2022-01-09 First Round with Brim Using December’s Malware Traffic Exercise

It has been a long while since I have done any blogging. Since it has been a hot minute since I have done a post I thought that I would take this opportunity to learn something new and expand my tool-belt. So this first step back into the blogging world is going to be about a tool called Brim using the latest malware exercise from Brad found over at his site here and the SANS site here. So let’s start with what Brim is – a tool that helps visualize PCAP data in a different way with WAY faster indexing then Wireshark. It also uses it’s own query language called “Zed” while also using some of the same tools found from the *nix world. The interesting part is how it uses Zeek and it’s nomenclature/syntax as well. There is a great video covering the basics of Brim over on their Github page which you can find here: Brim YouTube.

So here is what the PCAP from the exercise looked like when first moving it into Brim.

Looking at this, it immediately reminded me of looking at Bro/Zeek raw logs since it is just a LOT of information all at one (aka: wall of text). Nice thing is that you can toggle the headers in the Brim app (I have it on auto to help save screen real-estate) which makes the data easier to read. The other nice thing is that you can see where a bulk of the activity is and, if needed, focus during that time frame.

With that being said, I focused on the questions that were asked from this exercise while not relying on Wireshark to look/hunt for the answers. The questions asked were:

- What was the IP address of the infected Windows computer?
- What was the host name of the infected Windows computer?
- What was the user account names from the infected Windows computer? (should be "name" not "names")
- What was the date and time the infection activity began?
- What was the family of malware that caused this infection.

With the initial screen up, I wanted to get an idea of what kind of data I was dealing with and where it was. So I started with the following query to help me understand what paths (in my head I think of these like indexes or perhaps sourcetypes from Splunk).

count() by _path | sort -r

This query let me know what the spread looked like from a data perspective and where I may needed to focus my hunt. The other query that I stumbled across stemmed from the Suricata queries built into Brim. The query used here was very much in the same vein of just getting the lay of the land, but from Suricata’s perspective.

count() by event_type

Seeing that Suricata saw “alerts” in the PCAP, I decided to drill down some here. For that I used the generic query of: alert

Here I saw that there were a mix of event-types between “alerts” and “SSL”. After looking at the SSL event-type, I decided that there was nothing there and that I did not need to focus any more there. So I changed the query to:

event_type=="alert"

to help narrow and focus my hunt. Here is where I started really investigating things since I could easily look at the different Suricata alert signatures triggered on while also easily seeing what the timestamp was for said alert. Considering the amount of data presented, I used this query to quickly help summarize what I was seeing from the above query:

event_type=="alert" | count() by alert.severity,alert.category,alert.signature,alert.signature_id,alert.rev | sort -r count

This query allowed me to summarize/count the data for “alert” since I was counting by the sev level, category, signature, and the signature revision.

This helped me answer the question of what type of malware was used in this infection. In this case, it looks to be Emotet/Dridex.

Switching back to the event_type=="alert" query, and scrolling all the way down to the earliest alert, I saw what looks to be the start of the compromise (between 19:42:00 – 19:43:00 timeframe) along with what I saw above – the family of malware associated with this infection.

I could also tell what the IP address of the compromised system was (10.12.3.66) and that there was a binary file that was seen in the PCAP as well as PoSH being used via the user-agent right before this binary file. Looking at the log detail for the binary that was downloaded:

I decided to take a quick look at where else these malicious IP addresses was seen in the PCAP. The query used for this was 139.59.6.175 which gave me the following information.

Right clicking on one of the hashes and then clicking on the “Virustotal Lookup” option in the pop-up menu lead me to the Virustotal page where the file was classified as “Dridex/Emotet”. The IP address seen with this binary came up clean on Virustotal and several other OSINT sites via Machinae.

********************************************************************************
* Information for 139.59.6.175
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites</code>

[+] IP Whois Results
[-] ASN Information: ('14061', '139[.]59.0.0/20', '1990-06-27', 'apnic', 'SG')
[-] Network Information: ('139[.]59.0.0/20', 'DOIA2-AP', 'Digital Ocean Inc administrator', '139[.]59.0.0 - 139[.]59.15.255')
[-] Registration Info: ('DigitalOcean, LLC', '2020-05-31')
[-] Registration Locality: IN
[-] Abuse Email: abuse@digitalocean[.]com
abuse@digitalocean[.]com
[+] IPVoid Results
[-] Number of detections: 0
[-] IP Void Detection Rate: 0%
[-] No Malc0de Results
[-] No AbuseIPDB Results
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/139.59.6.175
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/139.59.6.175
[+] Fortinet Category Results
[-] Fortinet URL Category: Not Rated
[-] No VirusTotal pDNS Results
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

One of the only places that I was able to find anything was on URLScan.

Looking at some of the other alerts from this query and drilling in, I wanted to first see what IP addresses were associated with each of the Dridex alerts skipping the SMTP ones as Emotet has, historically, used compromised systems to send out malspam which I suspect this is more of the same. So I will circle back to that later.

ET JA3 Hash - [Abuse.ch] Possible Dridex
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 18
ET CNC Feodo Tracker Reported CnC Server group 23

Using the following query I was able to pull these with relative ease:

"ET JA3 Hash - [Abuse.ch] Possible Dridex" | count() by dest_ip,dest_port
"ET CNC Feodo Tracker Reported CnC Server group 17" | count() by dest_ip,dest_port
"ET CNC Feodo Tracker Reported CnC Server group 18" | count() by dest_ip,dest_port
"ET CNC Feodo Tracker Reported CnC Server group 23" | count() by dest_ip,dest_port

Leaving me with the following IP addresses (merged for ease of readability):

CNT - IP : Dest_Port
-------------------
26 - 172.104.227.98 : 443
6 - 163.172.50.82 : 443
18 - 91.207.181.106 : 8080
1 - 51.159.35.157 : 443
1 - 51.75.33.120 : 443
1 - 91.207.181.106 : 8080

Machinae gave me back the following details about these IPs:

********************************************************************************
* Information for 172.104.227.98
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites</code>

