Add files via upload

2022-02-07-IOCs-for-BazarLoader-with-Cobalt-Strike.txt

@@ -0,0 +1,54 @@
+2022-02-07 (MONDAY) - BAZARLOADER INFECTION WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1491062537181609985
+
+INFECTION CHAIN:
+
+- email --> OneDrive link --> downloaded .iso file --> double-click (mount) .iso file --> double-click Windows shortcut --> BazarLoader infection --> Bazar C2 --> Cobalt Strike
+
+EXAMPLE OF ONEDRIVE LINK:
+
+- hxxp://1drv[.]ms/u/s!AoKLsbl6G4QIgQiYSBQ37JfA8_fl?e=ecg04E
+
+- NOTE: The above OneDrive link was taken down by Microsoft shortly after it was reported as malicious
+
+DOWNLOADED ISO FILE:
+
+- SHA256 hash: 0900b4eb02bdcaefd21df169d21794c8c70bfbc68b2f0612861fcabc82f28149
+- File size: 307,200 bytes
+- File name: docs_1309.iso
+
+CONTENTS OF ISO FILE:
+
+- SHA256 hash: 303be66bb8f026a9153b749eff2446fe5a0f9f75c52c49af84210187d257f2de
+- File size: 1,385 bytes
+- File name: Attachments.lnk
+- File type: MS Windows shortcut
+- Shortcut: C:\Windows\System32\rundll32.exe documents.log,vspa
+
+- SHA256 hash: 8a09d53d9663eda55e91e4803a5222be9b3b0c804173b6a918d13c35ad1d0134
+- File size: 253,440 bytes
+- File name: documents.log
+- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
+- Run method: rundll32.exe [filename],vspa
+
+BAZAR C2 TRAFFIC:
+
+- 5.182.207.28 port 443 - hxxps://5.182.207[.]28/data/service
+- 198.252.108.16 port 443 - hxxps://198.252.108[.]16/data/service
+- 80.71.158.142 port 443 - attempted TCP connections
+- 84.32.188.136 port 443 - hxxps://84.32.188[.]136/data/service
+
+COBALT STRIKE BINARY:
+
+- SHA256 hash: 12f7f6b7e1840a15e141abadf099efa435a608afb19176816f131f5172bd7cd2
+- File size: 98,712 bytes
+- File location: C:\Users\[username]\AppData\Local\Temp\BEB2.dll
+- File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
+- Run method: regsvr32.exe [filename]
+
+COBALT STRIKE C2 TRAFFIC:
+
+- 23.82.141[.]117 port 443 ? zoroxeku[.]com - HTTPS traffic

