API tools faq
paste
Advertisement
DarthInvader

EMOTET November 7, 2017 IOC

DarthInvader
Nov 7th, 2017
783
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.41 KB | None | 0 0
raw download clone embed print report
  1. EMOTET November 7, 2017 IOC (The email arrived November 6, 2:40PM -5UTC)
  2.  
  3. Document name: "New invoice # 295437879655.doc"
  4. SHA256: c394d23bc99d403d2613ddc56280a5b4fd5b67e47ab9496d8a5311f03cd4b5ef
  5. https://www.hybrid-analysis.com/sample/c394d23bc99d403d2613ddc56280a5b4fd5b67e47ab9496d8a5311f03cd4b5ef?environmentId=100
  6. https://www.virustotal.com/en/file/c394d23bc99d403d2613ddc56280a5b4fd5b67e47ab9496d8a5311f03cd4b5ef/analysis/1510068071/
  7.  
  8. Enabling content and editing of the Word Document causes a download of a file called BN.exe
  9. Payload DL site http://sfiafarms.com/FpKNJTj/
  10. SHA256: e6078f0c13b61558f71186b2e6a7c636f8e8f919336e00ac412eb1f5c2536a73
  11. https://www.virustotal.com/en/file/e6078f0c13b61558f71186b2e6a7c636f8e8f919336e00ac412eb1f5c2536a73/analysis/1510070334/
  12. https://www.hybrid-analysis.com/sample/e6078f0c13b61558f71186b2e6a7c636f8e8f919336e00ac412eb1f5c2536a73?environmentId=100
  13.  
  14. Post attempted to
  15. http://77.220.64.43:443/
  16. http://104.227.137.35:443/
  17. http://5.9.150.103:443/
  18. http://148.251.33.195:8080/
  19. http://206.214.220.81:8080/
  20. http://167.114.98.61:8080/
  21. http://217.13.106.16:8080/
  22. http://69.43.168.234:443/
  23. http://204.16.201.116/
  24. http://104.227.137.43:443/
  25. http://69.43.168.234:443/
  26. http://5.230.156.95:443/
  27. http://199.119.78.54:443/
  28. http://194.88.246.242:443/
  29. http://207.58.168.91:8080/
  30. http://217.13.106.249:8080/
  31.  
  32.  
  33. Additional links to pull down the infected Word document that would be in phishing emails
  34. http://apnatvweb.com/Invoice-due-number-8493697/
  35. http://biology.fst.unair.ac.id/New-invoice-038249/
  36. http://gas-global.com/Invoice-1680/
  37. http://ortakgelecekliderleri.com/scan-094607278/
  38. http://pripoi31.ru/Invoice-due-number-2416514/
  39. http://profishtrading.com/Invoice-number-54884-Notification/
  40. http://snma.fst.unair.ac.id/scan-420564119592/
  41. http://tekno.fst.unair.ac.id/New-invoice-3784735/
  42. http://www.ceciestunexercice.fr/Invoice-number-118438/
  43. http://www.enovakbd.com/Invoice-due-number-02117432/
  44. https://dynamick.it/NKJTTft0emNUP/
  45. museeduvieuxlacaune.fr/scan-3620900332/
  46. thecreativefirm.net/07210457/
  47. www.look30again.biz/Invoice-number-5723426/
  48. http://markpolak.com/Payment-with-a-new-address/
  49.  
  50. Email content
  51.  
  52. Hi LastName, FirstName,
  53.  
  54. Couldn’t reach over your phone number for some reason. Need to know the status of this invoice, please reply asap.
  55. http://pripoi31.ru/Invoice-due-number-2416514/
  56.  
  57.  
  58. Respectfully Yours,
  59. LastName, FirstName (someone you likely know)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!