[+] IP Whois Results
[-] ASN Information: ('63949', '172[.]104.224.0/19', '2015-06-19', 'arin', 'US')
[-] Network Information: ('172[.]104.0.0/15', 'NET-172-104-0-0-1', 'LINODE-US', '172[.]104.0.0 - 172[.]105.255.255')
[-] Registration Info: ('Linode', '2015-06-19', '2016-12-29')
[-] Registration Locality: ('Philadelphia', 'PA', '19106', 'US')
[-] Abuse Email: abuse@linode[.]com
[-] Tech Email: support@linode[.]com
[+] IPVoid Results
[-] Number of detections: 5
[-] IP Void Detection Rate: 6%
[-] Engines: ('CRDF', '(hXXps)://threatcenter[.]crdf[.]fr/check[.]html')
[-] Engines: ('Feodo Tracker', '(hXXps)://feodotracker[.]abuse[.]ch/')
[-] Engines: ('IPsum', 'hXXps://github[.]com/stamparm/ipsum')
[-] Engines: ('JustSpam_org', '(hXXp)://www[.]justspam[.]org/')
[-] Engines: ('Snapt NovaSense', 'hXXps://novasense-threats[.]com/')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 2
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/172.104.227.98
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/172.104.227.98
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS malicious URLs from VirusTotal: ('2022-01-09', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-08', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-07', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-06', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-05', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-05', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-05', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-03', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2022-01-02', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-29', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-29', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-29', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-28', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-28', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-26', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-25', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-25', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-25', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-25', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-25', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-25', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-24', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-24', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-24', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-24', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-23', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-20', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-20', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-17', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-17', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-14', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-14', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXp://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-13', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-12', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-12', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-12', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-12', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-12', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-12', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-11', 'hXXps://172[.]104.227.98/')
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results
********************************************************************************
* Information for 163.172.50.82
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] IP Whois Results
[-] ASN Information: ('12876', '163[.]172.0.0/16', '1992-02-14', 'ripencc', 'GB')
[-] Network Information: ('163[.]172.0.0/16', 'ONLINE_NET_DEDICATED_SERVERS', '163[.]172.0.0 - 163[.]172.255.255')
[-] Registration Info: ('Dedicated Servers and cloud assignment, abuse reports : (hXXp)://abuse[.]online[.]net', '2015-09-11', '2015-09-16')
[-] Registration Locality: FR
[+] IPVoid Results
[-] Number of detections: 1
[-] IP Void Detection Rate: 1%
[-] Engines: ('CRDF', '(hXXps)://threatcenter[.]crdf[.]fr/check[.]html')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/163.172.50.82
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/163.172.50.82
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS malicious URLs from VirusTotal: ('2021-12-24', 'hXXp://163[.]172.50.82/')
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results
********************************************************************************
* Information for 91.207.181.106
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] IP Whois Results
[-] ASN Information: ('48275', '91[.]207.181.0/24', '2008-10-30', 'ripencc', 'RU')
[-] Network Information: ('91[.]207.180.0/23', 'TSMS-ABKHAZIA-NET', '91[.]207.180.0 - 91[.]207.181.255')
[-] Registration Info: ('Abkhasia, Suhum', '2008-10-30', '2019-04-29')
[-] Registration Locality: RU
[+] IPVoid Results
[-] Number of detections: 5
[-] IP Void Detection Rate: 6%
[-] Engines: ('Barracuda_Reputation_BL', '(hXXp)://www[.]barracudanetworks[.]com/')
[-] Engines: ('CRDF', '(hXXps)://threatcenter[.]crdf[.]fr/check[.]html')
[-] Engines: ('Feodo Tracker', '(hXXps)://feodotracker[.]abuse[.]ch/')
[-] Engines: ('IPsum', 'hXXps://github[.]com/stamparm/ipsum')
[-] Engines: ('Snapt NovaSense', 'hXXps://novasense-threats[.]com/')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/91.207.181.106
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/91.207.181.106
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: ('2022-01-06', 'a[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'admi[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'b[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'c[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'd[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'dev[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'dmarc[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'e[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'f[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'g[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'razarizaru[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'suerside[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'tvip[.]am-a[.]su')
[-] pDNS data from VirusTotal: ('2022-01-06', 'www.klient[.]am-a[.]su')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXps://91[.]207.181.106/')
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXp://91[.]207.181.106/')
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results
********************************************************************************
* Information for 51.159.35.157
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] IP Whois Results
[-] ASN Information: ('12876', '51[.]158.0.0/15', '1993-09-01', 'ripencc', 'FR')
[-] Network Information: ('51[.]159.0.0/16', 'ONLINENET_DEDICATED_SERVERS', '51[.]159.0.0 - 51[.]159.255.255')
[-] Registration Info: ('2018-02-09', '2018-02-28')
[-] Registration Locality: FR
[+] IPVoid Results
[-] Number of detections: 3
[-] IP Void Detection Rate: 3%
[-] Engines: ('CRDF', '(hXXps)://threatcenter[.]crdf[.]fr/check[.]html')
[-] Engines: ('IPsum', 'hXXps://github[.]com/stamparm/ipsum')
[-] Engines: ('Snapt NovaSense', 'hXXps://novasense-threats[.]com/')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/51.159.35.157
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/51.159.35.157
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS malicious URLs from VirusTotal: ('2021-12-15', 'hXXp://51[.]159.35.157/')
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results
********************************************************************************
* Information for 51.75.33.120
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] IP Whois Results
[-] ASN Information: ('16276', '51[.]75.0.0/16', '1993-09-01', 'ripencc', 'FR')
[-] Network Information: ('51[.]75.33.120/29', 'OVH_251937800', '51[.]75.33.120 - 51[.]75.33.127')
[-] Registration Info: ('Failover Ips', '2019-12-26', '2019-12-26')
[-] Registration Locality: PL
[-] Abuse Email: abuse@ovh[.]net
[+] IPVoid Results
[-] Number of detections: 3
[-] IP Void Detection Rate: 3%
[-] Engines: ('CRDF', '(hXXps)://threatcenter[.]crdf[.]fr/check[.]html')
[-] Engines: ('IPsum', 'hXXps://github[.]com/stamparm/ipsum')
[-] Engines: ('Snapt NovaSense', 'hXXps://novasense-threats[.]com/')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/51.75.33.120
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/51.75.33.120
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[!] Error from VirusTotal pDNS: Expecting value: line 1 column 1 (char 0)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results
********************************************************************************
* Information for 91.207.181.106
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] IP Whois Results
[-] ASN Information: ('48275', '91[.]207.181.0/24', '2008-10-30', 'ripencc', 'RU')
[-] Network Information: ('91[.]207.180.0/23', 'TSMS-ABKHAZIA-NET', '91[.]207.180.0 - 91[.]207.181.255')
[-] Registration Info: ('Abkhasia, Suhum', '2008-10-30', '2019-04-29')
[-] Registration Locality: RU
[+] IPVoid Results
[-] Number of detections: 5
[-] IP Void Detection Rate: 6%
[-] Engines: ('Barracuda_Reputation_BL', '(hXXp)://www[.]barracudanetworks[.]com/')
[-] Engines: ('CRDF', '(hXXps)://threatcenter[.]crdf[.]fr/check[.]html')
[-] Engines: ('Feodo Tracker', '(hXXps)://feodotracker[.]abuse[.]ch/')
[-] Engines: ('IPsum', 'hXXps://github[.]com/stamparm/ipsum')
[-] Engines: ('Snapt NovaSense', 'hXXps://novasense-threats[.]com/')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/91.207.181.106
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/91.207.181.106
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[!] Error from VirusTotal pDNS: Expecting value: line 1 column 1 (char 0)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