2022-02-10-IOCs-for-Emotet-epoch5-infection-with-Cobalt-Strike.txt

@@ -0,0 +1,96 @@
+2022-02-10 (THURSDAY) - EMOTET EPOCH 5 INFECTION WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1492160514109149193
+
+INFECTION CHAIN:
+
+- email --> password-protected zip attachment --> Excel file --> enable macros --> Emotet --> Cobalt Strike
+
+HEADER INFO FROM EPOCH 5 EMAIL DISTRIBUTING EMOTET:
+
+- Received: from mail.mailer-esb.com (unknown [147.139.201[.]229])
+- Date: Thu, 10 Feb 2022 10:07:45 +0800
+- From: "<[spoofed sender name]> [spoofed sender email address]" <[email protected]>
+- To: "[recipient's name]" <[recipient's email address]>
+- Subject: Fwd: [recipient's email address]
+
+PASSWORD-PROTECTED ZIP ARCHIVE ATTACHED TO EMAIL:
+
+- SHA256 hash: efe6b82a4471523df12673f47e318aae2e2c49ce096769638d172952c996f76f
+- File size: 83,477 bytes
+- File name: Data_57592.zip
+- File type: Zip archive data, at least v5.1 to extract
+- File description: password-protected zip archive attached to epoch 5 email
+- Password for zip archive: 980
+
+EXTRACTED EXCEL FILE WITH MALCIOUS MACRO CODE:
+
+- SHA256 hash: e73b86fc2b4e93f2808c6e634a4e513a551f42ecbd927f3507d83cd0c1e94ed4
+- File size: 141,312 bytes
+- File name: Data_57592.xls
+- File type: Composite Document File V2 Document, Little Endian, 
+Os: Windows, Version 6.2, Code page: 1251, Author: User, 
+Last Saved By: 1, Name of Creating Application: Microsoft Excel, 
+Create Time/Date: Wed Feb  9 09:48:26 2022, 
+Last Saved Time/Date: Wed Feb  9 16:14:48 2022, Security: 0
+
+BATCH AND VBS FILES DROPPED AFTER ENABLING MACROS FROM EXCEL FILE:
+
+- SHA256 hash: 9e9915a1e009b7a9283629e5a1a66604915030b445c1f266914955299563473e
+- File size: 3,751 bytes
+- File location: C:\ProgramData\bhnasleil.bat
+
+- SHA256 hash: 5c3d66e2d33dfb51c691010af5d0a87250aa475235b537a336c607ade93a881a
+- File size: 604 bytes
+- File location: C:\ProgramData\oue4hjld.vbs
+
+EMOTET DLL:
+
+- SHA256 hash: 0199a072fee39255eb3767466ed0d5ef857850abd391b9a697ef00ec36a71315
+- File size: 476,672 bytes
+- File location: hxxp://tempral[.]com/NATE_05_22_2009/BI710N4cQ6R3/
+- File location: C:\ProgramData\vxcjkfhd.dll
+- File location: C:\Users\[username]\AppData\Local\Meajrcbavloy\npuf.vya
+- File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
+- Run method: rundll32.exe [filename],DllRegisterServer
+- Note: Seems like any string can be used for the entry point with rundll32.exe
+- Scheduled task: rundll32.exe [file path],PpNQIIzq
+
+COBALT STRIKE EXE:
+
+- SHA256 hash: 64239ecd16c558e4a927742071f6931878ab6d6ad08ab3a724257172060c31fe
+- File size: 101,376 bytes
+- File location: C:\Users\[username]\AppData\Local\Meajrcbavloy\yohyvbg.exe
+- File type: PE32+ executable (GUI) x86-64, for MS Windows
+
+URLS HOSTING EMOTET EPOCH 5 DLL:
+
+- hxxp://midnightsilvercrafters[.]com/store/wBjNOUw/
+- hxxp://tempral[.]com/NATE_05_22_2009/BI710N4cQ6R3/
+- hxxps://redington.karmatechmediaworks[.]com/wp-content/3JVuVx7QUM/
+- hxxps://uhc.karmatechmediaworks[.]com/wp-content/0EqfdeznntlOpaIP2Qv/
+- hxxps://servilogic[.]net/b/14hqrdyP0Z3WsbQib8/
+- hxxps://comezmuhendislik[.]com/ljfrmm/VTpHRFWoORAHnRQ3aQL/
+- hxxp://webmail.glemedical[.]com/wp-content/J1M2xxodH/
+- hxxp://toto.karmatechmediaworks[.]com/wp-content/i826vbcVgRJ/
+- hxxps://golfpia.karmatechmediaworks[.]com/wp-content/oEicpDnEkk/
+- hxxps://fortiuspharma[.]com/y6krss/EGm347cqj5/
+- hxxps://garyjharris[.]com/cgi-bin/0hH/
+- hxxps://vietnam.karmatechmediaworks[.]com/wp-content/PfSVQagusZy7AaMw/
+- hxxps://vinculinc.karmatechmediaworks[.]com/wp-content/VlcOPPwgidWlXDJNs6/
+
+EMOTET C2 TRAFFIC:
+
+- 198.199.126[.]144 port 443 - attempted TCP connection, no response from the server
+- 103.42.57[.]17 port 8080 - attempted TCP connection, no response from the server
+- 195.154.146[.]35 port 443 - attempted TCP connection, no response from the server
+- 104.131.62[.]48 port 8080 - attempted TCP connection, no response from the server
+
+- 116.124.128[.]206 port 8080 - HTTPS traffic
+- 180.250.21[.]2 port 443 - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 172.93.201[.]64 port 443 - ledikexive[.]com - HTTPS traffic

