VRad

#emotet_220622

Jun 22nd, 2022 (edited)
#IOC #OptiData #VR #Emotet #Epoch4 #Macro #regsvr32 #DLL

https://pastebin.com/c5yna1SU

previous_contact:
20/01/21 https://pastebin.com/NFRmXi7k

FAQ:


attack_vector
--------------
email attach .zip (passwd) > XLS > XLM Macro > GET DLL (4 URL) > regsvr32.exe > exfil to C2


# # # # # # # #
email_headers
# # # # # # # #

Subject: Пробив конкурента
Received: from dns.schilling.cl (HELO schilling.cl) ([200.75.9.84])
Received: from [205.253.120.146] (helo=[127.0.0.1])
by dns.opticenter.cl with esmtpsa (Exim 4.84_2) id 1o3vVX-000CYK-Rd
Date: Wed, 22 Jun 2022 13:48:06 +0530
Message-ID: <a82fc8fe-684c-4e96-048d-7e123298af1d@schilling.cl>
From: "Базы Предприятий" <pespinosa@schilling.cl>


# # # # # # # #
files
# # # # # # # #

SHA-256 1536de274f89689b781b8292b2a94f463ff7c9fab3cdf6dac1b2b6cdfd86d84a
File name OZ4479586796UBP.zip [ Zip archive data, at least v2.0 to extract ]
File size 18.30 KB (18742 bytes)

SHA-256 a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1
File name OZ4479586796UBP.xls [ Microsoft Excel, Generic OLE2 ]
File size 55.50 KB (56832 bytes)

SHA-256 0094525cc3ea07c27729b5fa54029703bfffcb0dbd8ee62925c60fb28485a277
File name vopdSxqNOCQGlOPqjQVsZ3wh5ArvZGBkxXg.dll [ PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly ]
File size 294.00 KB (301056 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR http://subbalakshmi.com/data_winning/kYv6xb/
https://webhoanggia.com/wp-admin/r6f3vv8ukiZjeW/
http://www.dh.net.br/catalogo1/0cJpUJXBhuBaMdVWQf/
https://www.controlnetworks.com.au/wp-content/Pgb43ikTIobH/


C2 139.162.113.169
45.76.181.158:443
135.148.6.80:443

other possible (from config)
--------------


netwrk
--------------
166.62.28.144 subbalakshmi.com 80 HTTP GET /data_winning/kYv6xb/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; )
103.45.230.202 webhoanggia.com 443 TLSv1.2 Client Hello
177.11.48.94 www.dh.net.br 80 HTTP GET /catalogo1/0cJpUJXBhuBaMdVWQf/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0)
175.45.125.128 www.controlnetworks.com.au 443 TLSv1.2 Client Hello

comp
--------------
EXCEL.EXE 996 TCP 103.45.230.202 443
EXCEL.EXE 996 TCP 166.62.28.144 80
EXCEL.EXE 996 TCP 175.45.125.128 443
regsvr32.exe 2920 TCP 45.76.181.158 443
regsvr32.exe 2920 TCP 135.148.6.80 443
regsvr32.exe 2920 TCP 139.162.113.169 8080
regsvr32.exe 2920 TCP 103.224.242.13 8080
regsvr32.exe 2920 TCP 203.114.109.124 443


proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\System32\regsvr32.exe /S ..\peg1.ocx
C:\Windows\system32\regsvr32.exe "C:\Users\operator\AppData\Local\YhrzgUwVUM\Ucedz.dll"
C:\Windows\system32\systeminfo.exe
C:\Windows\system32\ipconfig.exe /all
C:\Windows\system32\nltest.exe /dclist:
"C:\tmp\\kdkeax.exe" /scomma "C:\tmp\121C.tmp"
"C:\tmp\\ppepigjryij.exe" /scomma "C:\tmp\9094.tmp"
C:\Windows\System32\regsvr32.exe /S ..\peg2.ocx
C:\Windows\System32\regsvr32.exe /S ..\peg3.ocx
C:\Windows\System32\regsvr32.exe /S ..\peg4.ocx
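To turn the proc observations above into a detection check, an added example that is not part of the original paste: two rules run over constructed process-creation events modelled on the listed command lines (regsvr32.exe with an Office parent or a relative/user-profile target, and the systeminfo/ipconfig/nltest recon burst under one parent). The parent/child links, timestamps and all PIDs other than 996 and 2920 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry mirroring the 'proc' lines: (timestamp, pid, ppid, image, command line).
# Parent links, timestamps and PIDs other than 996/2920 are assumptions for this example.
EVENTS = [
    ("2022-06-22 14:30:01", 996, 500, r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE", "EXCEL.EXE"),
    ("2022-06-22 14:30:09", 2920, 996, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\regsvr32.exe /S ..\peg1.ocx"),
    ("2022-06-22 14:30:15", 3104, 2920, r"C:\Windows\system32\regsvr32.exe",
     r'C:\Windows\system32\regsvr32.exe "C:\Users\operator\AppData\Local\YhrzgUwVUM\Ucedz.dll"'),
    ("2022-06-22 14:30:20", 3150, 3104, r"C:\Windows\system32\systeminfo.exe", "systeminfo.exe"),
    ("2022-06-22 14:30:21", 3160, 3104, r"C:\Windows\system32\ipconfig.exe", "ipconfig.exe /all"),
    ("2022-06-22 14:30:22", 3170, 3104, r"C:\Windows\system32\nltest.exe", "nltest.exe /dclist:"),
    # Benign control: an installer registering a COM DLL from Program Files, no Office parent.
    ("2022-06-22 14:35:00", 4000, 777, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /S C:\Program Files\Vendor\v.dll"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
RECON_TOOLS = {"systeminfo.exe", "ipconfig.exe", "nltest.exe"}
# Relative targets (..\peg1.ocx) or user-writable targets (AppData\Local\...\Ucedz.dll, %temp%).
UNTRUSTED_TARGET = re.compile(r"(\.\.\\|\\AppData\\|\\Temp\\|%temp%)", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawned_regsvr32(events):
    """Command lines of regsvr32.exe whose parent is an Office app or whose
    registration target lives in a relative or user-writable path."""
    by_pid = {e[1]: e for e in events}
    hits = []
    for _ts, _pid, ppid, image, cmd in events:
        if basename(image) != "regsvr32.exe":
            continue
        parent = by_pid.get(ppid)
        if (parent and basename(parent[3]) in OFFICE_APPS) or UNTRUSTED_TARGET.search(cmd):
            hits.append(cmd)
    return hits

def recon_burst(events, window=timedelta(seconds=60)):
    """Parent PIDs under which all three host/domain recon commands ran within `window`."""
    seen = {}
    for ts, _pid, ppid, image, _cmd in events:
        name = basename(image)
        if name in RECON_TOOLS:
            seen.setdefault(ppid, {})[name] = datetime.fromisoformat(ts)
    return sorted(p for p, d in seen.items()
                  if set(d) == RECON_TOOLS and max(d.values()) - min(d.values()) <= window)
```

The benign installer event is there to show that the rule keys on parent and target path, not on regsvr32.exe alone.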


persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22.06.2022 14:31
Ucedz.dll c:\users\operator\appdata\local\yhrzguwvum\ucedz.dll 21.06.2022 22:10

drop
--------------
%temp%\6204687.od
%temp%\FC4F.tmp
C:\Users\operator\peg1.ocx
%temp%\Temporary Internet Files\Content.IE5\5LCDGT3D\HO9fjQsQtssjDMaqdHVFHbmjYExj2qdSW1w[1].dll
%temp%\ppepigjryij.exe
%temp%\kdkeax.exe
%temp%\shsnkzioldxlkz.exe


# # # # # # # #
additional info
# # # # # # # #

xls metadata
--------------
File Name : OZ4479586796UBP.xls
Directory : .
File Size : 56 KiB
File Modification Date/Time : 2022:06:22 11:17:02+03:00
File Access Date/Time : 2022:06:22 15:10:59+03:00
File Inode Change Date/Time : 2022:06:22 15:10:59+03:00
File Permissions : -rw-r--r--
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Author : SRGHRSHSH
Last Modified By : RGSGK
Software : Microsoft Excel
Create Date : 2015:06:05 18:19:34
Modify Date : 2022:06:21 18:35:33
Security : None
Code Page : Windows Cyrillic
Company :
App Version : 16.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : Sheet, KBSNTND, Vv, ORHINSNR, THJD, SGGSBe, KBRSBTL
Heading Pairs : Листы, 6, Макросы Excel 4.0, 1


# # # # # # # #
VT & Intezer
# # # # # # # #

Dropped files
**************
https://www.virustotal.com/gui/file/1536de274f89689b781b8292b2a94f463ff7c9fab3cdf6dac1b2b6cdfd86d84a/details
https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1/details
https://www.virustotal.com/gui/file/0094525cc3ea07c27729b5fa54029703bfffcb0dbd8ee62925c60fb28485a277/details
https://analyze.intezer.com/analyses/326ef74f-1d57-4e4c-b50e-b6e0e0fcbcfb


VR