I pivoted to see what kind of connections had been made to these malicious IP addresses. I did this using the following query:

_path=="conn" conn_state!="REJ" | 172.104.227.98 or 163.172.50.82 or 91.207.181.106 or 51.159.35.157 or 51.75.33.120 or 91.207.181.106

where conn_state!="REJ" excluded anything with the REJ status (see this link from the Zeek doc for more information). That gave me the following:

It was here that I could see how frequent the callouts where from the compromised system and how much data was passed. It also looks like the traffic is either encrypted (TCP/443) or encoded (TCP/8080) so unfortunately I could not see what happened there.

I then pivoted from here to see how many malicious JA3/JA3S hashes were seen based on IP address. Using the query:

_path=="ssl" | count() by id.resp_h,ja3,ja3s | sort -r count

gave me the following list of IPs/hashes:

id.resp_h	ja3	ja3s	count
172.104.227.98	51c64c77e60f3980eea90869b68c58a8	fd4bc6cea4877646ccd62f0792ec0b62	23
91.207.181.106	51c64c77e60f3980eea90869b68c58a8	fd4bc6cea4877646ccd62f0792ec0b62	16
212.227.15.183	37cdab6ff1bd1c195bacb776c5213bf2	265fb1760174263f1728167115d17fe8	10
108.177.122.108	37cdab6ff1bd1c195bacb776c5213bf2	187380bdca925da6fbafacf0d356d2fe	8
81.169.145.133	37cdab6ff1bd1c195bacb776c5213bf2	e54965894d6b45ecb4323c7ea3d6c115	7
194.25.134.114	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	6
173.247.253.179	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	5
202.53.169.50	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	4
108.177.122.108	37cdab6ff1bd1c195bacb776c5213bf2	2b341b88c742e940cfb485ce7d93dde7	4
213.165.67.113	37cdab6ff1bd1c195bacb776c5213bf2	265fb1760174263f1728167115d17fe8	4
172.104.227.98	51c64c77e60f3980eea90869b68c58a8	ec74a5c51106f0419184d0dd08fb05bc	3
163.172.50.82	51c64c77e60f3980eea90869b68c58a8	fd4bc6cea4877646ccd62f0792ec0b62	3
204.79.197.200	6271f898ce5be7dd52b0fc260d0662b3	fbe594b39bb5d9c53aa4f6caf8d2950c	3
80.67.29.4	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	3
64.233.177.16	37cdab6ff1bd1c195bacb776c5213bf2	2b341b88c742e940cfb485ce7d93dde7	3
118.69.221.62	37cdab6ff1bd1c195bacb776c5213bf2	ae4edc6faf64d08308082ad26be60767	3
163.172.50.82	51c64c77e60f3980eea90869b68c58a8	ec74a5c51106f0419184d0dd08fb05bc	3
74.208.5.15	37cdab6ff1bd1c195bacb776c5213bf2	265fb1760174263f1728167115d17fe8	3
212.227.17.168	37cdab6ff1bd1c195bacb776c5213bf2	265fb1760174263f1728167115d17fe8	2
108.167.153.167	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	2
199.79.63.117	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	2
194.25.134.46	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	2
192.185.169.164	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	2
195.4.92.213	37cdab6ff1bd1c195bacb776c5213bf2	7c77dc02a42c4259b2f00e282bf3f89d	2
91.207.181.106	51c64c77e60f3980eea90869b68c58a8	ec74a5c51106f0419184d0dd08fb05bc	2
74.220.199.65	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	2
184.168.200.246	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	2
213.46.255.64	37cdab6ff1bd1c195bacb776c5213bf2	76c691f46143bf86e2d1bb73c6187767	2
2.207.150.234	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	2
213.165.67.124	37cdab6ff1bd1c195bacb776c5213bf2	265fb1760174263f1728167115d17fe8	2
208.91.199.15	37cdab6ff1bd1c195bacb776c5213bf2	649d6810e8392f63dc311eecb6b7098b	1
118.23.155.30	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
194.150.248.156	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
74.220.206.23	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
171.25.222.37	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
86.111.37.33	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
173.201.192.229	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
94.73.163.242	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
204.79.197.203	37f463bf4616ecd445d4a1937da06e19	1ae6020839f37465cc81f5f37480fd1e	1
106.187.245.203	37cdab6ff1bd1c195bacb776c5213bf2	adc06261ef82c2e4688b3cf08c1b2f24	1
103.138.88.100	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
77.55.141.119	37cdab6ff1bd1c195bacb776c5213bf2	1af33e1657631357c73119488045302c	1
195.186.120.54	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
212.77.101.1	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
20.72.205.209	28a2c9bd18a11de089ef85a160da29e4	3ffaa1393a2bf5ecfc7b6b2323452f2d	1
52.109.12.23	28a2c9bd18a11de089ef85a160da29e4	67bfe5d15ae567fb35fd7837f0116eec	1
194.177.200.158	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
199.168.117.91	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
211.13.204.5	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
203.211.136.199	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
186.202.161.96	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
23.3.6.28	3b5074b1b5d032e5620f69f9f700ff0e	4b7d5f58af981be54baeda917533e5d8	1
103.20.190.24	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
192.185.121.134	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
52.109.8.24	a0e9f5d64349fb13191bc781f81f42e1	986571066668055ae9481cb84fda634a	1
59.157.128.3	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
