2023-03-16-IOCs-for-Emotet-E5-activity.txt
2023-03-16 (THURSDAY) - EPOCH 5 ACTIVITY: EMOTET NOW ALSO USING ONENOTE FILES
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1636739251277647874
NOTES:
- As early as Wednesday 2023-03-15 at 21:21 UTC, Emotet's epoch 5 botnet began using OneNote files in its malspam.
- Since the OneNote files appeared, some malspam still uses zip attachments containing inflated Word documents.
- Since the OneNote files appeared, follow-up Emotet DLL files are no longer inflated.
- Emotet DLL files are now well under 1 MB, whether called by script from OneNote files or called by Word macros.
- An infected Windows lab host generated spambot activity on 2023-03-16 starting at approximately 15:28 UTC.
- The following are date/time and attachment type from 10 examples sent by the epoch 5 botnet:
-- 2023-03-15 21:21 UTC - OneNote attachment
-- 2023-03-16 03:09 UTC - OneNote attachment
-- 2023-03-16 03:16 UTC - OneNote attachment
-- 2023-03-16 03:18 UTC - OneNote attachment
-- 2023-03-16 06:54 UTC - OneNote attachment
-- 2023-03-16 10:40 UTC - zip attachment
-- 2023-03-16 10:41 UTC - zip attachment
-- 2023-03-16 15:33 UTC - OneNote attachment
-- 2023-03-16 18:24 UTC - zip attachment
-- 2023-03-16 20:08 UTC - zip attachment
DETAILS FOLLOW:
ZIP ARCHIVE FILE SIZES FROM 4 SAMPLES:
- 760,416 bytes - DATA 669635.zip
- 752,279 bytes - Data-16032023.zip
- 774,665 bytes - list-896881.zip
- 758,393 bytes - list_56062576009.zip
ZIP ARCHIVE SHA256 HASHES:
- 341f723772e0975ad98df44453e4d950a0e0a235979886edac27cf1ea43b89c4 DATA 669635.zip
- d628e2677183ff1576207410f0a11b2391d619c31291dd937e0cd6498bca64fa Data-16032023.zip
- fa413a95667abe33091b03b160aae83636b6ed3a97694e05861c1526943a551e list-896881.zip
- 12166599ae7ef34b66e729c21cdefc44cff5d5e2e12a2918c4705505f104329d list_56062576009.zip
EXTRACTED DOC FILE SIZES:
- 558,271,488 bytes - DATA 669635.doc
- 549,882,880 bytes - Data-16032023.doc
- 572,951,552 bytes - list-896881.doc
- 556,174,336 bytes - list_56062576009.doc
EXTRACTED DOC SHA256 HASHES:
- e910711f1172d35fffbd46bb33026df9e563b978e47fcb0fa910fa1df93e96da DATA 669635.doc
- f8d2147adc0c6218797343784493a1252a49d28e4f73f4c38df527a4b69240c4 Data-16032023.doc
- e6e06d8eeddfdb0d2785232274f2548e4a8699043818e1671a4bcdc9fc5cff02 list-896881.doc
- a60bc23b594f47710b80810a00a7e4022a84c20a967612d69c9b0f0f53b9b725 list_56062576009.doc
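The zip and .doc sizes above show the inflation pattern the notes describe: archives under 1 MB that expand to documents of roughly 550 MB. The following is an added example (not part of the original IOC note) that flags this from the size pairs listed above and, for real archives, from the compressed and uncompressed sizes recorded in a zip's central directory via the standard `zipfile` module, so no member has to be extracted. The ratio and minimum-size thresholds are assumptions chosen for illustration.

```python
"""Flag inflated Office documents by archive-to-extracted size ratio.

Added example, not the IOC note's own tooling. The SAMPLES sizes are copied
from the note; INFLATION_RATIO_THRESHOLD and LARGE_DOC_BYTES are assumed
values, not thresholds the note states.
"""
import zipfile
from dataclasses import dataclass

# (zip archive bytes, extracted .doc bytes), copied from the IOC note.
SAMPLES = {
    "DATA 669635.zip": (760_416, 558_271_488),
    "Data-16032023.zip": (752_279, 549_882_880),
    "list-896881.zip": (774_665, 572_951_552),
    "list_56062576009.zip": (758_393, 556_174_336),
}

# Assumed thresholds: a legitimate document rarely shrinks to 1/50th of its
# size under DEFLATE, and the inflated samples are hundreds of MB.
INFLATION_RATIO_THRESHOLD = 50.0
LARGE_DOC_BYTES = 100 * 1024 * 1024


@dataclass
class Finding:
    name: str
    compressed: int
    uncompressed: int
    ratio: float
    inflated: bool


def inflation_ratio(compressed: int, uncompressed: int) -> float:
    """Uncompressed size divided by compressed size."""
    if compressed <= 0:
        raise ValueError("compressed size must be positive")
    return uncompressed / compressed


def assess(name: str, compressed: int, uncompressed: int,
           ratio_threshold: float = INFLATION_RATIO_THRESHOLD,
           min_bytes: int = LARGE_DOC_BYTES) -> Finding:
    """Flag a member as inflated when it is both large and highly compressible."""
    ratio = inflation_ratio(compressed, uncompressed)
    inflated = ratio >= ratio_threshold and uncompressed >= min_bytes
    return Finding(name, compressed, uncompressed, round(ratio, 1), inflated)


def assess_all(samples=SAMPLES):
    """Assess the (archive, extracted) size pairs from the note."""
    return [assess(name, c, u) for name, (c, u) in samples.items()]


def scan_archive(path, ratio_threshold: float = INFLATION_RATIO_THRESHOLD,
                 min_bytes: int = LARGE_DOC_BYTES):
    """Assess every member of a zip from its central-directory sizes only.

    ZipInfo.compress_size and ZipInfo.file_size come from the archive's
    metadata, so nothing is decompressed to disk or memory.
    """
    with zipfile.ZipFile(path) as zf:
        return [assess(info.filename, info.compress_size, info.file_size,
                       ratio_threshold, min_bytes)
                for info in zf.infolist() if not info.is_dir()]


if __name__ == "__main__":
    for f in assess_all():
        print(f"{f.name}: ratio {f.ratio}x, inflated={f.inflated}")
```

Because `scan_archive` reads only the central directory, it is safe to run over quarantined attachments without triggering the large write that extraction would cause; a member whose declared `file_size` is hundreds of times its `compress_size` is worth a closer look before anyone opens it.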
9 URLS GENERATED BY MACROS FROM THE ABOVE WORD DOCS:
- hxxp://7gallery[.]com/Tempur/vowpsy6ObSB7UMui/?024347&c=1
- hxxps://bosny[.]com/aspnet_client/LRYvI7/?024348&c=1
- hxxp://www.dcdestudio[.]com[.]ar/dcd/71ycoQSy/?024347&c=1
- hxxp://erkaradyator[.]com[.]tr/Areas/My5PdKnB/?024347&c=1
- hxxp://li-sa[.]jp/_phpMyAdmin/IWxxPYWM8AI53xYqO4/?024349&c=1
- hxxp://sipo[.]ru/images/UIbyj3q8881cJ/?024347&c=1
- hxxp://walkiria.5v[.]pl/wp-includes/ZWHV38j/?024347&c=1
- hxxp://webthaihosting[.]com/cgi-bin/wnDNU/?024347&c=1
- hxxp://www.snoek-landmeten[.]nl/Wordpress/Oh4CQgV/?024349&c=1
- Note: The 6 digits before &c=1 are randomly generated each time Word macros are enabled.
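Since the 6-digit query token is regenerated on every macro run, an exact-string match on the URLs above will miss the next observation of the same path. The following is an added example (not part of the original IOC note) that refangs the defanged URLs listed above and normalizes away the random token before comparing, so a URL from a proxy log matches on scheme, host and path. The `refang`, `normalize` and `matches` functions and the regular expression are mine.

```python
"""Match proxy-log URLs against the note's macro URLs despite the random token.

Added example, not the IOC note's own tooling. OBSERVED holds the defanged
URLs copied from the note; the normalization rule follows the note's remark
that the 6 digits before &c=1 change on each run.
"""
import re
from urllib.parse import urlsplit

OBSERVED = [
    "hxxp://7gallery[.]com/Tempur/vowpsy6ObSB7UMui/?024347&c=1",
    "hxxps://bosny[.]com/aspnet_client/LRYvI7/?024348&c=1",
    "hxxp://www.dcdestudio[.]com[.]ar/dcd/71ycoQSy/?024347&c=1",
    "hxxp://erkaradyator[.]com[.]tr/Areas/My5PdKnB/?024347&c=1",
    "hxxp://li-sa[.]jp/_phpMyAdmin/IWxxPYWM8AI53xYqO4/?024349&c=1",
    "hxxp://sipo[.]ru/images/UIbyj3q8881cJ/?024347&c=1",
    "hxxp://walkiria.5v[.]pl/wp-includes/ZWHV38j/?024347&c=1",
    "hxxp://webthaihosting[.]com/cgi-bin/wnDNU/?024347&c=1",
    "hxxp://www.snoek-landmeten[.]nl/Wordpress/Oh4CQgV/?024349&c=1",
]

# Query string of the form "<6 digits>&c=1" as described in the note.
_RANDOM_QUERY = re.compile(r"^\d{6}&c=1$")


def refang(url: str) -> str:
    """Turn the note's hxxp:// and [.] defanging back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def normalize(url: str) -> str:
    """Canonical form: lowercase scheme and host, path kept, random token dropped."""
    parts = urlsplit(refang(url))
    query = "" if _RANDOM_QUERY.match(parts.query) else parts.query
    base = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return f"{base}?{query}" if query else base


INDICATORS = frozenset(normalize(u) for u in OBSERVED)


def matches(url: str) -> bool:
    """True if a refanged or live URL matches one of the note's macro URLs."""
    return normalize(url) in INDICATORS


if __name__ == "__main__":
    for u in OBSERVED:
        print(normalize(u))
```

The normalized set keeps the scheme, so an `http://` indicator does not match an `https://` request to the same path; relax that in `normalize` if your logs record only the host and path.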
ONENOTE FILE SIZES FROM 6 SAMPLES:
- 134,140 bytes - Details-3922941.one
- 134,140 bytes - ECLL 16032023.one
- 134,140 bytes - List_1603.one
- 134,140 bytes - Scan_247.one
- 134,140 bytes - details_481978819.one
- 134,140 bytes - report 1219844918.one
ONENOTE SHA256 HASHES:
- f24259e65a935722c36ab36f6e4429a1d0f04c0ac3600e4286cc717acc5b03d7 Details-3922941.one
- 823cb940b33f1d14576de6ab9bf747b3a1632accb0104ba1bdbbb62ae5054f3c ECLL 16032023.one
- 2d2a9278a7ee9c29e8a09d31b217a3ae7e88f2ae48eb44e1a1a4a879653dd126 List_1603.one
- ecba257a646789c31d971efc233267495ac532109e92b064bac0c8e231a27a38 Scan_247.one
- 5d65ab3b6748ba7034dc0588f2d61fa43e7fce7ed5ee6ab533e2f08274bc5d22 details_481978819.one
- 7c4591fd03b73ba6d0ec71a3cf89a04bfb4bd240d359117d96834a83727bdcc2 report 1219844918.one
.WSF EMBEDDED IN EACH OF THE ABOVE .ONE FILES:
- SHA256 hash: af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e
- File size: 63,088 bytes
- File name: click.wsf
- Example of saved file location: C:\Users\user1\AppData\Local\Temp\OneNote\16.0\Exported\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\NT\0\click.wsf
- File description: Script file embedded in OneNote attachments (same SHA256 for all the above .one files)
12 URLS GENERATED BY THE ABOVE .WSF:
- hxxp://1it[.]fit/site_vp/4PwK3s6Bf9K7TEA/
- hxxps://4fly[.]su/search/OfGA/
- hxxp://efirma.sglwebs[.]com/img/2mmLuv7SxhhYFRVn/
- hxxp://hypernite.5v[.]pl/vendor/hvlVMsI9jGafBBTa/
- hxxps://kts[.]group/35ccbf2003/jKgk8/
- hxxp://malli[.]su/img/PXN5J/
- hxxps://olgaperezporro[.]com/js/ExGBiCZdkkw0GBAuHNZ/
- hxxp://semedacara.com[.]br/ava/ahhz/
- hxxp://staging-demo[.]com/public_html/wTG/
- hxxps://thailandcan[.]org/assets/ulRa/
- hxxp://uk-eurodom[.]com/bitrix/9HrzPY66D1F/
- hxxp://www.polarkh-crewing[.]com/aboutus/EUzMzX7yXpP/
EXAMPLE OF AN EMOTET DLL:
- SHA256 hash: aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7
- File size: 307,712 bytes
- File location: hxxp://malli[.]su/img/PXN5J/
- Saved file location: same temp directory as above click.wsf file
- Saved file name: rad00A25.tmp.dll
- File description: 64-bit DLL for Emotet
- Run method: regsvr32.exe [filename]
- Note: File size and hash were different when downloaded from same URL at a later time.
SUCCESSFUL HTTPS TRAFFIC FOR EMOTET C2 ACTIVITY:
- 93.84.115.205 port 7080
- 94.23.45.86 port 4143 <-- sent approx 4 MB of data to infected host immediately before spambot activity
- 103.224.241.74 port 8080
- 115.178.55.22 port 80
- 116.125.120.88 port 443
- 128.199.93.156 port 8080
- 139.196.72.155 port 8080
- 165.22.246.219 port 8080
- 165.227.153.100 port 8080
- 165.227.211.222 port 8080
- 174.138.33.49 port 7080
- 177.39.156.177 port 443
- 178.62.112.199 port 8080
- 186.250.48.5 port 443
- 198.199.70.22 port 8080
CERTIFICATE ISSUER DATA FOR ALL EMOTET HTTPS C2 TRAFFIC:
- id-at-countryName=GB
- id-at-stateOrProvinceName=London
- id-at-localityName=London
- id-at-organizationName=Global Security
- id-at-organizationalUnitName=IT Department
- id-at-commonName=example.com
SPAMBOT ACTIVITY:
- Various IP addresses over TCP ports 25, 465, and 587