-
Notifications
You must be signed in to change notification settings - Fork 25
/
2021-01-20-IOCs-from-Emotet-epoch1-infection.txt
74 lines (61 loc) · 3.59 KB
/
2021-01-20-IOCs-from-Emotet-epoch1-infection.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
2021-01-20 (WEDNESDAY) - EMOTET (EPOCH 1 BOTNET) INFECTION ACTIVITY
CHAIN OF EVENTS:
- malspam --> password-protected ZIP archive --> Word doc --> enable macros --> Emotet --> Trickbot and spambot activity
EMAIL HEADERS:
Received: from svrinterweb.ministeriopublico.gob.ni (svrinterweb.ministeriopublico.gob.ni. [200.85.167.254])
by [recipient's mail server] with ESMTPS id v16si557563vsm.41.2021.01.20.07.21.32
for <[recipient's email address]>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 20 Jan 2021 07:21:33 -0800 (PST)
Received: from [10.0.0.15] (unknown [190.166.119.159])
by svrinterweb.ministeriopublico.gob.ni (Postfix) with ESMTPSA id 8A7041984993
for <[recipient's email address]>; Wed, 20 Jan 2021 09:21:24 -0600 (CST)
Date: Wed, 20 Jan 2021 11:21:26 -0400
From: "[spoofed sender name]" <[email protected]>
To: "[Recipient's name]" <[recipient's email address]>
Subject: Re: Re: [subject line info removed]
MIME-Version: 1.0
Attachment filename: AN143221 200121.zip
MALWARE:
- SHA256 hash: 6b7d3ba4c4f52dddaaa9416e03d81f1ce974a10443c1b15f8651aa869d938e58
- File size: 162,304 bytes
- File name: AN143221 200121.zip
- File description: password-protected ZIP archive attached to email
- File note: Password for ZIP attachment is 4432
- SHA256 hash: 1376ccfbd0ddc8fbd523d646b424e2436d96e7a7dbebf71d16ac4e54cef4624d
- File size: 162,304 bytes
- File name: AN143221 200121.doc
- File description: Word doc with macro for Emotet (epoch 1 botnet)
- SHA256 hash: b5abacf24ae5aa96016c09f71a78d0121fff396d6154740eab622c4751e1764f
- File size: 356,696 bytes
- File location: hxxp://senbiaojita[.]com/wp-admin/iDlsc/
- File location: C:\users\[username]\Ijzffo8\Y77J.dll\Y77J.dll
- File location: C:\users\[username]\Local\Aibevs\jbcss.nfg
- File description: malware DLL for Emotet from its epoch 1 botnet
- Run method: rundll32.exe [filename],DUabvWmG
- Run method note: ASCII string for DLL entry point can be any string of characters.
- SHA256 hash: 97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27
- File size: 1,288,944 bytes
- File location: hxxp://149.56.80[.]23/images/picture.png
- File location: C:\Users\[username]\AppData\Roaming\Comboboot7559513311\jbcss.exe
- File description: Trickbot EXE, gtag mor1
- Run method: Scheduled task using launcher.bat to run Trickbot EXE
EMOTET TRAFFIC:
- 125.65.108[.]71 port 80 - senbiaojita[.]com GET /wp-admin/iDlsc/
- 181.10.46[.]92 port 80 - 181.10.46[.]92 - various HTTP POST requests
- 206.189.232[.]2 port 8080 - 206.189.232[.]2:8080 - various HTTP POST requests
- 37.187.195[.]209 port 443 - 37.187.195[.]209:443 - various HTTP POST requests
- 165.22.93[.]5 port 8080 - 165.22.93[.]5:8080 - various HTTP POST requests
- various mail server IP addresses - various SMTP ports - spambot traffic'
- various IP addresses - TCP ports 80, 443, 8080, etc - attempted TCP connections
TRICKBOT TRAFFIC:
- 83.151.14[.]13 port 443 - HTTPS traffic
- 107.191.61[.]39 port 443 - HTTPS traffic
- 195.123.240[.]236 port 447 - HTTPS traffic
- port 443 - ident[.]me - HTTPS traffic (connectivity check by infected windows host)
- 149.56.80[.]23 port 80 - 149.56.80.23 GET /images/picture.png
- 190.106.105[.]50 port 80 - 190.106.105[.]50 - POST /mor1/[ASCII string with host idenfiers]/81/
- 190.152.2[.]86 port 80 - 190.152.2[.]86 - POST /mor1/[ASCII string with host idenfiers]/81/
- 190.106.105[.]50 port 80 - 190.106.105[.]50 - POST /mor1/[ASCII string with host idenfiers]/90
- 190.152.2[.]86 port 80 - 190.152.2[.]86 - POST /mor1/[ASCII string with host idenfiers]/90
- Various IP addresses - TCP ports 443 or 447 - attempted TCP connections