186.64.117.195	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
193.70.98.8	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
149.126.6.109	37cdab6ff1bd1c195bacb776c5213bf2	303951d4c50efb2e991652225a6f02b1	1
65.99.225.177	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
64.136.52.50	37cdab6ff1bd1c195bacb776c5213bf2	7b6819ed58e8d8415604b7dfcef92d55	1
52.109.12.19	a0e9f5d64349fb13191bc781f81f42e1	986571066668055ae9481cb84fda634a	1
151.80.93.33	37cdab6ff1bd1c195bacb776c5213bf2	b8d072db1f2e5be0acbae44d5808eca0	1
68.178.252.229	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
65.87.230.25	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
77.244.243.66	37cdab6ff1bd1c195bacb776c5213bf2	e54965894d6b45ecb4323c7ea3d6c115	1
93.157.100.35	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
89.161.196.12	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
192.254.250.163	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
34.68.202.102	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
108.179.194.17	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
184.168.200.22	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
89.216.47.170	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
51.81.229.171	37cdab6ff1bd1c195bacb776c5213bf2	853a40879f82a9da4ed2e19c590c05ea	1
206.188.198.65	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
95.110.223.11	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
213.191.128.76	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
89.161.250.151	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
108.167.189.110	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
212.227.17.190	37cdab6ff1bd1c195bacb776c5213bf2	265fb1760174263f1728167115d17fe8	1
185.151.28.85	37cdab6ff1bd1c195bacb776c5213bf2		                                1
203.219.165.58	37cdab6ff1bd1c195bacb776c5213bf2	faa88e75a7471aaa07850841e28f87f1	1
20.50.201.200	28a2c9bd18a11de089ef85a160da29e4	678aeaf909676262acfb913ccb78a126	1
40.83.240.146	3b5074b1b5d032e5620f69f9f700ff0e	ae4edc6faf64d08308082ad26be60767	1
96.114.157.81	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
194.25.134.110	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
80.249.167.173	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
216.172.184.136	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
166.78.79.129	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
162.241.252.143	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
192.252.149.15	37cdab6ff1bd1c195bacb776c5213bf2	ec74a5c51106f0419184d0dd08fb05bc	1
208.84.244.140	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
66.111.4.52	37cdab6ff1bd1c195bacb776c5213bf2	1af33e1657631357c73119488045302c	1
202.137.236.12	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
207.8.183.5	37cdab6ff1bd1c195bacb776c5213bf2	9706b574e4b03c78a957ef707abe134f	1
200.63.98.23	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
205.178.146.249	37cdab6ff1bd1c195bacb776c5213bf2	5af4c2c17ac0918c8ce8379db04e21f9	1
52.109.8.24	28a2c9bd18a11de089ef85a160da29e4	67bfe5d15ae567fb35fd7837f0116eec	1
68.178.252.101	37cdab6ff1bd1c195bacb776c5213bf2	e35df3e00ca4ef31d42b34bebaa2f86e	1
192.64.117.195	37cdab6ff1bd1c195bacb776c5213bf2	0debd3853f330c574b05e0b6d882dc27	1
52.153.255.201	6271f898ce5be7dd52b0fc260d0662b3	ae4edc6faf64d08308082ad26be60767	1
80.237.132.157	37cdab6ff1bd1c195bacb776c5213bf2	7c77dc02a42c4259b2f00e282bf3f89d	1

Seeing how much data was there, I scaled this back to only give me the hashes that were unique via the the following query:

_path=="ssl" | cut | sort | uniq

Note that I had to use ja3 OR ja3s individually in the above query which was then piped into sort since it would group all the same hashes together which would then be normalized via the “uniq” command.

ja3
28a2c9bd18a11de089ef85a160da29e4
37cdab6ff1bd1c195bacb776c5213bf2
37f463bf4616ecd445d4a1937da06e19
3b5074b1b5d032e5620f69f9f700ff0e
51c64c77e60f3980eea90869b68c58a8
6271f898ce5be7dd52b0fc260d0662b3
a0e9f5d64349fb13191bc781f81f42e1

ja3s
0debd3853f330c574b05e0b6d882dc27
187380bdca925da6fbafacf0d356d2fe
1ae6020839f37465cc81f5f37480fd1e
1af33e1657631357c73119488045302c
265fb1760174263f1728167115d17fe8
2b341b88c742e940cfb485ce7d93dde7
303951d4c50efb2e991652225a6f02b1
3ffaa1393a2bf5ecfc7b6b2323452f2d
4b7d5f58af981be54baeda917533e5d8
5af4c2c17ac0918c8ce8379db04e21f9
649d6810e8392f63dc311eecb6b7098b
678aeaf909676262acfb913ccb78a126
67bfe5d15ae567fb35fd7837f0116eec
76c691f46143bf86e2d1bb73c6187767
7b6819ed58e8d8415604b7dfcef92d55
7c77dc02a42c4259b2f00e282bf3f89d
853a40879f82a9da4ed2e19c590c05ea
9706b574e4b03c78a957ef707abe134f
986571066668055ae9481cb84fda634a
adc06261ef82c2e4688b3cf08c1b2f24
ae4edc6faf64d08308082ad26be60767
b8d072db1f2e5be0acbae44d5808eca0
e35df3e00ca4ef31d42b34bebaa2f86e
e54965894d6b45ecb4323c7ea3d6c115
ec74a5c51106f0419184d0dd08fb05bc
faa88e75a7471aaa07850841e28f87f1
fbe594b39bb5d9c53aa4f6caf8d2950c
fd4bc6cea4877646ccd62f0792ec0b62

The only one that was found over on SSLBL Abuse was 51c64c77e60f3980eea90869b68c58a8 which has been seen as early as December 25th and also classified as “Dridex”.