2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt

@@ -0,0 +1,61 @@
+2022-02-17 (THURSDAY) - WINDOWS INFECTION ACTIVITY FROM BRAZIL-TARGETED MALSPAM
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1496172957726560257
+
+EMAIL HEADERS:
+
+Received: from thiag77940[.]vds (mail01.nota-comercio.com [195.28.183[.]90])
+	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
+	(No client certificate requested)
+	by [recipient's mail server] (Postfix) with ESMTPS id 4JzGT109qhz3wZQ
+	for <[recipient's email address]>; Wed, 16 Feb 2022 11:49:03 +0000 (UTC)
+Received: by thiag77940[.]vds (Postfix, from userid 0)
+	id 9A0DC7EA80; Wed, 16 Feb 2022 11:48:38 +0000 (UTC)
+Subject: Arquivo NF-e - Pedido N (46512154)
+From: [email protected]
+Message-Id: <20220216114838.9A0DC7EA80@thiag77940[.]vds>
+Date: Wed, 16 Feb 2022 11:48:38 +0000 (UTC)
+
+LINK FROM THE EMAIL:
+
+- hxxp://nfe5.doomdns[.]org/
+
+TRAFFIC FROM AN INFECTED WINDOWS HOST:
+
+- 20.77.245[.]61 port 80 - nfe5.doomdns[.]org - GET /
+- 20.77.245[.]61 port 80 - download2.go.dyndns[.]org - GET /5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_/
+- 20.77.245[.]61 port 80 - nfe6.dyndns[.]ws - GET /Nota.zip
+- 52.161.99[.]171 port 80 - plugtree.duckdns[.]org - GET /libwinpthread-1.css
+- 20.77.245[.]61 port 80 - clientes.is-saved[.]org - POST /clientes/postUP.php
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: eb5a367f80ee1dd72a5b7ae184dddf6d4b72f2799f0ff8f221b8a79728734264
+- File size: 2,699,362 bytes
+- File location: hxxp://nfe6.dyndns[.]ws/Nota.zip
+- File description: Zip archive downloaded after clicking link in email
+
+- SHA256 hash: 5b84585b8335d7f30f3891ab75d55c9caf67c40499a2297f01ade237d29f012c
+- File size: 2,862,080 bytes
+- File name: GHDJ-87678A-1A.msi
+- File description: MSI file extracted from above zip archive
+
+- SHA256 hash: d76dda172fd4cb6abf1edd258c34bc05eb457a13ecb1e4beeea1fbf7e74ddcf3
+- File size: 18,900,737 bytes
+- File location: hxxp://plugtree.duckdns[.]org/libwinpthread-1.css
+- File description: Zip archive retrieved by above MSI file
+- Note: This zip archive contains files used to run the Pidgin chat client for Windows, along with a malicious DLL run by pidgin.exe
+
+- SHA256 hash: 32e13b3fcf43c37184b5b5eaca2a32ba24342260dea8514b19187f20cc417514
+- File size: 809,772,783 bytes
+- File name: libpurple.dll
+- File description: malicious 32-bit DLL run by pidgin.exe
+
+Note: The above DLL is padded with null bytes at the end of the file. At nearly 810 MB, this malware is too large to submit to Virus Total or other online analysis tools. A carved version with most of the null bytes removed is listed below.
+
+- SHA256 hash: e1ddfe00dd1ada634b965c9e444cbd52fa02770d7dd1c3c31949b5e52fff4049
+- File size: 12,134,400 bytes
+- File description: The above libpurple.dll file with most of the null bytes at the end of the file removed

