Threat Analysis: Word Documents with Embedded Macros Leveraging Emotet Trojan

August 28, 2017 / Jared Myers, Brett Williams

Many customers have recently asked how Carbon Black’s solutions detect macros and droppers (specifically referencing Emotet dropper files). Customers often say that macros and droppers are an ongoing problem in their environments, and most practitioners see them day-to-day.

The analysis covered in this blog focuses on a malicious carrier file (a Word document with embedded macros) that drops the Emotet trojan, which in turn creates and executes additional malware on the system. The technique is fairly simple for attackers to assemble and deploy (typically via email), yet it remains effective and potentially very damaging.

This general approach has been observed in advanced attacks and is also commonly used by less skilled (or less resourced) attackers. Regardless of the ultimate payload or of the attacker’s intentions and skill, in a multi-stage process like the one detailed in this report it is important to catch the attack during its earliest stages.

Having visibility into your endpoints (and understanding what is normal inside your environment) allows practitioners, and the tools that enhance their skills, to detect malicious or suspect actions.

This blog describes the technical details of the attack and then focuses on how tools can be used to catch these and other techniques and malware families. The YARA signature and associated IOCs are provided to help other researchers and practitioners. The Carbon Black product-specific rules and policies are provided in the Carbon Black User Exchange.

Technical Analysis

The metadata for the document analyzed in this article is listed in the table below.  

File Name       : Invoice.doc
File Size       : 70,144 bytes
MD5             : 8991411f6e9d9dd372aff85dda20e89f
SHA1            : dbe34b8c1ed3e4a38ee67b6891dd79cfb169a973
SHA256          : 20ca01986dd741cb475dd0312a424cebb53f1201067938269f2e746fb90d7c2e
Magic           : CDF V2 Document Code page: 1252
Word Metadata
  Create Date   : 2017:08:22 03:15:00
  Modify Date   : 2017:08:22 10:33:00

Document Metadata

At the time this was written the file had a very low coverage score (6/58).

Overview

If the user opens the document, they are presented with an image typical of malicious Word documents that rely on macros to initiate the process. The image (depicted below) instructs the user to enable the document’s content, which is usually required before the macro code can execute.

Document Screenshot


Stage 1

The document has an embedded macro. The image below shows the oledump output (oledump.py -i [path to file]), with the VBA storage and its streams highlighted in red.

Overview of Ole Streams


Viewing stream 9 (oledump.py -s9 -v [path to file]) displays the VBA project root, which declares the VB Attribute name (shown in red).

Overview of VBA Project Root


Viewing stream 8 (oledump.py -s8 -v [path to file]) reveals the actual macro code, an excerpt of which is shown in the image below. The code contains numerous junk instructions and functions (highlighted in red) intended to prevent straightforward analysis of the VBA code.

Overview of Uncompressed Macro


Stage 2

The image below shows the same code with the junk instructions removed and with comments added for easier analysis. Two functions are used; the main one is called from the Sub autoopen() routine in lines 3 through 5.

Relevant VBScript Code


The code first builds two main strings (highlighted in red and blue) by calling the Public function (CYCbzCYCbzCYCbzCYCbzCYCbz) located at line 7. This function retrieves the document’s Custom properties, which are stored as text type entries, each with a Name paired with its corresponding Value.

Each time the function (CYCbzCYCbzCYCbzCYCbzCYCbz) is called, it retrieves the Value for the Name passed to it (the first call, at line 12, passes the name AGFvfLAGFvfLAGFvfLAGFvfLAGFvfL). The retrieved values are concatenated to form a string which, had it appeared in the clear rather than obfuscated in this way, could be deemed suspicious. The strings “wscript.shell” and “powershell -e” are the results of these instructions. The image below shows the document’s Custom properties section, with some of the relevant string values highlighted in red. The Custom properties section also contains junk name and value pairs that the VBA code never references.

Document Custom properties


Once the VBA code has built the strings referenced above, it retrieves the contents of the Comments value from the document’s properties (highlighted in green in the image below).

Relevant VBScript Code


The data in the Comments section is a base64 encoded string, which is concatenated with the previously created “powershell -e” string. The encoded string is shown in the two images below: the left image is how it appears in the properties dialog box, and the right image is an excerpt of the same data in a hex editor. The encoded string and the previously created strings are then used in a command that creates a COM object (highlighted in yellow).

embedded Comments section


The resulting command runs PowerShell, which decodes the string in memory. The COM object is created and invoked using the string shown below. Note that the second argument to Run, the 0 flag (highlighted in red), hides the window of the executed command, so it is not visible to the user.

CreateObject(wscript.shell).Run(powershell -e [base64 encoded Comments String], 0)

Stage 3

The base64 encoded Comments string can be decoded; the result is shown in the image below. This string is also obfuscated to make analysis more difficult.

Base64 decoded Script Code


The image below shows the same code cleaned up for easier analysis. You can clearly see where the PowerShell command creates several objects and then attempts to download a file from one of five URLs. The downloaded file is saved to the current user’s Temporary Files (Temp) path under a pseudorandom numeric file name (a value between 1 and 65536) and then executed.

Deobfuscated Script Code


At the time this analysis was written, only three of the five URLs would resolve. In all three cases the same file was downloaded. The metadata for that file is listed in the table below. The file’s coverage increased from 13/64 on August 22 (when this campaign began) to 35/64 on August 23.
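As an added example (not part of the original post or of Carbon Black’s tooling), the Python below performs the Stage 3 decoding step on a constructed sample. It locates the encoded blob with the same pattern the YARA rule’s $base string uses: the JAB7 prefix is the base64 of the UTF-16LE bytes for “${”, which is the form powershell -e expects. It then decodes the blob and pulls out URLs and a few cmdlet or method names for triage. The sample command, the filler bytes around it and the indicator name list are assumptions constructed for this example, not values taken from the analysed document.

```python
"""Triage helper for the Stage 3 decoding step: find `powershell -e` style
base64 inside document bytes, decode it, and extract review-worthy items.

The sample input below is constructed for this example; it is not the
real Comments field from the analysed document.
"""
import base64
import re
from typing import Dict, List

# Same pattern as the YARA $base string: "JAB7" is base64 for the UTF-16LE
# bytes of "${" (0x24 0x00 0x7B), followed by a long run of base64 characters
# and optional padding. `powershell -e` takes exactly this UTF-16LE/base64 form.
ENCODED_RE = re.compile(rb"JAB7\w{100,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.IGNORECASE)

# Names worth a second look in a decoded script (assumed list for this
# example; the post does not quote the deobfuscated script's cmdlets).
INTERESTING = (
    "Net.WebClient", "DownloadFile", "Start-Process", "Invoke-Expression",
    "Invoke-Item", "GetTempPath", "Get-Random",
)


def encode_for_powershell(command: str) -> bytes:
    """UTF-16LE then base64: the encoding `powershell -e` expects."""
    return base64.b64encode(command.encode("utf-16-le"))


def find_encoded_commands(data: bytes) -> List[str]:
    """Return every encoded PowerShell command in `data`, decoded to text."""
    commands: List[str] = []
    for match in ENCODED_RE.finditer(data):
        token = match.group(0)
        # Restore padding if the blob was truncated or stripped of '='.
        token += b"=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(token)
            commands.append(raw.decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            # Not a valid UTF-16LE PowerShell blob; keep scanning.
            continue
    return commands


def triage(command: str) -> Dict[str, List[str]]:
    """Pull out URLs and notable names from a decoded command."""
    lowered = command.lower()
    return {
        "urls": URL_RE.findall(command),
        "indicators": [name for name in INTERESTING if name.lower() in lowered],
    }


# Constructed, benign stand-in for the encoded Comments value. It starts
# with "${" so it produces the same "JAB7" prefix the dropper's blob has.
SAMPLE_COMMAND = (
    "${n} = Get-Random -Minimum 1 -Maximum 65536; "
    "Write-Output ('constructed sample, not the real payload ' + ${n}); "
    "Write-Output 'http://example.invalid/placeholder/'"
)
# Filler on both sides stands in for the surrounding property-stream bytes.
SAMPLE_COMMENTS = (
    b"junk property filler " + encode_for_powershell(SAMPLE_COMMAND) + b" trailing filler"
)

if __name__ == "__main__":
    for decoded in find_encoded_commands(SAMPLE_COMMENTS):
        print(decoded)
        print(triage(decoded))
```

The same functions can be run over the raw bytes of a suspect .doc file, since the Comments property is stored as 8-bit text and the base64 blob therefore appears verbatim in the file.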

File Name       : SecondStage_Payload
File Size       : 98,304 bytes
MD5             : d055979805304e7db6b25d92fba54b4a
SHA1            : 74e28e34eac0b8d7da572dd54b695be8700c38c7
SHA256          : 9efc9f2afa2f2cd1a598f1197d565e17aeb6eb94665c4a5b126343f1d5fad151
Compiled Time   : Tue Aug 22 06:30:34 2017 UTC
PE Sections (9) : Name       Size       MD5
                  .text      12,288     158674fbd1540164a934c19515caa0b8
                  .rdata     4,096      5080d832145c8f8e44d82a2cbe579201
                  .data      4,096      2f0d1c80ba98cf69853b725116214431
                  iAvLAJGn   16,384     148de63e185c745bfdf8f154a4cd39ef
                  xE         20,480     8f5a2c9b4ec5864f63f19d65e4ad76af
                  DKwPCAj    12,288     1c54d77c4f4f01270767cb211f0b0091
                  +F+|O      8,192      bb0a09862916b69fe8cb9101adc5e431
                  oQ         12,288     6c873ae6f2459aed6301d63e925ca453
                  .rsrc      4,096      5587e5245e9c2e872e6b54a52ba74bdb
Magic           : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

This second stage payload is an Emotet variant and will ultimately download additional implants onto the infected system. Because Emotet variants have been documented many times, it will not be analyzed further in this article. It should be noted that while Emotet was used in this scenario, the second stage payload could have been any malware family. Security practitioners should strive to detect and stop malicious actions before this phase of the attack, as the malware families used in attacks are constantly being created and evolving.

IOCs

Carrier Word Document

MD5     8991411f6e9d9dd372aff85dda20e89f
SHA1    dbe34b8c1ed3e4a38ee67b6891dd79cfb169a973
SHA256  20ca01986dd741cb475dd0312a424cebb53f1201067938269f2e746fb90d7c2e

Second Stage Payload

MD5     d055979805304e7db6b25d92fba54b4a
SHA1    74e28e34eac0b8d7da572dd54b695be8700c38c7
SHA256  9efc9f2afa2f2cd1a598f1197d565e17aeb6eb94665c4a5b126343f1d5fad151

Network Indicators

http://natech.com.br/wVZtWN/
http://era.lt/wUGfcJn/
http://omnisrecordings.com/HZKybTQwj/
http://net5.com.au/WZwgR/
http://laguapafilms.com/BVgUGBfots/

YARA Rule


rule Word_Emotet_Dropper_2017Aug : TAU Word Emotet VBA
{
    meta:
        author = "Carbon Black TAU"
        date = "2017-August-22"
        description = "Emotet Word Document Dropper utilizing embedded Comments and Custom Properties Fields"
        yara_version = "3.5.0"
        exemplar_hashes = "20ca01986dd741cb475dd0312a424cebb53f1201067938269f2e746fb90d7c2e, c7cab605153ac4718af23d87c506e46b8f62ee2bc7e7a3e6140210c0aeb83d48, 3ca148e6d17868544170351c7e0dbef38e58de9435a2f33fe174c83ea9a5a7f5"

    strings:
        $signature = {D0 CF 11 E0}        // OLE2 (CDF) compound file header
        $base = /JAB7\w{100,}={0,2}/      // base64 of UTF-16LE "${": the start of a powershell -e argument
        $s1 = "BuiltInDocumentProperties"
        $s2 = "CustomDocumentProperties"
        $s3 = "Run"
        $s4 = "VBA"
        $s6 = "Comments"
        $s7 = "autoopen"
        $s8 = "Module1"
        $s9 = "Picture 1" wide
        $s10 = "JFIF"

    condition:
        $signature at 0 and
        $base in (0x8200..0x9000) and
        8 of ($s*)
}


Related Dropper Variant IOCs


Related Dropper Variant Extracted C2 IOCs


Related Second Stage IOCs