So now knowing the timeframe of the infection, the IP address of the compromised system, and the malware used here in this compromise, the only thing that is left to check are 1) did the compromised system talk to any other systems on the network, 2) what were the HTTP requests like and 3) what are the SMTP messages about. So checking to see what kind of communications happened between this system and any others on the internal network I used this query looking for anything that was more then 4 packets from the source or destination:

id.orig_h==10.12.3.0/24 and id.resp_h==10.12.3.0/24 | cut ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes | orig_pkts >= 4 and resp_pkts >= 4 | sort -r duration

I didn’t see anything that stood out as being malicious and no other systems outside of the DC were found.

For any HTTP communications, I really didn’t see much there outside of what was found already as seen below.

I also remembered that there were other files seen in the PCAP that I forgot about. Using the following query I was able to take a quick look at them. Based on those results, there were some image files, some Excel macro-spreadsheets, and some zip files. Once again knowing that this is related to Emotet, I am pretty sure that this is related to malspam and the SMTP messages that I saw earlier.

_path=="files" filename!=null | cut _path, ts, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1

Exporting out the hashes and performing a “uniq” like above, I was able to get the following information.

_path=="files" filename!=null | cut filename, md5, sha1 | sort | uniq

filename	md5	sha1
IE7MnYfF4c.dll	2f93cb3701205b257b8ef5e76545923b	c53d45e900d52a0a4802f858ac94a10bdbff3d15
PO261171204827.xlsm	f1f0d756f2a033f3c0e3ba93e9d7700e	1ae741607fa5ce9601ffdd9bd3aba50f1c9373e2
SCAN_1006384431078587279.zip	8685f97ae99114fa480ab5076c30b8da	cfbf2e08d4fbc1d82774e05738273acd374d0d10
XLSM22952905865844.xlsm	8827e861b25e27768d02dd12c1aa855b	86659503579263c2fe9b292a3ccae2ff3a51ad5f
image001.jpg	5aeee5d27cd8a8a66d6d28a6302d766c	2ab7206b021f365354e9a869935da4aa2ab8b0e3
image001.png	4fb1e0a0346c90848f20345e45ecb93f	f3d0497aefd0defe7d869d59961b18fe01c44f9b
image001.png	fa156a85cb085820775a39bafc66dfce	ed5973a6b2965db690308510435e48958d44c7c6
image002.png	aa5fd7385d934ac88301466e88f14d92	672c5dd1636dcce3dad8cd716d475fd01f100804

Looking those hashes up with Machinae gave me back the following hits:

2f93cb3701205b257b8ef5e76545923b
c53d45e900d52a0a4802f858ac94a10bdbff3d15
f1f0d756f2a033f3c0e3ba93e9d7700e
1ae741607fa5ce9601ffdd9bd3aba50f1c9373e2
8827e861b25e27768d02dd12c1aa855b
86659503579263c2fe9b292a3ccae2ff3a51ad5f