2022-02-22-IOCs-for-Emotet-epoch4-activity.txt

@@ -0,0 +1,61 @@
+2022-02-22 (TUESDAY) - EMOTET EPOCH 4 INDICATORS
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1496623426538291200
+
+NOTE:
+
+- This is a small set of indicators for Emotet epoch 4 activity on 2022-02-22
+
+SHA256 HASHES FROM 2 EXAMPLES OF PASSWORD-PROTECTED ZIP ATTACHMENT AND EXTRACTED EXCEL FILES: 
+
+- NOTE: zip password: 4vahobk5lzs
+- 2393aa0a0424086dc266fd5b5370f1f7a365f5c70ae33334a4d760cd084e19de  2022-22-02_1239.zip
+- 0ccfb233a6d245f9f626e6f2e320497c44870d23ac070821490de5495ad5978a  2022-22-02_1239.xls
+- 3689034e54b8e8cd72b779daf8e35765f495e46ca0107affd702e1ec731a576b  2022-22-02_1617.zip
+- dfcb4b56f39a4578d47734699e8d24036bee228940fe3f2db3f7ec6876b4fd9e  2022-22-02_1617.xls
+
+SHA256 HASHES FROM 12 EXAMPLES OF ATTACHED EXCEL FILES:
+
+- 258ef1257f5d2f90eeb7b0e1a948e08bfc0e25cc014f86e05df02a344c5eabdf  Barker Cabinets.xls
+- 2b87f525b90d47410cb6240f949140ff81d39b467ebe675bffaf2f0b360a16a7  Payment.xls
+- 36ea088ffc747d149aab4ddf89182ce618edb7754b8643e4d9ae69dbabd759c8  ACH Payment info.xls
+- 3dac3ccac97fe026839c988180072987c7fe20d4eacdf76868564480879c2f72  Global Information Technology Inc.xls
+- 52c27e74e1d7a494cda92876fe33c1e397dbc53cf9e5657e4590a9af77f57f3b  1008397229627355965.xls
+- 5813667c73a3ec74cb979c55c19102e819f659bc97d24fa4888b2612c982fff3  HHC774705930DP.xls
+- 69b8ed3cdc49ffc2638df7d3c12e53fc553f12cca769fdc2030ec8f739e3cdc8  PO 02222022.xls
+- 6bf75d05768e1c4417ffa6a98a7154041992b9888e3252983bb6d796a7fb4deb  comments_208697167.xls
+- ba07555c7cb0e846bb693ac3d391b47cad49443bae7dfae2e43e65d70c6eb2d0  OVW-010222 IVLY-220222.xls
+- c9332bc46897abfface9a0a4400475c552c970a180176d2b8e5a18b1635594f1  PA-2241 report.xls
+- d33426fc6cd7365ed49d0c847600e1a73be2630c033601260c63bc4b4aeeeac5  Scott Murdock Trailer Sales.xls
+- f67e201abcb2128d7df61e93171e5a9072a29601047a727acd37b392afda790a  B and C Body Company.xls
+
+SHA256 HASH FOR C:\PROGRAMDATA\BBIWJDF.VBS DROPPED AFTER ENABLING EXCEL MACRO:
+
+- 31cb0d7a224f16ec4e998140c4efde8ef752295b8a88080915f0bb2b49034bee
+
+ABOVE VBS USES THE FOLLOWING URLS TO RETRIEVE AN EMOTET DLL:
+
+- hxxp://wearsweetbomb[.]com/wp-content/15zZybP1EXttxDK4JH/
+- hxxps://1566xueshe[.]com/wp-includes/z92ZVqHH8/
+- hxxp://mymicrogreen.mightcode[.]com/Fox-C/NWssAbNOJDxhs/
+- hxxp://o2omart.co[.]in/infructuose/m4mgt2MeU/
+- hxxp://mtc.joburg.org[.]za/-/GBGJeFxXWlNbABv2/
+- hxxp://www.ama[.]cu/jpr/VVP/
+- hxxp://actividades.laforetlanguages[.]com/wp-admin/dU8Ds/
+- hxxps://dwwmaster[.]com/wp-content/1sR2HfFxQnkWuu/
+- hxxps://edu-media[.]cn/wp-admin/0JAE/
+- hxxps://iacademygroup[.]cl/office/G42LJPLkl/
+- hxxps://znzhou[.]top/mode/0Qb/
+
+SHA256 HASH FOR AN EMOTET DLL AT C:\PROGRAMDATA\OIPHILFJ.DLL:
+
+- b4b5d17481e99f072a5b7c568248579611b91bfc7e6c893ab2a4fd74f2b48414
+
+EMOTET C2 FROM AN INFECTED WINDOWS HOST:
+
+- 134.209.156[.]68:443
+- 144.217.88[.]125:443
+- 156.67.219[.]84:7080
+- 175.107.196[.]192:80

