2022-03-03 (THURSDAY) - EMOTET EPOCH 4 INFECTION WITH COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1499836096749969418
EMAIL HEADERS:
- Received: from mbkd5118.ocn.ad[.]jp (mbkd5118.ocn.ad[.]jp [210.163.237[.]19])
- Received: from mf-smf-unw002c1.ocn.ad[.]jp (mf-smf-unw002c1.ocn.ad[.]jp [153.138.219[.]69])
- Received: from ocn-vc-mts-204c1.ocn.ad[.]jp ([125.206.160[.]20])
- Received: from ocn-sdpx-mts-106c1.ocn.ad[.]jp ([211.16.10[.]147])
- Received: from [83.149.169[.]122] (unknown [83.149.169[.]122])
- From: [spoofed sender name] <[email protected][.]jp>
- Subject: RE:
- Message-ID: <[email protected][.]jp>
- Attachment name: Form - Mar 03, 2022.xlsm
EMAIL ATTACHMENT:
- SHA256 hash: a962e9bd50bc35620f3faac38c064389b7bab79eb497ddd84f83bf2e39033e18
- File size: 46,701 bytes
- File name: Form - Mar 03, 2022.xlsm
- File description: Excel file with macro for Emotet epoch 4
URLS GENERATED BY ABOVE EXCEL MACRO CODE FOR EMOTET EPOCH 4 DLL:
- hxxp://piajimenez[.]com/Fox-C/dS4nv3spYd0DZsnwLqov/
- hxxp://inopra[.]com/wp-includes/3zGnQGNCvIKuvrO7T/
- hxxp://biomedicalpharmaegypt[.]com/sapbush/BKEaVq1zoyJssmUoe/
- hxxps://getlivetext[.]com/Pectinacea/AL5FVpjleCW/
- hxxp://janshabd[.]com/Zgye2/
- hxxps://justforanime[.]com/stratose/PonwPXCl/
EMOTET EPOCH 4 DLL:
- SHA256 hash: 0758b3cde229886a039202120cda4485426c56eed3596be75fbce0d38986bf03
- File size: 638,976 bytes
- File location: hxxp://piajimenez[.]com/Fox-C/dS4nv3spYd0DZsnwLqov/
- File location: C:\enu.ocx
- File location: C:\Users\[username]\AppData\Local\Snirakw\pzgi.por
- File description: Windows DLL file for Emotet epoch 4
- Run method: regsvr32.exe /s [filename]
FOLLOW-UP MALWARE (COBALT STRIKE):
- SHA256 hash: 9f968a4a386057575174533e82c2eeb0b39c1875a07b6a8d1a8124962abe11e7
- File size: 673,792 bytes
- File location: C:\Users\[username]\AppData\Local\Snirakw\dehpaxvktbwu.exe
- File description: Windows EXE file for Cobalt Strike
- Post-infection traffic: hxxps://gfsert[.]com/jquery-3.3.1.min.js
- SHA256 hash: 100e1dc124dc6131617b5610ee750e529cda80fcaf0ee5437b3e27db150ee860
- File size: 1,202,176 bytes
- File location: C:\Users\[username]\AppData\Local\Snirakw\rahgobkzm.dll
- File description: Windows DLL file for Cobalt Strike
- Run method: regsvr32.exe /s [filename]
- Post-infection traffic: hxxps://zxerm[.]com/jquery-3.3.1.min.js
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 144.208.73[.]119 port 80 - piajimenez[.]com - GET /Fox-C/dS4nv3spYd0DZsnwLqov/
- 139.180.205[.]161 port 443 - attempted TCP connections
- 209.15.236[.]39 port 8080 - attempted TCP connections
- 195.154.253[.]60 port 8080 - attempted TCP connections
- 217.182.143[.]207 port 443 - HTTPS traffic
- 217.79.180[.]211 port 8080 - HTTPS traffic
- 139.60.160[.]52 port 443 - gfsert[.]com - hxxps://gfsert[.]com/jquery-3.3.1.min.js
- 139.60.161[.]53 port 443 - zxerm[.]com - hxxps://zxerm[.]com/jquery-3.3.1.min.js
- 45.77.212[.]132 port 444 - (formatordpink[.]com) - hxxps://formatordpink[.]com/tab_shop.js
- NOTE: Could not find an associated Cobalt Strike binary for traffic on 45.77.212[.]132 over TCP port 444.