********************************************************************************
* Information for 2f93cb3701205b257b8ef5e76545923b
* Observable type: hash (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[-] No Malc0de Results
[+] VirusTotal File Report Results
    [-] Date submitted: 2021-12-20 08:06:09
    [-] Detected engines: 51
    [-] Total engines: 67
    [-] Scans: ('Lionic', 'Trojan[.]Win32[.]Emotet.L!c')
    [-] Scans: ('MicroWorld-eScan', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('FireEye', 'Generic[.]mg.2f93cb3701205b25')
    [-] Scans: ('CAT-QuickHeal', 'Trojan[.]IGENERIC')
    [-] Scans: ('McAfee', 'Emotet-FSQ!2F93CB370120')
    [-] Scans: ('Cylance', 'Unsafe')
    [-] Scans: ('Zillya', 'Trojan[.]Emotet[.]Win32.62068')
    [-] Scans: ('K7AntiVirus', 'Trojan ( 0058b4901 )')
    [-] Scans: ('Alibaba', 'Trojan:Win32/Emotet.8317975f')
    [-] Scans: ('K7GW', 'Trojan ( 0058b4901 )')
    [-] Scans: ('CrowdStrike', 'win/malicious_confidence_100% (W)')
    [-] Scans: ('VirIT', 'Trojan.Win32[.]Emotet[.]DDW')
    [-] Scans: ('Cyren', 'W32/Emotet[.]EDV[.]gen!Eldorado')
    [-] Scans: ('Symantec', 'Trojan Horse')
    [-] Scans: ('ESET-NOD32', 'a variant of Win32/Kryptik[.]HNNQ')
    [-] Scans: ('TrendMicro-HouseCall', 'TrojanSpy.Win32[.]EMOTET[.]YXBLCZ')
    [-] Scans: ('Paloalto', 'generic[.]ml')
    [-] Scans: ('ClamAV', 'Win[.]Malware[.]Generic-9909860-0')
    [-] Scans: ('Kaspersky', 'Trojan-Banker.Win32[.]Emotet[.]ghji')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('Avast', 'Win32:CrypterX-gen [Trj]')
    [-] Scans: ('Tencent', 'Malware[.]Win32[.]Gencirc.10cf91d4')
    [-] Scans: ('Ad-Aware', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('Sophos', 'Mal/Generic-R + Troj/Emotet-CWR')
    [-] Scans: ('Comodo', '.UnclassifiedMalware@0')
    [-] Scans: ('DrWeb', 'Trojan[.]Emotet.1124')
    [-] Scans: ('TrendMicro', 'TrojanSpy.Win32[.]EMOTET[.]YXBLCZ')
    [-] Scans: ('McAfee-GW-Edition', 'Emotet-FSQ!2F93CB370120')
    [-] Scans: ('Emsisoft', 'Trojan[.]Crypt (A)')
    [-] Scans: ('GData', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('Jiangmin', 'Trojan.Banker[.]Emotet[.]qzt')
    [-] Scans: ('Webroot', 'W32[.]Trojan[.]Emotet')
    [-] Scans: ('Avira', 'TR/AD[.]Nekark[.]avuwq')
    [-] Scans: ('MAX', 'malware (ai score=81)')
    [-] Scans: ('Antiy-AVL', 'Trojan/Generic[.]ASMalwS.34E4DB1')
    [-] Scans: ('Kingsoft', 'Win32[.]Troj[.]Generic_a.a.(kcloud)')
    [-] Scans: ('Gridinsoft', 'Ransom.Win32[.]Sabsik[.]oa')
    [-] Scans: ('Microsoft', 'Trojan:Win32/Emotet[.]PAM!MTB')
    [-] Scans: ('Cynet', 'Malicious (score: 100)')
    [-] Scans: ('AhnLab-V3', 'Trojan/Win[.]Emotet.R456215')
    [-] Scans: ('VBA32', 'TrojanBanker[.]Emotet')
    [-] Scans: ('ALYac', 'Trojan[.]Agent[.]Emotet')
    [-] Scans: ('Malwarebytes', 'Trojan[.]Crypt')
    [-] Scans: ('Ikarus', 'Trojan[.]Win32[.]Crypt')
    [-] Scans: ('Rising', 'Trojan[.]Kryptik!1.DAEF (CLASSIC)')
    [-] Scans: ('Yandex', 'Trojan[.]PWS[.]Emotet!kI3B40T2sck')
    [-] Scans: ('SentinelOne', 'Static AI - Suspicious PE')
    [-] Scans: ('MaxSecure', 'Trojan[.]Malware.133255221[.]susgen')
    [-] Scans: ('Fortinet', 'W32/Mikey.D205!tr')
    [-] Scans: ('AVG', 'Win32:CrypterX-gen [Trj]')
    [-] Scans: ('Panda', 'Trj/GdSda.A')
[!] Error from ThreatExpert: HTTPConnectionPool(host='www.threatexpert.com', port=80): Max retries exceeded with url: /report.aspx?md5=2f93cb3701205b257b8ef5e76545923b (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[-] No VxVault Results
[!] Error from Cymru MHR: HTTPSConnectionPool(host='hash.cymru.com', port=443): Max retries exceeded with url: /cgi-bin/bulkmhr.cgi (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[+] MetaDefender File Report Results
    [-] Date submitted: 2021-12-06T05:35:38.444Z
    [-] Detected engines: 12
    [-] Total engines: 34
    [-] Scans: ('Ahnlab', 'Trojan/Win[.]Emotet')
    [-] Scans: ('Avira', 'TR/AD[.]Nekark[.]avuwq')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('ClamAV', 'Win[.]Malware[.]Generic-9909860-0')
    [-] Scans: ('Cyren', 'W32/Emotet[.]EDV[.]gen!Eldorado')
    [-] Scans: ('ESET', 'a variant of Win32/Kryptik[.]HNNQ trojan')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.47553818 (B)')
    [-] Scans: ('Huorong', 'Trojan/Emotet[.]ki')
    [-] Scans: ('Ikarus', 'Trojan[.]Win32[.]Crypt')
    [-] Scans: ('Jiangmin', 'Unavailable (production)')
    [-] Scans: ('K7', 'Trojan ( 0058b4901 )')
    [-] Scans: ('Kaspersky', 'Trojan-Banker.Win32[.]Emotet[.]ghji')
    [-] Scans: ('Xvirus Personal Guard', 'Hacktool[.]Crypter.40')
********************************************************************************
* Information for c53d45e900d52a0a4802f858ac94a10bdbff3d15
* Observable type: hash.sha1 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] VirusTotal File Report Results
    [-] Date submitted: 2021-12-20 08:06:09
    [-] Detected engines: 51
    [-] Total engines: 67
    [-] Scans: ('Lionic', 'Trojan[.]Win32[.]Emotet.L!c')
    [-] Scans: ('MicroWorld-eScan', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('FireEye', 'Generic[.]mg.2f93cb3701205b25')
    [-] Scans: ('CAT-QuickHeal', 'Trojan[.]IGENERIC')
    [-] Scans: ('McAfee', 'Emotet-FSQ!2F93CB370120')
    [-] Scans: ('Cylance', 'Unsafe')
    [-] Scans: ('Zillya', 'Trojan[.]Emotet[.]Win32.62068')
    [-] Scans: ('K7AntiVirus', 'Trojan ( 0058b4901 )')
    [-] Scans: ('Alibaba', 'Trojan:Win32/Emotet.8317975f')
    [-] Scans: ('K7GW', 'Trojan ( 0058b4901 )')
    [-] Scans: ('CrowdStrike', 'win/malicious_confidence_100% (W)')
