ:
- attack_vector
- --------------
- email attachment: password-protected .zip > XLS > Excel 4.0 (XLM) macro > GET DLL (4 URLs) > regsvr32.exe > C2 (exfil)
- # # # # # # # #
- email_headers
- # # # # # # # #
- Subject: Пробив конкурента  [Russian: "Running a check on a competitor"]
- Received: from dns.schilling.cl (HELO schilling.cl) ([200.75.9.84])
- Received: from [205.253.120.146] (helo=[127.0.0.1])
- by dns.opticenter.cl with esmtpsa (Exim 4.84_2) id 1o3vVX-000CYK-Rd
- Date: Wed, 22 Jun 2022 13:48:06 +0530
- Message-ID: <a82fc8fe-684c-4e96-048d-7e123298af1d@schilling.cl>
- From: "Базы Предприятий" <pespinosa@schilling.cl>  [display name, Russian: "Business Databases"]
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 1536de274f89689b781b8292b2a94f463ff7c9fab3cdf6dac1b2b6cdfd86d84a
- File name OZ4479586796UBP.zip [ Zip archive data, at least v2.0 to extract ]
- File size 18.30 KB (18742 bytes)
- SHA-256 a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1
- File name OZ4479586796UBP.xls [ Microsoft Excel , Generic OLE2]
- File size 55.50 KB (56832 bytes)
- SHA-256 0094525cc3ea07c27729b5fa54029703bfffcb0dbd8ee62925c60fb28485a277
- File name vopdSxqNOCQGlOPqjQVsZ3wh5ArvZGBkxXg.dll [ PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly ]
- File size 294.00 KB (301056 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR http://subbalakshmi.com/data_winning/kYv6xb/
- https://webhoanggia.com/wp-admin/r6f3vv8ukiZjeW/
- http://www.dh.net.br/catalogo1/0cJpUJXBhuBaMdVWQf/
- https://www.controlnetworks.com.au/wp-content/Pgb43ikTIobH/
- C2 139.162.113.169
- 45.76.181.158:443
- 135.148.6.80:443
- other possible C2s (extracted from the Emotet config)
- --------------
- 82.165.152.127:8080
- 51.161.73.194:443
- 103.75.201.2:443
- 5.9.116.246:8080
- 213.241.20.155:443
- 79.137.35.198:8080
- 119.193.124.41:7080
- 186.194.240.217:443
- 172.105.226.75:8080
- 150.95.66.124:8080
- 131.100.24.231:80
- 94.23.45.86:4143
- 209.97.163.214:443
- 206.189.28.199:8080
- 173.212.193.249:8080
- 153.126.146.25:7080
- 51.91.76.89:8080
- 1.234.2.232:8080
- 163.44.196.120:8080
- 149.56.131.28:8080
- 146.59.226.45:443
- 45.118.115.99:8080
- 139.162.113.169:8080
- 196.218.30.83:443
- 212.24.98.99:8080
- 115.68.227.76:8080
- 64.227.100.222:8080
- 207.148.79.14:8080
- 209.126.98.206:8080
- 151.106.112.196:8080
- 45.186.16.18:443
- 167.172.253.162:8080
- 160.16.142.56:8080
- 72.15.201.15:8080
- 158.69.222.101:443
- 91.207.28.33:8080
- 103.70.28.102:8080
- 185.4.135.165:8080
- 144.91.78.55:443
- 82.223.21.224:8080
- 45.235.8.30:8080
- 135.148.6.80:443
- 188.44.20.25:443
- 101.50.0.91:8080
- 46.55.222.11:443
- 159.89.202.34:443
- 134.122.66.193:8080
- 45.176.232.124:443
- 164.68.99.3:8080
- 103.43.75.120:443
- 183.111.227.137:8080
- 45.76.181.158:443
- 107.170.39.149:8080
- 110.232.117.186:8080
- 159.65.140.115:443
- 51.254.140.238:7080
- 159.65.88.10:8080
- 103.132.242.26:8080
- 172.104.251.154:8080
- 37.187.115.122:8080
- 197.242.150.244:8080
- 129.232.188.93:443
- 201.94.166.162:443
- netwrk
- --------------
- 166.62.28.144 subbalakshmi.com 80 HTTP GET /data_winning/kYv6xb/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; )
- 103.45.230.202 webhoanggia.com 443 TLSv1.2 Client Hello
- 177.11.48.94 www.dh.net.br 80 HTTP GET /catalogo1/0cJpUJXBhuBaMdVWQf/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0)
- 175.45.125.128 www.controlnetworks.com.au 443 TLSv1.2 Client Hello
- comp
- --------------
- EXCEL.EXE 996 TCP 103.45.230.202 443
- EXCEL.EXE 996 TCP 166.62.28.144 80
- EXCEL.EXE 996 TCP 175.45.125.128 443
- regsvr32.exe 2920 TCP 45.76.181.158 443
- regsvr32.exe 2920 TCP 135.148.6.80 443
- regsvr32.exe 2920 TCP 139.162.113.169 8080
- regsvr32.exe 2920 TCP 103.224.242.13 8080
- regsvr32.exe 2920 TCP 203.114.109.124 443
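- Added example (not part of the original paste): a small triage script that matches per-process connection records like the `comp` rows above against the payload hosts and C2 list from the `activity`/`netwrk` sections. The sample lines are constructed to mirror the `comp` section plus one benign browser connection to a TEST-NET address; the `process pid proto ip port` layout is an assumption about the monitoring tool's export format, and only the first rows of the config list are included (extend the set with the full list when using it).

```python
"""Match observed outbound connections against the Emotet Epoch 4 IOCs above.

Added example, not part of the original paste. The connection lines are
constructed to mirror the 'comp' section (plus one benign line); the
'process pid proto ip port' layout is an assumption about the export format.
"""
import re
from urllib.parse import urlparse

# Payload-staging URLs (PL_SCR) and their resolved IPs, from 'activity'/'netwrk'.
PAYLOAD_URLS = [
    "http://subbalakshmi.com/data_winning/kYv6xb/",
    "https://webhoanggia.com/wp-admin/r6f3vv8ukiZjeW/",
    "http://www.dh.net.br/catalogo1/0cJpUJXBhuBaMdVWQf/",
    "https://www.controlnetworks.com.au/wp-content/Pgb43ikTIobH/",
]
PAYLOAD_HOSTS = {urlparse(u).hostname for u in PAYLOAD_URLS}
PAYLOAD_IPS = {
    "166.62.28.144": "subbalakshmi.com",
    "103.45.230.202": "webhoanggia.com",
    "177.11.48.94": "www.dh.net.br",
    "175.45.125.128": "www.controlnetworks.com.au",
}

# Observed C2 plus the first rows of 'other possible (from config)'; extend
# this set with the full list from the paste when deploying.
C2_CONFIG = {
    "139.162.113.169:8080", "45.76.181.158:443", "135.148.6.80:443",
    "82.165.152.127:8080", "51.161.73.194:443", "103.75.201.2:443",
    "5.9.116.246:8080", "213.241.20.155:443", "79.137.35.198:8080",
    "119.193.124.41:7080", "186.194.240.217:443", "172.105.226.75:8080",
}
C2_IPS = {pair.rsplit(":", 1)[0] for pair in C2_CONFIG}

# Processes that should not be opening Internet connections on their own.
SUSPICIOUS_PROCS = {"regsvr32.exe", "rundll32.exe", "excel.exe", "winword.exe"}

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)$")


def classify(proc, ip, port):
    """Rank a destination: exact IOC match first, then weaker signals."""
    if ip in PAYLOAD_IPS:
        return "payload_host"          # stage-1 download site
    if f"{ip}:{port}" in C2_CONFIG:
        return "c2_config"             # ip:port pair from the config
    if ip in C2_IPS:
        return "c2_ip_other_port"      # known C2 host, port rotated
    if proc.lower() in SUSPICIOUS_PROCS:
        return "unlisted_from_suspicious_process"  # not in IOCs: candidate new C2
    return "benign"


def triage(lines):
    """Return non-benign connections as dicts, preserving log order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["proc"], m["ip"], m["port"])
        if verdict != "benign":
            hits.append({"process": m["proc"], "pid": int(m["pid"]),
                         "dest": f"{m['ip']}:{m['port']}", "verdict": verdict})
    return hits


# Constructed sample: the eight 'comp' rows plus one benign browser connection
# to a TEST-NET address.
SAMPLE_CONNECTIONS = """\
EXCEL.EXE 996 TCP 103.45.230.202 443
EXCEL.EXE 996 TCP 166.62.28.144 80
EXCEL.EXE 996 TCP 175.45.125.128 443
regsvr32.exe 2920 TCP 45.76.181.158 443
regsvr32.exe 2920 TCP 135.148.6.80 443
regsvr32.exe 2920 TCP 139.162.113.169 8080
regsvr32.exe 2920 TCP 103.224.242.13 8080
regsvr32.exe 2920 TCP 203.114.109.124 443
chrome.exe 4411 TCP 203.0.113.5 443
""".splitlines()

if __name__ == "__main__":
    for h in triage(SAMPLE_CONNECTIONS):
        print(f"{h['verdict']:<34} {h['process']}({h['pid']}) -> {h['dest']}")
```

- Note that two of the regsvr32.exe destinations in the `comp` section, 103.224.242.13:8080 and 203.114.109.124:443, are not in the config list above; they land in the `unlisted_from_suspicious_process` bucket, which is the set to review when hunting for C2 addresses the extracted config does not yet cover.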
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
- C:\Windows\System32\regsvr32.exe /S ..\peg1.ocx
- C:\Windows\system32\regsvr32.exe "C:\Users\operator\AppData\Local\YhrzgUwVUM\Ucedz.dll"
- C:\Windows\system32\systeminfo.exe
- C:\Windows\system32\ipconfig.exe /all
- C:\Windows\system32\nltest.exe /dclist:
- "C:\tmp\\kdkeax.exe" /scomma "C:\tmp\121C.tmp"
- "C:\tmp\\ppepigjryij.exe" /scomma "C:\tmp\9094.tmp"
- C:\Windows\System32\regsvr32.exe /S ..\peg2.ocx
- C:\Windows\System32\regsvr32.exe /S ..\peg3.ocx
- C:\Windows\System32\regsvr32.exe /S ..\peg4.ocx
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22.06.2022 14:31
- Ucedz.dll c:\users\operator\appdata\local\yhrzguwvum\ucedz.dll 21.06.2022 22:10
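- Added example (not part of the original paste): detection logic for the process chain in the `proc` section and the Run-key entry in the `persist` section. Events are constructed in a Sysmon-style shape (parent_image, image, command_line) from the command lines listed above; the parent/child links (EXCEL.EXE spawning regsvr32.exe, regsvr32.exe spawning the recon and dump tools) are an assumption, since the paste records only the command lines. The `/scomma` switch check covers the CSV-export option used by NirSoft-style password dumpers; the benign events and the OneDrive Run value are constructed controls.

```python
"""Flag the Emotet process chain and Run-key persistence recorded above.

Added example, not part of the original paste. Events are constructed to
mirror the 'proc' and 'persist' sections in a Sysmon-style shape
(parent_image, image, command_line); the parent/child links are an
assumption, since the paste lists only the command lines.
"""
import re
from pathlib import PureWindowsPath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}   # interactive parents
USER_WRITABLE = re.compile(r"(?i)(\\users\\|%temp%|\\appdata\\|\\programdata\\|c:\\tmp\\)")
ABSOLUTE = re.compile(r"(?i)^[a-z]:\\")
RECON = {"systeminfo.exe": "", "ipconfig.exe": "/all", "nltest.exe": "/dclist"}
TOKEN_RE = re.compile(r'"[^"]+"|\S+')


def _basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def _module_arg(cmdline):
    """Last non-switch argument of a regsvr32 command line (the module path)."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)[1:]]
    args = [t for t in toks if not t.startswith("/")]
    return args[-1] if args else None


def check_process(ev):
    """Return the rule names one process-creation event triggers."""
    hits = []
    image, parent = _basename(ev["image"]), _basename(ev.get("parent_image", ""))
    cmd = ev["command_line"]
    if image == "regsvr32.exe":
        if parent in OFFICE:
            hits.append("office_spawns_regsvr32")
        mod = _module_arg(cmd)
        if mod and USER_WRITABLE.search(mod):
            hits.append("regsvr32_module_in_user_writable_path")
        elif mod and not ABSOLUTE.match(mod):
            hits.append("regsvr32_relative_module_path")     # e.g. /S ..\peg1.ocx
    if image in RECON and RECON[image] in cmd.lower() and parent not in SHELLS:
        hits.append("recon_from_non_shell_parent")
    if "/scomma" in cmd.lower() and USER_WRITABLE.search(ev["image"]):
        hits.append("csv_dump_tool_in_temp")                  # NirSoft-style export
    return hits


def check_run_value(name, data):
    """Run value whose target is a DLL/OCX under a user-writable path."""
    toks = TOKEN_RE.findall(data)
    if not toks:
        return None
    target = _module_arg(data) if "regsvr32" in toks[0].lower() else toks[0].strip('"')
    if target and USER_WRITABLE.search(target) and target.lower().endswith((".dll", ".ocx")):
        return "run_key_loads_module_from_user_profile"
    return None


def scan(events):
    """(index, hits) for every event that triggers at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = check_process(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events modeled on the 'proc' section; the last one is a benign control.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"C:\Windows\System32\regsvr32.exe /S ..\peg1.ocx"},
    {"parent_image": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\system32\regsvr32.exe",
     "command_line": r'C:\Windows\system32\regsvr32.exe "C:\Users\operator\AppData\Local\YhrzgUwVUM\Ucedz.dll"'},
    {"parent_image": r"C:\Windows\system32\regsvr32.exe",
     "image": r"C:\Windows\system32\nltest.exe",
     "command_line": r"C:\Windows\system32\nltest.exe /dclist:"},
    {"parent_image": r"C:\Windows\system32\regsvr32.exe",
     "image": r"C:\tmp\kdkeax.exe",
     "command_line": r'"C:\tmp\\kdkeax.exe" /scomma "C:\tmp\121C.tmp"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'C:\Windows\System32\regsvr32.exe /s "C:\Windows\System32\msxml3.dll"'},
]

# Run values: the 'persist' entry from the paste and a constructed benign one.
RUN_VALUES = [
    ("Ucedz.dll", r"c:\users\operator\appdata\local\yhrzguwvum\ucedz.dll"),
    ("OneDrive", r'"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}  <- {SAMPLE_EVENTS[i]['command_line']}")
    for name, data in RUN_VALUES:
        print(f"Run\\{name}: {check_run_value(name, data) or 'ok'}")
```

- The relative-path rule is what catches `/S ..\peg1.ocx`: the module argument resolves against the working directory of the spawning Office process (here C:\Users\operator, matching the `drop` entry C:\Users\operator\peg1.ocx), so an absolute-path allowlist alone would miss it.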
- drop
- --------------
- %temp%\6204687.od
- %temp%\FC4F.tmp
- C:\Users\operator\peg1.ocx
- %temp%\Temporary Internet Files\Content.IE5\5LCDGT3D\HO9fjQsQtssjDMaqdHVFHbmjYExj2qdSW1w[1].dll
- %temp%\ppepigjryij.exe
- %temp%\kdkeax.exe
- %temp%\shsnkzioldxlkz.exe
- # # # # # # # #
- additional info
- # # # # # # # #
- xls metadata
- --------------
- File Name : OZ4479586796UBP.xls
- Directory : .
- File Size : 56 KiB
- File Modification Date/Time : 2022:06:22 11:17:02+03:00
- File Access Date/Time : 2022:06:22 15:10:59+03:00
- File Inode Change Date/Time : 2022:06:22 15:10:59+03:00
- File Permissions : -rw-r--r--
- File Type : XLS
- File Type Extension : xls
- MIME Type : application/vnd.ms-excel
- Author : SRGHRSHSH
- Last Modified By : RGSGK
- Software : Microsoft Excel
- Create Date : 2015:06:05 18:19:34
- Modify Date : 2022:06:21 18:35:33
- Security : None
- Code Page : Windows Cyrillic
- Company :
- App Version : 16.0000
- Scale Crop : No
- Links Up To Date : No
- Shared Doc : No
- Hyperlinks Changed : No
- Title Of Parts : Sheet, KBSNTND, Vv, ORHINSNR, THJD, SGGSBe, KBRSBTL
- Heading Pairs : Worksheets, 6, Excel 4.0 Macros, 1  [original: Листы, 6, Макросы Excel 4.0, 1]
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- Dropped files
- **************
- https://www.virustotal.com/gui/file/1536de274f89689b781b8292b2a94f463ff7c9fab3cdf6dac1b2b6cdfd86d84a/details
- https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1/details
- https://www.virustotal.com/gui/file/0094525cc3ea07c27729b5fa54029703bfffcb0dbd8ee62925c60fb28485a277/details
- https://analyze.intezer.com/analyses/326ef74f-1d57-4e4c-b50e-b6e0e0fcbcfb
- VR