2022-02-22-IOCs-for-Emotet-epoch5-activity.txt

@@ -0,0 +1,50 @@
+2022-02-22 (TUESDAY) - EMOTET EPOCH 5 INDICATORS
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1496623426538291200
+
+NOTE:
+
+- This is a small set of indicators for Emotet epoch 5 activity on 2022-02-22
+
+SHA256 HASHES FROM 5 EXAMPLES OF ATTACHED EXCEL FILES:
+
+- 296694bd1aed4a2e6d1ba06859e978a869dac37d3a7d1d7a1b3ed1f44cbd1979  97-22022022.xls
+- 5bb4f8da9b1de0a2472b752b640c418f851756002b739dc78d1459f04d9af600  Data 4.xls
+- 5bcf051f92d382bee159d249ab6551fcfa4c41573aca4e28ef275694820b6370  479DA-2778.xls
+- 6bf75d05768e1c4417ffa6a98a7154041992b9888e3252983bb6d796a7fb4deb  comments_208697167.xls
+- ecdf22c55102caa1405093b2fb7fdd178f233c39fdd750a123dd1409919ba695  Untitled-0438531018.xls
+
+SHA256 HASH FOR C:\PROGRAMDATA\BBIWJDF.VBS DROPPED AFTER ENABLING EXCEL MACRO:
+
+- 555c1a3f0d1ff08f3a45c7558ded360c36b86541eae3ba84eb6b5aaba0c4c661
+
+ABOVE VBS USES THE FOLLOWING URLS TO RETRIEVE AN EMOTET DLL:
+
+- hxxp://boardingschoolsoftware[.]com/backup/VC7WK/
+- hxxp://towardsun[.]net/admin/O29Fja/
+- hxxp://47.244.189[.]73/well-known/cwxgmEZsYIT/
+- hxxp://centrobilinguelospinos[.]com/wp-admin/AivCY/
+- hxxp://qqziyuanwang[.]com/wp-includes/KtXrm5GwJ/
+- hxxps://www.swaong[.]com/b/SVSAPzeDU657xJdmJv/
+- hxxps://trasix[.]com/wp-admin/FzpdyUrlGt/
+- hxxps://marineboyrecords[.]com/font-awesome/t37LOj/
+- hxxps://edgetactical.ritabilisim[.]com/admin/NbjDzEeNJ/
+- hxxp://cairm[.]xyz/backup_1/mQPAhJhpV/
+- hxxp://vrstar-park[.]com/wp-includes/0bAm9feNorwTmVrj/
+- hxxps://panaderialaimperial[.]com/wp-includes/Oi0guE0CQbyBJVg/
+
+SHA256 HASH FOR AN EMOTET DLL AT C:\PROGRAMDATA\OIPHILFJ.DLL:
+
+- a83c22f222be787c8c45ea6eb55b7f07c8c7cba6b5c8233b075bb2472a8f4acb
+
+EMOTET C2 FROM AN INFECTED WINDOWS HOST:
+
+- 27.254.174[.]84:8080
+- 43.229.206[.]214:8080
+- 59.148.253[.]194:443
+- 61.7.231[.]229:443
+- 142.93.76[.]76:7080
+- 168.197.250[.]14:80
+- 180.250.21[.]2:443