    [-] Scans: ('VirIT', 'Trojan.Win32[.]Emotet[.]DDW')
    [-] Scans: ('Cyren', 'W32/Emotet[.]EDV[.]gen!Eldorado')
    [-] Scans: ('Symantec', 'Trojan Horse')
    [-] Scans: ('ESET-NOD32', 'a variant of Win32/Kryptik[.]HNNQ')
    [-] Scans: ('TrendMicro-HouseCall', 'TrojanSpy.Win32[.]EMOTET[.]YXBLCZ')
    [-] Scans: ('Paloalto', 'generic[.]ml')
    [-] Scans: ('ClamAV', 'Win[.]Malware[.]Generic-9909860-0')
    [-] Scans: ('Kaspersky', 'Trojan-Banker.Win32[.]Emotet[.]ghji')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('Avast', 'Win32:CrypterX-gen [Trj]')
    [-] Scans: ('Tencent', 'Malware[.]Win32[.]Gencirc.10cf91d4')
    [-] Scans: ('Ad-Aware', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('Sophos', 'Mal/Generic-R + Troj/Emotet-CWR')
    [-] Scans: ('Comodo', '.UnclassifiedMalware@0')
    [-] Scans: ('DrWeb', 'Trojan[.]Emotet.1124')
    [-] Scans: ('TrendMicro', 'TrojanSpy.Win32[.]EMOTET[.]YXBLCZ')
    [-] Scans: ('McAfee-GW-Edition', 'Emotet-FSQ!2F93CB370120')
    [-] Scans: ('Emsisoft', 'Trojan[.]Crypt (A)')
    [-] Scans: ('GData', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('Jiangmin', 'Trojan.Banker[.]Emotet[.]qzt')
    [-] Scans: ('Webroot', 'W32[.]Trojan[.]Emotet')
    [-] Scans: ('Avira', 'TR/AD[.]Nekark[.]avuwq')
    [-] Scans: ('MAX', 'malware (ai score=81)')
    [-] Scans: ('Antiy-AVL', 'Trojan/Generic[.]ASMalwS.34E4DB1')
    [-] Scans: ('Kingsoft', 'Win32[.]Troj[.]Generic_a.a.(kcloud)')
    [-] Scans: ('Gridinsoft', 'Ransom.Win32[.]Sabsik[.]oa')
    [-] Scans: ('Microsoft', 'Trojan:Win32/Emotet[.]PAM!MTB')
    [-] Scans: ('Cynet', 'Malicious (score: 100)')
    [-] Scans: ('AhnLab-V3', 'Trojan/Win[.]Emotet.R456215')
    [-] Scans: ('VBA32', 'TrojanBanker[.]Emotet')
    [-] Scans: ('ALYac', 'Trojan[.]Agent[.]Emotet')
    [-] Scans: ('Malwarebytes', 'Trojan[.]Crypt')
    [-] Scans: ('Ikarus', 'Trojan[.]Win32[.]Crypt')
    [-] Scans: ('Rising', 'Trojan[.]Kryptik!1.DAEF (CLASSIC)')
    [-] Scans: ('Yandex', 'Trojan[.]PWS[.]Emotet!kI3B40T2sck')
    [-] Scans: ('SentinelOne', 'Static AI - Suspicious PE')
    [-] Scans: ('MaxSecure', 'Trojan[.]Malware.133255221[.]susgen')
    [-] Scans: ('Fortinet', 'W32/Mikey.D205!tr')
    [-] Scans: ('AVG', 'Win32:CrypterX-gen [Trj]')
    [-] Scans: ('Panda', 'Trj/GdSda.A')
[!] Error from Cymru MHR: HTTPSConnectionPool(host='hash.cymru.com', port=443): Max retries exceeded with url: /cgi-bin/bulkmhr.cgi (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[+] MetaDefender File Report Results
    [-] Date submitted: 2021-12-06T05:35:38.444Z
    [-] Detected engines: 12
    [-] Total engines: 34
    [-] Scans: ('Ahnlab', 'Trojan/Win[.]Emotet')
    [-] Scans: ('Avira', 'TR/AD[.]Nekark[.]avuwq')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47553818')
    [-] Scans: ('ClamAV', 'Win[.]Malware[.]Generic-9909860-0')
    [-] Scans: ('Cyren', 'W32/Emotet[.]EDV[.]gen!Eldorado')
    [-] Scans: ('ESET', 'a variant of Win32/Kryptik[.]HNNQ trojan')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.47553818 (B)')
    [-] Scans: ('Huorong', 'Trojan/Emotet[.]ki')
    [-] Scans: ('Ikarus', 'Trojan[.]Win32[.]Crypt')
    [-] Scans: ('Jiangmin', 'Unavailable (production)')
    [-] Scans: ('K7', 'Trojan ( 0058b4901 )')
    [-] Scans: ('Kaspersky', 'Trojan-Banker.Win32[.]Emotet[.]ghji')
    [-] Scans: ('Xvirus Personal Guard', 'Hacktool[.]Crypter.40')
********************************************************************************
* Information for f1f0d756f2a033f3c0e3ba93e9d7700e
* Observable type: hash (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[-] No Malc0de Results
[+] VirusTotal File Report Results
    [-] Date submitted: 2021-12-10 16:28:17
    [-] Detected engines: 29
    [-] Total engines: 59
    [-] Scans: ('Lionic', 'Trojan[.]MSOffice[.]Emotet.4!c')
    [-] Scans: ('ClamAV', 'Xls[.]Downloader[.]EmotetExcel122100-9913103-0')
    [-] Scans: ('McAfee', 'Downloader-FCHG!F4546CFAAF78')
    [-] Scans: ('K7AntiVirus', 'Trojan ( 0058b5021 )')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('K7GW', 'Trojan ( 0058b5021 )')
    [-] Scans: ('Arcabit', 'Trojan[.]Generic.D246B115')
    [-] Scans: ('Cyren', 'XML/Agent[.]KD')
    [-] Scans: ('ESET-NOD32', 'DOC/TrojanDownloader[.]Agent[.]DOH')
    [-] Scans: ('Avast', 'VBS:Malware-gen')
    [-] Scans: ('Cynet', 'Malicious (score: 99)')
    [-] Scans: ('Kaspersky', 'HEUR:Trojan.MSOffice[.]Emotet[.]gen')
    [-] Scans: ('Alibaba', 'TrojanDownloader:Office97/Emotet.3e3309f5')
    [-] Scans: ('MicroWorld-eScan', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Tencent', 'Trojan[.]MsOffice[.]XmlMacroSheet.11017772')
    [-] Scans: ('Ad-Aware', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.38187285 (B)')
    [-] Scans: ('DrWeb', 'W97M[.]DownLoader.5470')
    [-] Scans: ('McAfee-GW-Edition', 'Artemis!Trojan')
    [-] Scans: ('FireEye', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]XLM[.]Agent')
    [-] Scans: ('GData', 'XML.Trojan[.]Agent[.]AOBTAI')
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]eltuf')
    [-] Scans: ('MAX', 'malware (ai score=85)')
    [-] Scans: ('Microsoft', 'TrojanDownloader:O97M/Emotet!MTB')
    [-] Scans: ('Zoner', 'Probably Heur.W97ShellN')
    [-] Scans: ('Rising', 'Downloader[.]Agent/XLM!1.DADA (CLASSIC)')
    [-] Scans: ('Fortinet', 'XML/Agent[.]AA!tr[.]dldr')
    [-] Scans: ('AVG', 'VBS:Malware-gen')
[!] Error from ThreatExpert: HTTPConnectionPool(host='www.threatexpert.com', port=80): Max retries exceeded with url: /report.aspx?md5=f1f0d756f2a033f3c0e3ba93e9d7700e (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[-] No VxVault Results
