- EMOTET NOTES - 2019-02-27
- Saw a slow start to the day and then volume jumped at around 2:00 pm.
- Significant changes to the Emotet macro usage were observed today.
- Macro code is now spread out over the AutoOpen macro and three additional modules.
- However, the command code is stored as a text property of a TextBox object on a user form.
- The only obfuscation being used is replacing "http" in the payload URLs with a nonsense string.
- All documents are using the blue/grey Word template.
- The only file attachments that I saw today were .DOC files - no PDFs.
- All of the Word document files that I saw were actual Word documents - no XML files.
- All Word document files from this afternoon begin with Acc- or Acc_ (can be all upper or lowercase).
- Late this afternoon, I downloaded two new Emotet .DOC files and they were zipped (indicating they were likely .DOCX).
- Many of the document download URLs are in the form "string-string-string.view".
- There seemed to be very low detection rates of the Word documents by antivirus vendors (McAfee, for sure).
- Here are the IOCs that I either found or collected:
- MALDOC DISTRIBUTION URLS
- DOCUMENT FILE HASHES
- EMOTET PAYLOAD
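As an added example (not from the original notes), a small Python triage helper that encodes the observations above: the three-token ".view" download URL shape, the Acc-/Acc_ attachment name prefix, OLE-vs-ZIP container detection for files named .DOC, and recovery of payload URLs whose "http" was swapped for a nonsense token. The sample values are constructed, and the assumption that the "://" separator survives the substitution is mine, not something the notes state.

```python
import re
from typing import Dict, List

# Shapes recorded in the notes above; the sample values used below are constructed.
# "string-string-string.view" download URLs: three alphanumeric tokens joined by hyphens.
VIEW_URL_RE = re.compile(
    r"^https?://[^/\s]+/(?:[^\s]*?/)?[0-9a-z]+-[0-9a-z]+-[0-9a-z]+\.view$", re.I)
# Attachment names beginning with Acc- or Acc_, in any case.
ACC_NAME_RE = re.compile(r"^acc[-_]", re.I)
# Assumption (mine): the "://" separator survives the nonsense-string swap,
# so whatever precedes it is the replaced scheme and can be dropped.
SCHEME_STRIPPED_RE = re.compile(r"://[^\s\"'<>|]+")

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) is a zip archive

def is_view_style_url(url: str) -> bool:
    return VIEW_URL_RE.match(url) is not None

def has_acc_prefix(filename: str) -> bool:
    return ACC_NAME_RE.match(filename) is not None

def container_type(data: bytes) -> str:
    """Classify a document by magic bytes rather than by its file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"

def recover_urls(textbox_text: str) -> List[str]:
    """Restore 'http' on URLs whose scheme was replaced with a nonsense token."""
    return ["http" + m for m in SCHEME_STRIPPED_RE.findall(textbox_text)]

def triage(filename: str, data: bytes, textbox_text: str) -> Dict[str, object]:
    """Combine the observations into one record for an analyst's review queue."""
    flags: List[str] = []
    if has_acc_prefix(filename):
        flags.append("acc-prefix")
    ctype = container_type(data)
    if filename.lower().endswith(".doc") and ctype == "zip":
        flags.append("zip-under-doc-name")   # the "zipped .DOC" case in the notes
    return {"container": ctype, "urls": recover_urls(textbox_text), "flags": flags}

if __name__ == "__main__":
    # Constructed sample: a .DOC name over a zip container and two scheme-swapped URLs.
    print(triage("Acc_0227.doc", ZIP_MAGIC + b"\x00" * 26,
                 "xq7z://example.test/p1 xq7z://example.invalid/p2"))
```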