- ANALYST NOTES
- Oddly, today I saw no Emotet malspam but I did receive 1 email that I thought was going to be Emotet.
- The email claimed to be a "notification" and the text of the email claimed that the attached file was a bill.
- The email was clumsily worded but that was not unexpected.
- The attachment was named Invoice-JVUIFtl.doc.
- The Word document was using the teal document template that I've seen Emotet using periodically in recent days.
- The document had a few document object artifacts in the upper left as we've also seen lately with Emotet.
- When the VBA macros ran, the result was an attempt to download a file from a payload "trio".
- I still thought it might be Emotet and the threat actors were using a "trio" instead of the usual "payload quintet".
- When I looked more closely at the URLs, however, it was apparent that this was not Emotet.
- The payload URLs were trying to download a file named waterMark.bin.
- A closer look at the PowerShell script shows that the file is then being renamed with a .exe extension and launched.
- X-MS-Exchange-Organization-Originating-Country: RU
- SUBJECTS OBSERVED
- Notification_96793020
- SENDERS OBSERVED
- info@xenompotanpollswecheapp.club
- SENDER IPs OBSERVED
- 193.233.72.177 (Russia)
- DRIDEX PAYLOAD DISTRIBUTION URLS FROM POWERSHELL/VB
- http://vaigacafe.com/app/webroot/assets/images/about/team/waterMark.bin
- http://bienangel.com/bienangel/templates/beez3/html/com_contact/categories/waterMark.bin
- http://85.214.32.153:8080/2tK59px0yrPP49Xp14fRx50c
- WORD DOCUMENT FILE HASH
- 9011d9e0360ee2d29feedfa5a505651a
- DRIDEX EXE FILE HASH
- 0dad665d561bacd1fdc5750f14f1b437
- SUPPORTING EVIDENCE
- https://urlhaus.abuse.ch/url/205806/
- https://urlhaus.abuse.ch/url/205805/
- https://www.virustotal.com/gui/file/2c04c849908e241a87084ca254309fd8a74a8b744928f1a2dc2c081ae241a436/detection
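- Added example (not part of the original analyst notes): a small Python IOC sweep that takes only the indicators listed above (payload URLs, sender IP, sender domain, file hashes) and matches them against constructed proxy, mail-gateway and file-hash log lines. The log line formats, the sample lines themselves, the `Notification_<digits>` subject regex and the "waterMark.bin on an unknown host" heuristic are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the analyst notes above.
PAYLOAD_URLS = [
    "http://vaigacafe.com/app/webroot/assets/images/about/team/waterMark.bin",
    "http://bienangel.com/bienangel/templates/beez3/html/com_contact/categories/waterMark.bin",
    "http://85.214.32.153:8080/2tK59px0yrPP49Xp14fRx50c",
]
SENDER_IPS = {"193.233.72.177"}
SENDER_DOMAINS = {"xenompotanpollswecheapp.club"}
FILE_HASHES = {  # MD5, lower-case
    "9011d9e0360ee2d29feedfa5a505651a": "Word document (MD5)",
    "0dad665d561bacd1fdc5750f14f1b437": "Dridex EXE (MD5)",
}
# Assumption: the observed subject "Notification_96793020" generalises to this pattern.
SUBJECT_RE = re.compile(r"^Notification_\d+$")

# Constructed sample logs (not real telemetry). Formats are assumptions:
#   proxy: "<client_ip> <method> <url> <status>"
#   mail:  "from=<addr> ip=<ip> subject=<text>"
#   hash:  "<md5> <path>"
PROXY_LOG = [
    "10.0.0.25 GET http://example.org/index.html 200",
    "10.0.0.25 GET http://vaigacafe.com/app/webroot/assets/images/about/team/waterMark.bin 404",
    "10.0.0.25 GET http://bienangel.com/bienangel/templates/beez3/html/com_contact/categories/waterMark.bin 200",
    "10.0.0.31 GET http://85.214.32.153/other 200",
    "10.0.0.31 GET http://cdn.example.net/static/waterMark.bin 200",
]
MAIL_LOG = [
    "from=alice@example.org ip=198.51.100.7 subject=Meeting notes",
    "from=info@xenompotanpollswecheapp.club ip=193.233.72.177 subject=Notification_96793020",
    "from=billing@example.com ip=203.0.113.9 subject=Notification_11111111",
]
HASH_LOG = [
    "9011d9e0360ee2d29feedfa5a505651a C:\\Users\\u\\Downloads\\Invoice-JVUIFtl.doc",
    "d41d8cd98f00b204e9800998ecf8427e C:\\Users\\u\\Downloads\\notes.txt",
    "0DAD665D561BACD1FDC5750F14F1B437 C:\\Users\\u\\AppData\\Local\\Temp\\payload.exe",
]


def url_indicators(urls):
    """Split indicator URLs into a host set (netloc keeps the port, so the
    85.214.32.153:8080 entry only matches on that port) and a path set."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.netloc.lower())
        paths.add(p.path)
    return hosts, paths


def scan_proxy_log(lines):
    """Return (line_no, reason, host) for requests to a known payload host, or
    for the payload filename seen on a host not in the list (heuristic)."""
    hosts, _paths = url_indicators(PAYLOAD_URLS)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        p = urlparse(parts[2])
        if p.netloc.lower() in hosts:
            hits.append((n, "known payload host", p.netloc))
        elif p.path.endswith("/waterMark.bin"):
            hits.append((n, "payload filename on unknown host", p.netloc))
    return hits


MAIL_RE = re.compile(r"from=(\S+) ip=(\S+) subject=(.*)")


def scan_mail_log(lines):
    """Return (line_no, [reasons]) for lines matching sender domain, sender IP
    or the subject pattern; a line may match several reasons."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = MAIL_RE.match(line)
        if not m:
            continue
        sender, ip, subject = m.groups()
        reasons = []
        if sender.rsplit("@", 1)[-1].lower() in SENDER_DOMAINS:
            reasons.append("sender domain")
        if ip in SENDER_IPS:
            reasons.append("sender ip")
        if SUBJECT_RE.match(subject.strip()):
            reasons.append("subject pattern")
        if reasons:
            hits.append((n, reasons))
    return hits


def scan_hash_log(lines):
    """Return (line_no, label) for file hashes in the indicator list (case-insensitive)."""
    hits = []
    for n, line in enumerate(lines, 1):
        digest = line.split(None, 1)[0].lower()
        if digest in FILE_HASHES:
            hits.append((n, FILE_HASHES[digest]))
    return hits


if __name__ == "__main__":
    for name, hits in (("proxy", scan_proxy_log(PROXY_LOG)),
                       ("mail", scan_mail_log(MAIL_LOG)),
                       ("hash", scan_hash_log(HASH_LOG))):
        print(name, hits)
```

- The host match is exact on netloc, so the bare-IP request on line 4 of the proxy sample is deliberately not flagged (the indicator is port 8080); loosen that if the environment warrants it. The subject and filename checks are heuristics added here, not indicators from the notes, and will produce false positives on legitimate traffic.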