ExecuteMalware

2019-02-27 Emotet Notes

Feb 27th, 2019

EMOTET NOTES - 2019-02-27
Saw a slow start to the day and then volume jumped at around 2:00 pm.
Significant changes to the Emotet macro usage were observed today.
Macro code is now spread out over the AutoOpen macro and three additional modules.
However, the command code is stored as a text property of a TextBox object on a user form.
The only obfuscation being used is replacing "http" in the payload URLs with a nonsense string.
All documents are using the blue/grey Word template.
The only file attachments that I saw today were .DOC files - no PDFs.
All of the Word document files that I saw were actual Word documents - no XML files.
All Word document files from this afternoon begin with Acc- or Acc_ (can be all upper or lowercase).
Late this afternoon, I downloaded two new Emotet .DOC files and they were zipped (indicating they were likely .DOCX).
Many of the document download URLs are in the form "string-string-string.view".
There seemed to be very low detection rates of the Word documents by AntiVirus vendors (McAfee, for sure).

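The document-level observations above (a binary .DOC versus a zipped container, the Acc-/Acc_ naming, and "http" swapped for a filler string in the UserForm TextBox text) as a small triage script. This is an added example, not code from ExecuteMalware's notes: the in-memory documents, the filler token "zq7Vk" and the hosts (example.invalid and TEST-NET addresses) are constructed stand-ins, and the idea that the filler can be recovered as the common prefix of whatever sits before "://" is an assumption about how the replacement was done, not something the notes state.

```python
"""Triage helpers for the document-level observations above: which container the
attachment really is, the Acc-/Acc_ naming, and putting "http" back into URLs lifted
from the UserForm TextBox text. All sample inputs here are constructed."""
import io
import re
import zipfile
from typing import List, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: classic binary .doc
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip container


def classify_word_file(data: bytes) -> str:
    """Classify by content, not extension: 'ole', 'ooxml', 'ooxml-macro', 'xml' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # OOXML stores the VBA project as word/vbaProject.bin; if it is there the file is
        # a macro-enabled document no matter what the extension claims.
        return "ooxml-macro" if "word/vbaProject.bin" in names else "ooxml"
    if data.lstrip().startswith(b"<?xml"):
        return "xml"  # Word 2003 XML: none seen in this batch, but cheap to keep apart
    return "unknown"


ACC_NAME = re.compile(r"^acc[-_]", re.IGNORECASE)


def has_acc_prefix(filename: str) -> bool:
    """Afternoon-batch naming: Acc- or Acc_ in any mix of case."""
    return bool(ACC_NAME.match(filename))


def guess_filler_token(text: str) -> Optional[str]:
    """Assumption: the macro did a plain Replace of "http" with a filler, so each URL now
    reads "<filler>://..." (or "<filler>s://..." for https). Collect everything that sits
    directly before "://" and return the shortest candidate if all others extend it.
    None means the text already holds plain http(s) URLs or the candidates disagree."""
    cands = [c for c in re.findall(r"([A-Za-z0-9]+)://", text)
             if c.lower() not in ("http", "https")]
    if not cands:
        return None
    shortest = min(cands, key=len)
    return shortest if all(c.startswith(shortest) for c in cands) else None


def restore_urls(text: str, token: Optional[str] = None) -> List[str]:
    """Undo the swap only where the filler precedes "://", then pull out the URLs.
    Pass the token seen in the macro's Replace() call when it is known; guessing is
    the fallback, and it misreads the scheme when only https URLs are present."""
    token = token or guess_filler_token(text)
    if token:
        text = re.sub(re.escape(token) + r"(?=s?://)", "http", text)
    return re.findall(r"https?://[^\s'\"@,;]+", text)


def triage(filename: str, data: bytes) -> dict:
    return {"name": filename,
            "acc_prefix": has_acc_prefix(filename),
            "container": classify_word_file(data)}


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed stand-in for the TextBox text: filler "zq7Vk", hosts from example.invalid
# and TEST-NET space. The real text wraps the URLs in a command; that part is omitted.
SAMPLE_TEXTBOX = ("zq7Vk://example.invalid/wp-content/uploads/A1b2C3 "
                  "zq7Vks://example.invalid/D4e5F6 "
                  "zq7Vk://203.0.113.5/G7h8")

if __name__ == "__main__":
    for name, blob in [("ACC_2019-02-27.doc", OLE_MAGIC + b"\x00" * 16),
                       ("acc-invoice.doc", build_sample_docm(True)),
                       ("Report.doc", build_sample_docm(False))]:
        print(triage(name, blob))
    print("filler:", guess_filler_token(SAMPLE_TEXTBOX))
    for url in restore_urls(SAMPLE_TEXTBOX):
        print(" ", url)
```

Word picks its parser from the container, not the file name, so a zipped document delivered as .DOC is handled as OOXML and any rule keyed on the extension alone misses it; the magic-byte check above is what to key on. When the TextBox text holds only https URLs, the guessed filler absorbs the trailing "s", so prefer passing the token read from the macro's Replace() call.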
Here are the IOCs that I either found or collected:
MALDOC DISTRIBUTION URLS
http://01asdfceas1234.com/a8iak-jgp3hj-mojzf.view
http://104.223.40.40/wp-admin/my0m0-gnthea-trto.view
http://109.97.216.141/dyrb-x1hjw-oepj.view
http://12pm.strannayaskazka.ru/oow6-bz46h-kane.view
http://13.127.212.245/6qjyn-g94xs-zeicf.view
http://13.211.153.58/8wsh-smllpg-xnzdx.view
http://13.234.1.52/sendincverif/legal/question/En_en/201902
http://13.251.226.193/sendincverif/support/question/En_en/02-2019
http://159.65.142.218/wp-admin/q5b8-jd6q6-jzfu.view
http://178.128.54.239/2wsb-8t237v-vkxq.view
http://178.62.63.119/cr6g-34dfz-mpupi.view
http://18.223.205.30/0r8o-ns4l5f-qtcg.view
http://18.232.11.96/8t71-ui9ht6-uelxv.view
http://183.179.198.165/p7fle-3rdesj-bddr.view
http://18930.website.snafu.de/qu6d-v4lnw-jufkf.view
http://192.241.218.154/2c3a-bpnq07-jjde.view
http://206.189.154.46/rixg-sujpf-fegbj.view
http://206.189.181.0/y5ci-9nntk-wybaz.view
http://3.0.82.215/7j5g-9i3o2-yjhc.view
http://3.16.174.177/vf9h-i1ee8-atbe.view
http://34.242.190.144/sendincsecure/messages/sec/En/2019-02
http://35.231.137.207/r3jy-qcg2n2-udnfp.view
http://35.233.127.71/zjed1-iae7t-kdzwv.view
http://47.74.7.148/veqv-e945w-jpkh.view
http://50.53.45.102/sendincsec/legal/secure/EN_en/022019
http://52.32.197.6/nanolumens/resources/8won5-8vavn-bdwko.view
http://54.233.125.210/k8y7-r0p2tp-ibbau.view
http://80smp4.xyz/De/IPZWFMKCWW6650138
http://88.191.45.2/@eaDir/@tmp/79fk3-g90qy-pljw.view
http://9casino.net/En/document/Invoice/4310615934247/aDrn-Sj7_TZhEz-WjZ
http://ameen-brothers.com/cgi-bin/fqhe-aQ8_xELqzU-k0b
http://ammedieval.org/wp-includes/0n8cz-gs36t-xhlf.view
http://andrepitre.com/sendincverif/legal/verif/EN/2019-02
http://arvd.begrip.sk/20jg-6sc6gb-buzh.view
http://avent.xyz/kc48-4x1o8-ybkw.view
http://basr.sunrisetheme.com/03dtc-pxqrlw-sjvs.view
http://beautyandfashionworld.com/074l-zvq2fa-mtpg.view
http://belgrafica.pt/5gg2a-hixf6-rtxq.view
http://blog.piotrszarmach.com/urilf-8t6kpt-quzah.view
http://blogmiranda.inces.gob.ve/zzsm-qqz8fm-fhtu.view
http://bookoftension.com/j4de6-53df2h-exle.view
http://broombroom.in/n3et-qje8bt-meoal.view
http://bsa.bcs-hosting.net/7qie-aiyqb-zmrxw.view
http://cetcf.cn/sendincsec/messages/question/En_en/201902
http://citylink.com.pk/h53n9-picx6-rzlyj.view
http://cotafric.net/wp-content/uploads/mqex-6ftnhq-wrsir.view
http://crab888.com/bxiw-e556c-hkgdg.view
http://crmz.su/Telekom/Transaktion/022019
http://disperkim.kalselprov.go.id/d2l7h-ncojqd-xlub.view
http://dunnascomunica.com/dv9x-33toih-rsoew.view
http://eduapps.in/wp-content/uploads/sendincsecure/support/verif/EN_en/02-2019
http://emaildatabank.com/gnmvu-4uin4m-zmnuz.view
http://excelparts.com.pk/pvwm-gg48yb-mjtvd.view
http://eyestopper.ru/g2q8-lg1nk0-itcr.view
http://frazer.devurai.com/rf4x-88d32b-vxcm.view
http://hayalbu.com/sendincencrypt/service/trust/en_EN/2019-02
http://icon-eltl.unila.ac.id/ioqmh-mr89or-nwuf.view
http://icspi.ui.ac.id/sendincencrypt/messages/trust/En_en/022019
http://insolution.co/qtp70-rwwqo-ljob.view
http://jamais.ovh/doc/Inv/TYbL-Pk_At-51
http://jrankerz.com/yodm-gwhd3-poqr.view
http://kenjosh.xyz/8f21c-58yryc-jzty.view
http://koszulenawymiar.pl/im9f-4aycvi-hyve.view
http://lar.biz/sendincsec/service/verif/en_EN/022019
http://leaf.eco.to/teamail/i/vagqr-e9y4u-kczsv.view
http://legits.net/sendincencrypt/service/ios/en_EN/201902
http://lojamariadenazare.com/8vvqk-3i8l1-znpuu.view
http://machebella.com.br/jsoln-mu4e9-wvdza.view
http://mailysinger.info/fo01-571onr-qpzoz.view
http://mantra4change.com/wp-content/uploads/sendincsec/support/question/En_en/02-2019
http://mpgestaodepessoas.com.br/sendinc/support/ios/En_en/2019-02
http://municipalismovalenciano.es/US/Bavl-scIE_MHkrBon-unA
http://musicatemporis.recordtogo.com/sendincencrypt/support/secure/EN_en/201902
http://nhinfotech.com/nz7t-z45ns-ezpje.view
http://oesfomento.com.br/sendinc/service/ios/En/201902
http://oticasvitoria.net/sendincencrypt/service/sec/En/201902
http://otojack.co.id/wp-content/uploads/sendincsec/legal/ios/En_en/201902
http://pbj.undiksha.ac.id/wp-content/uploads/sendincverif/support/trust/en_EN/02-2019
http://phy.mbstu.ac.bd/sendincverif/messages/ios/En/02-2019
http://privateinvestigatormiamibeach.com/US_us/ZVbJQ-VVAP_YtuMZao-gx
http://punjabanmutyaar.com/sendincverif/legal/question/En/201902
http://renbridal.vn/En/Copy_Invoice/55253955/yyPeo-C0A_sTAf-EdO
http://satofood.net/sendincsecure/service/ios/En_en/201902
http://setimosacramento.com.br/llc/New_invoice/DSlDH-teuvx_TdoVresJy-ZtR
http://slot-tube.cn/US_us/download/tNBw-YZ1_WfKZjpFLN-st
http://students2019.com/En_us/scan/144400157/xJgdN-ZyU0i_eF-8U5
http://tahatec.com/US/company/Copy_Invoice/YUXZ-XA_XwU-EDR
http://tahrazin.com/196664050005/Zglk-MfW_S-cif
http://tbilisiperforming.com/wp-content/EN_en/dbhz-wR5_Tbk-gC
http://thietkewebwp.com/wp-content/uploads/corporation/Copy_Invoice/cGjw-GTw6H_e-Cc
http://toko.kojyou-project.com/EN_en/download/QLPUt-qZanw_JyZRYHp-a39
http://umquartodecena.com/EN_en/xerox/Inv/ziol-8kX_fO-S8
http://www.timothymills.org.uk/pt7b-7rpbqh-dzidk.view

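A matcher for the three URL shapes that appear in the list above: the "string-string-string.view" form, the sendinc*/word/word/locale/date form, and the mixed-case "xxxx-xxx_xxxx-xx" token at the end of the invoice-style paths. This is an added example, not part of the original notes. The regexes are fitted to this one day's list, the proxy log lines (format, hosts, client addresses) are constructed, and the paths in them only follow the observed shapes.

```python
"""Matcher for the download-URL shapes in the list above. The three path families are
fitted to this day's list only; the proxy log lines, hosts and log format are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

PATTERNS = {
    # /a8iak-jgp3hj-mojzf.view : three lowercase alphanumeric runs (4-5, 5-6, 4-5 chars)
    "view": re.compile(r"/[a-z0-9]{4,5}-[a-z0-9]{5,6}-[a-z0-9]{4,5}\.view$"),
    # /sendincverif/legal/question/En_en/201902 : sendinc plus optional suffix, two words,
    # a locale-looking token, then February 2019 in one of its four spellings
    "sendinc": re.compile(
        r"/sendinc(?:verif|sec|secure|encrypt)?/[a-z]+/[a-z]+/"
        r"[A-Za-z]{2}(?:_[A-Za-z]{2})?/(?:2019-02|02-2019|201902|022019)$"),
    # /aDrn-Sj7_TZhEz-WjZ : mixed-case runs joined as run-run_run-run
    "invoice-token": re.compile(r"/[A-Za-z0-9]+-[A-Za-z0-9]+_[A-Za-z0-9]+-[A-Za-z0-9]+$"),
}
URL_IN_LOG = re.compile(r"https?://[^\s\"']+")


def classify_url(url: str) -> Dict[str, object]:
    """Which of today's path families a URL belongs to, and whether it sits on a bare IP."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        on_ip = True
    except ValueError:
        on_ip = False
    family = next((n for n, rx in PATTERNS.items() if rx.search(parts.path)), "other")
    return {"url": url, "host": host, "hosted_on_ip": on_ip, "family": family}


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Pull every URL out of free-form proxy log lines and keep those matching a family."""
    hits = []
    for line in lines:
        for url in URL_IN_LOG.findall(line):
            rec = classify_url(url)
            if rec["family"] != "other":
                hits.append(rec)
    return hits


def summarize(urls: Iterable[str]) -> Counter:
    """Family counts over a URL list, to see which shape dominates a day's batch."""
    return Counter(classify_url(u)["family"] for u in urls)


# Constructed proxy log lines (assumed format: time client method url status). Hosts are
# example.invalid / TEST-NET; paths follow the shapes in the list above.
SAMPLE_LOG = [
    "2019-02-27T14:05:11Z 10.0.0.21 GET http://203.0.113.7/wp-admin/x7kq-m2n8pw-ztyv.view 200",
    "2019-02-27T14:06:40Z 10.0.0.33 GET http://example.invalid/sendincsec/support/verif/EN_en/02-2019 200",
    "2019-02-27T14:07:02Z 10.0.0.33 GET https://www.example.com/index.html 200",
    "2019-02-27T14:09:18Z 10.0.0.48 GET http://example.invalid/US/Copy_Invoice/71029/qWer-Ty1_UiOp-aS 200",
    "2019-02-27T14:11:55Z 10.0.0.21 GET http://example.invalid/updates/2019-02 404",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["family"], "ip-hosted" if hit["hosted_on_ip"] else "domain", hit["url"])
    print(summarize(URL_IN_LOG.findall(" ".join(SAMPLE_LOG))))
```

Treat these as hunting regexes for this batch rather than long-lived signatures: the path shapes changed from day to day, so re-fit them against each day's list, and keep the "hosted on a bare IP" flag as a separate pivot since a large share of today's distribution hosts were raw addresses.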
DOCUMENT FILE HASHES
0540149985187970b670fd5a70fbe8d5
07b43c3c4f58156bd585fc82952d52c8
09063c17ab0efab1515e821f1728d766
160e2bf30b8c3ea6e49c035f9a449776
2dc9c75982f9172c7c0a4265dda83275
304f915bed575523952cca9ab840402d
31974af9c1f72149379a075442f177e3
39cdc1d3807e43712095963d97811554
5fec5d5332b514804d2f801cbb028410
6c15a16aaeb3a31cdea8cb072bbfbbc5
7393347403f99c28bc84b3e5969435f7
7cd116abcd20c0ce8429f7dc010ad0bc
9110918d37a5aedc6449c9e67ced4345
c5a25825d4be8d1c70ed45383ffd0463
e6611d35f9be422c76f7eacd570437f0
fdf29e671102189688ad095882f7cede

EMOTET PAYLOAD
http://103.11.22.51/wp-content/uploads/yoarKX9
http://13.126.28.98/hPwXcgCZBx
http://13.229.153.169/vLm7bTI1bXxCI8Tn_5hh7
http://159.65.146.232/ugitr4t4L
http://159.65.65.213/iz1Cc1GhZ
http://23.23.29.10/YaXUeO5K
http://3.89.91.237/MLCMkrc
http://34.207.179.222/7SQrziN
http://35.204.88.6/heu0n72I
http://acdhon.com/wvJZL4qzJvJ
http://caminaconmigo.org/wp-content/uploads/q7wmIj0
http://canhocaocap24h.info/JelJh5aIRIOmyK2
http://emirates-tradingcc.com/wp-content/XUMY1h33zJ
http://healthytick.com/wp-content/uploads/j900PD5h
http://ibakery.tungwahcsd.org/media/m8PnOehN8bW5h3q
http://iso-wcert.com/JREjsr1Ai
http://japanijob.com/UUC8iEfIfb
http://neumaticosutilizados.com/tpexfplWv
http://saigonthinhvuong.net/NuqnyGVMdzOnA
http://uat-essence.oablab.com/wp-includes/oY8j241xM