spamreports

emotet variant

Nov 27th, 2019
Target: http://sociallysavvyseo.com/PinnacleDynamicServices/l0305/
Filesize: N/A
Completed: 2019-11-28 07:26
Score: 10/10
MD5: N/A
SHA1: N/A
SHA256: N/A
Tags: emotet trojan banker family

Extracted
Family: emotet
rsa_pubkey.plain:
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----
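The key above is the RSA public key embedded in the sample, the one Emotet uses to encrypt the symmetric session key in its C2 traffic; it is shared by samples built from the same botnet configuration, so its modulus is a handy value for clustering. The following is an added example, not part of the sandbox report, that parses the PEM block with the Python standard library only (walking the SubjectPublicKeyInfo DER structure by hand rather than pulling in a third-party crypto package) and reports modulus size and exponent. EMOTET_PUBKEY_PEM is the key copied from the report; the function names are this example's own.

```python
"""Parse the report's rsa_pubkey.plain block with the standard library only.

Added example (not part of the sandbox report). Walks the SubjectPublicKeyInfo
DER encoding by hand and reports modulus size and public exponent.
"""
import base64

# The PEM block exactly as it appears in the report's "Extracted" section.
EMOTET_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _expect(cond: bool, what: str) -> None:
    if not cond:
        raise ValueError(f"unexpected DER structure: {what}")


def parse_rsa_spki(der: bytes) -> dict:
    """Unwrap SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING -> RSAPublicKey."""
    tag, spki, _ = read_tlv(der, 0)
    _expect(tag == 0x30, "outer SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    _expect(tag == 0x30, "AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, _ = read_tlv(alg, 0)
    _expect(oid_tag == 0x06 and oid == RSA_ENCRYPTION_OID, "rsaEncryption OID")
    tag, bitstr, _ = read_tlv(spki, pos)
    _expect(tag == 0x03 and bitstr[0] == 0, "BIT STRING with zero unused bits")
    tag, rsakey, _ = read_tlv(bitstr, 1)
    _expect(tag == 0x30, "RSAPublicKey SEQUENCE")
    tag, n_bytes, pos = read_tlv(rsakey, 0)
    _expect(tag == 0x02, "modulus INTEGER")
    tag, e_bytes, _ = read_tlv(rsakey, pos)
    _expect(tag == 0x02, "exponent INTEGER")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


def describe_key(pem: str = EMOTET_PUBKEY_PEM) -> dict:
    return parse_rsa_spki(pem_to_der(pem))


if __name__ == "__main__":
    info = describe_key()
    print(f"RSA-{info['modulus_bits']} key, e={info['exponent']}")
    print(f"n = {info['modulus']:#x}")
```

The parser only accepts short-form and long-form definite lengths, which is all DER permits, and rejects anything that is not an rsaEncryption SubjectPublicKeyInfo rather than guessing. For this key it reports a 768-bit modulus with e = 65537; storing the modulus (or its hash) next to the C2 list lets you tie later samples back to this configuration even when every IP has changed.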
C2:
104.236.137.72:8080
172.104.233.225:8080
213.189.36.51:8080
85.234.143.94:8080
119.59.124.163:8080
190.146.131.105:8080
186.23.132.93:990
200.113.106.18:80
163.172.40.218:7080
187.190.49.92:443
201.190.133.235:8080
46.28.111.142:7080
104.131.58.132:8080
14.160.93.230:80
201.163.74.202:443
200.124.225.32:80
203.130.0.69:80
181.36.42.205:443
182.48.194.6:8090
87.106.77.40:7080
190.97.30.167:990
91.83.93.124:7080
190.195.129.227:8090
50.28.51.143:8080
189.173.113.67:443
181.231.62.54:80
109.169.86.13:8080
86.42.166.147:80
200.113.106.18:80
186.0.68.43:8443
183.82.97.25:80
96.20.84.254:7080
159.203.204.126:8080
68.183.190.199:8080
201.213.32.59:80
46.101.212.195:8080
186.15.83.52:8080
181.198.203.45:443
62.75.143.100:7080
69.163.33.84:8080
149.62.173.247:8080
88.250.223.190:8080
125.99.61.162:7080
190.186.164.23:80
181.135.153.203:443
178.79.163.131:8080
142.93.114.137:8080
154.120.227.206:8080
181.61.143.177:80
190.16.101.10:80
142.127.57.63:8080
138.68.106.4:7080
68.183.170.114:8080
134.209.214.126:8080
185.86.148.222:8080
186.68.48.204:443
190.102.226.91:80
191.103.76.34:443
91.204.163.19:8090
190.210.184.138:995
200.123.101.90:80
190.38.14.52:80
45.79.95.107:443
5.196.35.138:7080
86.142.102.191:8443
200.58.83.179:80
80.85.87.122:8080
190.4.50.26:80
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
187.230.99.192:443
81.213.215.216:50000
87.118.70.69:8080
186.1.41.111:443
77.55.211.77:8080
139.5.237.27:443
62.75.160.178:8080
51.255.165.160:8080
207.154.204.40:8080
82.196.15.205:8080
190.17.42.79:80
91.205.215.57:7080
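The list above is the Tier-1 C2 set carried in the sample's configuration. As an added example that is not part of the report, the Python below turns a pasted list into a deduplicated set of (ip, port) pairs and scans connection records for exact endpoint matches and for IP-only near misses. C2_EXCERPT is a short excerpt of the list, kept in the doubled row form the paste has so the parser is seen to cope with it; the full list can be dropped in unchanged. LOG_LINES are constructed Zeek conn.log-style rows, not real traffic, and the function names are this example's own.

```python
"""Turn the report's C2 list into a lookup set and scan connection logs for hits.

Added example, not part of the sandbox report. C2_EXCERPT is a verbatim excerpt of
the list above (in the doubled form the paste has); LOG_LINES are constructed
Zeek conn.log-style rows, tab separated:
ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
"""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

C2_EXCERPT = """C2
104.236.137.72:8080

104.236.137.72:8080
172.104.233.225:8080

172.104.233.225:8080
186.23.132.93:990

186.23.132.93:990
200.113.106.18:80

200.113.106.18:80
81.213.215.216:50000

81.213.215.216:50000
200.113.106.18:80

200.113.106.18:80
"""

ENDPOINT_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2_list(text: str) -> Set[Tuple[str, int]]:
    """Extract unique (ip, port) pairs; repeated rows and non-endpoint lines are ignored."""
    endpoints: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        ipaddress.ip_address(ip)  # raises ValueError on an octet above 255
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        endpoints.add((ip, port))
    return endpoints


# Constructed sample rows. Rows 2 and 4 reach a listed endpoint; row 3 reaches a listed
# IP on a port this configuration does not use, which is worth a look but is not an
# exact indicator match.
LOG_LINES = [
    "1574926000.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp",
    "1574926001.2\tCabc2\t10.0.0.5\t51001\t104.236.137.72\t8080\ttcp",
    "1574926002.3\tCabc3\t10.0.0.7\t51002\t200.113.106.18\t443\ttcp",
    "1574926003.4\tCabc4\t10.0.0.7\t51003\t81.213.215.216\t50000\ttcp",
]


def scan_conn_log(lines: Iterable[str], c2: Set[Tuple[str, int]]):
    """Yield (uid, src, dst, dport, kind); kind is 'exact' or 'ip-only'."""
    c2_ips = {ip for ip, _ in c2}
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue
        uid, src, dst, dport = fields[1], fields[2], fields[4], int(fields[5])
        if (dst, dport) in c2:
            yield uid, src, dst, dport, "exact"
        elif dst in c2_ips:
            yield uid, src, dst, dport, "ip-only"


def find_hits(lines=LOG_LINES, text=C2_EXCERPT) -> List[Tuple[str, str, str, int, str]]:
    return list(scan_conn_log(lines, parse_c2_list(text)))


if __name__ == "__main__":
    print(f"{len(parse_c2_list(C2_EXCERPT))} unique C2 endpoints parsed")
    for uid, src, dst, dport, kind in find_hits():
        print(f"{kind:8} {uid} {src} -> {dst}:{dport}")
```

Match on the ip:port pair rather than the bare address: the same host can appear with different ports across Emotet configurations, and much of the Tier-1 layer sat on compromised third-party servers, so a bare-IP block list dated November 2019 ages badly. Keep the report date with the indicators and treat the ip-only hits as leads to verify, not as detections.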
Signatures

MITRE ATT&CK tactics: Defense Evasion, Discovery

Emotet Sync
  Process: 5m15va2u.exe
  Reported IOC (5m15va2u.exe):
    Global\E64D5799F Event created

emotet family

Executes dropped EXE
  Processes: 5m15va2u.exe, 5m15va2u.exe, publishrun.exe, publishrun.exe

Drops file in system dir
  Processes: 5m15va2u.exe, publishrun.exe, BITS
  Reported IOC (5m15va2u.exe):
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe => C:\Windows\SysWOW64\publishrun.exe File renamed
  Reported IOC (publishrun.exe):
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 File opened for modification
  Reported IOC (BITS):
    C:\Windows\Debug\ESE.TXT File opened for modification
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File opened for modification
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File created
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File opened for modification
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File created

Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  Matched TTPs: Modify Registry
  Reported IOC (iexplore.exe):
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9481EFA-11A7-11EA-BD7F-7E4C806F89F5} = "0" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4c6bfe76f785d501 Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{DC68F301-9B19-460B-8764-4AEFEDC09458}" Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2117655513" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30778804" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2117655513" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30778804" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000006081ca07a5e399d1b4e4b78dfbd4924e6d3507a060ec9b9f45e22bfdf50762dc000000000e80000000020000200000008c0bc621bea003c1202f1c75e982c82fa309e0da75c2076d196de75928ebf9dd20000000dad8b1beaea3d6c337b3ef560fbb50eeb0840c01fa9a0f045c0a4f7ef126a85e40000000f45a60ef2b1fa5479e5aea74af7689674c3821ba4c9ccf5afdcd49f741cf68f8087462c66412dc4487d3b382c86fbf6f2b9107ab31bc90aa8ea62aae44dab45e Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a068a980b4a5d501 Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa0000000002000000000010660000000100002000000036979b423d8c76e46a014084fb70004a8286ee8959cce924485e81541bfcf5e6000000000e80000000020000200000004bb33414b9c4300c196cbf64f191f3e9bbaf7998d7c23c1c26e260aee83e60b3200000004117ea07607b4ce213f050e3fb1f2c1e21cc394eb7e35dcdfc5e6541c25d26f74000000060d84076b49c61608e6f0daf54b79dab511cda20fc005e1543e2c9bb2909dcdd3d14793429a6cdb00bbfafa0f9369a808875e94c83d7a6519c20a2dcab3f3086 Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a7c380b4a5d501 Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 Set value (data)
  Reported IOC (IEXPLORE.EXE):
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2146718552" Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30778804" Set value (int)

Suspicious use of WriteProcessMemory
  Processes: iexplore.exe, SppExtComObj.exe, 5m15va2u.exe, publishrun.exe
  Reported IOC (iexplore.exe):
    PID 4928 wrote to memory of 4980
    PID 4928 wrote to memory of 4536
  Reported IOC (SppExtComObj.exe):
    PID 64 wrote to memory of 2012
  Reported IOC (5m15va2u.exe):
    PID 4536 wrote to memory of 4580
  Reported IOC (publishrun.exe):
    PID 4712 wrote to memory of 4680

Uses Task Scheduler COM API
  Process: iexplore.exe
  Matched TTPs: Query Registry
  Reported IOC (iexplore.exe):
    \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Key opened
    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Key queried
    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened

Suspicious behavior: EmotetMutantsSpam
  Processes: 5m15va2u.exe, publishrun.exe

Windows security modification
  Process: wscsvc
  Matched TTPs: Disabling Security Tools, Modify Registry
  Reported IOC (wscsvc):
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int)
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" Set value (int)

Uses Volume Shadow Copy WMI provider
  Process: iexplore.exe
  Reported IOC (iexplore.exe):
    \Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} Key opened
    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} Key queried
    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened

Uses Volume Shadow Copy Service COM API
  Process: iexplore.exe
  Reported IOC (iexplore.exe):
    \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} Key opened
    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} Key queried
    \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened

Checks system information in the registry (likely anti-VM)
  Process: DoSvc
  Matched TTPs: Query Registry, System Information Discovery
  Reported IOC (DoSvc):
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried

Suspicious use of SetWindowsHookEx
  Processes: iexplore.exe, IEXPLORE.EXE, 5m15va2u.exe, 5m15va2u.exe, publishrun.exe, publishrun.exe

Suspicious use of FindShellTrayWindow
  Process: iexplore.exe

Suspicious behavior: EnumeratesProcesses
  Process: publishrun.exe
Processes

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://sociallysavvyseo.com/PinnacleDynamicServices/l0305/
  PID: 4928

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe"
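The durable signal in the signatures above is the staging sequence: a binary run from the user's INetCache directory (5m15va2u.exe) renames itself into C:\Windows\SysWOW64\ under a new name (publishrun.exe), and that renamed copy then executes. Both filenames and the Global\E64D5799F event name are generated per infection, so they are poor static indicators, and several of the other signatures (the Internet Explorer registry writes, the Security Center cval toggle by wscsvc, the SystemManufacturer query by DoSvc) are attributed to Windows components rather than to the dropped binary and carry little hunting value. The Python below is an added example, not part of the report, that matches the sequence itself: an executable started from a user-writable cache or temp path writing an .exe into System32 or SysWOW64, followed by a process start from that new path. EVENTS are constructed Sysmon-style records (EventID 1 = process create, 11 = file create) modelled on the paths in the report; the PIDs and the benign rows are made up, and the regexes and function names are this example's own.

```python
"""Behavioral hunt for the staging sequence in the report's file and process IOCs.

Added example, not from the sandbox report. Flags an executable running from a
user-writable cache/temp path that writes an .exe into a system directory, and
any later process start from that staged path. EVENTS are constructed
Sysmon-style records (EventID 1 = process create, 11 = file create).
"""
import re
from typing import Dict, List, Tuple

# Locations a browser download or first-stage dropper typically runs from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\(microsoft\\windows\\inetcache|temp)\\", re.I)
# Executables written straight into the system directories.
SYSTEM_DIR_EXE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\.exe$", re.I)

# Paths taken from the report; PIDs below are constructed.
INETCACHE_EXE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe"
STAGED_EXE = r"C:\Windows\SysWOW64\publishrun.exe"

EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 4928, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4536, "Image": INETCACHE_EXE,
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 11, "ProcessId": 4536, "Image": INETCACHE_EXE, "TargetFilename": STAGED_EXE},
    {"EventID": 1, "ProcessId": 4712, "Image": STAGED_EXE, "ParentImage": INETCACHE_EXE},
    # Benign noise: an installer in Temp writing its own log, and a normal service start.
    {"EventID": 11, "ProcessId": 5100, "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def find_staging(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (finding, source_image, target_path) tuples in observation order."""
    staged: Dict[str, str] = {}  # lower-cased system-dir path -> image that wrote it
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventID"] == 11:
            target = ev.get("TargetFilename", "")
            if USER_WRITABLE.match(image) and SYSTEM_DIR_EXE.match(target):
                staged[target.lower()] = image
                findings.append(("write_to_system_dir", image, target))
        elif ev["EventID"] == 1 and image.lower() in staged:
            findings.append(("staged_binary_executed", staged[image.lower()], image))
    return findings


if __name__ == "__main__":
    for kind, source, target in find_staging(EVENTS):
        print(f"{kind}: {source} -> {target}")
```

The second finding is the one worth paging on: a freshly written binary in SysWOW64 starting up, with the cache-resident dropper as its parent, is the moment the sample goes from "downloaded" to "installed". Writing an .exe into a system directory from a low-privilege path should also be rare enough on a workstation that the first finding alone justifies pulling the file for the hash and key comparison described above.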