[!] Error from Cymru MHR: HTTPSConnectionPool(host='hash.cymru.com', port=443): Max retries exceeded with url: /cgi-bin/bulkmhr.cgi (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[+] MetaDefender File Report Results
    [-] Date submitted: 2021-12-06T02:05:47.332Z
    [-] Detected engines: 4
    [-] Total engines: 34
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]eltuf')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.38187285 (B)')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]DOC[.]Agent')
    [-] Scans: ('RocketCyber', '')
    [-] Scans: ('Webroot SMD', '')
********************************************************************************
* Information for 1ae741607fa5ce9601ffdd9bd3aba50f1c9373e2
* Observable type: hash.sha1 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] VirusTotal File Report Results
    [-] Date submitted: 2021-12-10 16:28:17
    [-] Detected engines: 29
    [-] Total engines: 59
    [-] Scans: ('Lionic', 'Trojan[.]MSOffice[.]Emotet.4!c')
    [-] Scans: ('ClamAV', 'Xls[.]Downloader[.]EmotetExcel122100-9913103-0')
    [-] Scans: ('McAfee', 'Downloader-FCHG!F4546CFAAF78')
    [-] Scans: ('K7AntiVirus', 'Trojan ( 0058b5021 )')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('K7GW', 'Trojan ( 0058b5021 )')
    [-] Scans: ('Arcabit', 'Trojan[.]Generic.D246B115')
    [-] Scans: ('Cyren', 'XML/Agent[.]KD')
    [-] Scans: ('ESET-NOD32', 'DOC/TrojanDownloader[.]Agent[.]DOH')
    [-] Scans: ('Avast', 'VBS:Malware-gen')
    [-] Scans: ('Cynet', 'Malicious (score: 99)')
    [-] Scans: ('Kaspersky', 'HEUR:Trojan.MSOffice[.]Emotet[.]gen')
    [-] Scans: ('Alibaba', 'TrojanDownloader:Office97/Emotet.3e3309f5')
    [-] Scans: ('MicroWorld-eScan', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Tencent', 'Trojan[.]MsOffice[.]XmlMacroSheet.11017772')
    [-] Scans: ('Ad-Aware', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.38187285 (B)')
    [-] Scans: ('DrWeb', 'W97M[.]DownLoader.5470')
    [-] Scans: ('McAfee-GW-Edition', 'Artemis!Trojan')
    [-] Scans: ('FireEye', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]XLM[.]Agent')
    [-] Scans: ('GData', 'XML.Trojan[.]Agent[.]AOBTAI')
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]eltuf')
    [-] Scans: ('MAX', 'malware (ai score=85)')
    [-] Scans: ('Microsoft', 'TrojanDownloader:O97M/Emotet!MTB')
    [-] Scans: ('Zoner', 'Probably Heur.W97ShellN')
    [-] Scans: ('Rising', 'Downloader[.]Agent/XLM!1.DADA (CLASSIC)')
    [-] Scans: ('Fortinet', 'XML/Agent[.]AA!tr[.]dldr')
    [-] Scans: ('AVG', 'VBS:Malware-gen')
[!] Error from Cymru MHR: HTTPSConnectionPool(host='hash.cymru.com', port=443): Max retries exceeded with url: /cgi-bin/bulkmhr.cgi (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[+] MetaDefender File Report Results
    [-] Date submitted: 2021-12-06T02:05:47.332Z
    [-] Detected engines: 4
    [-] Total engines: 34
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]eltuf')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.38187285')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.38187285 (B)')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]DOC[.]Agent')
    [-] Scans: ('RocketCyber', '')
    [-] Scans: ('Webroot SMD', '')
********************************************************************************
* Information for 8827e861b25e27768d02dd12c1aa855b
* Observable type: hash (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[-] No Malc0de Results
[!] Error from VirusTotal File Report: Expecting value: line 1 column 1 (char 0)
[!] Error from ThreatExpert: HTTPConnectionPool(host='www.threatexpert.com', port=80): Max retries exceeded with url: /report.aspx?md5=8827e861b25e27768d02dd12c1aa855b (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[-] No VxVault Results
[!] Error from Cymru MHR: HTTPSConnectionPool(host='hash.cymru.com', port=443): Max retries exceeded with url: /cgi-bin/bulkmhr.cgi (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[+] MetaDefender File Report Results
    [-] Date submitted: 2021-12-06T02:07:52.446Z
    [-] Detected engines: 4
    [-] Total engines: 34
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]ivjtn')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47562197')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.47562197 (B)')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]DOC[.]Agent')
    [-] Scans: ('RocketCyber', '')
    [-] Scans: ('Webroot SMD', '')
********************************************************************************
* Information for 86659503579263c2fe9b292a3ccae2ff3a51ad5f
* Observable type: hash.sha1 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] VirusTotal File Report Results
    [-] Date submitted: 2021-12-10 16:32:35
    [-] Detected engines: 29
    [-] Total engines: 59
    [-] Scans: ('Lionic', 'Trojan[.]MSOffice[.]Emotet.4!c')
    [-] Scans: ('ClamAV', 'Xls[.]Downloader[.]EmotetExcel122100-9913103-0')
    [-] Scans: ('K7AntiVirus', 'Trojan ( 0058b5021 )')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47562197')
    [-] Scans: ('K7GW', 'Trojan ( 0058b5021 )')
    [-] Scans: ('Arcabit', 'Trojan[.]Generic.D2D5BDD5')
    [-] Scans: ('Cyren', 'XML/Agent[.]KD')
    [-] Scans: ('ESET-NOD32', 'DOC/TrojanDownloader[.]Agent[.]DOH')
    [-] Scans: ('Avast', 'VBS:Malware-gen')
    [-] Scans: ('Cynet', 'Malicious (score: 99)')
    [-] Scans: ('Kaspersky', 'HEUR:Trojan.MSOffice[.]Emotet[.]gen')
    [-] Scans: ('Alibaba', 'Trojan:Office/Emotet[.]aeb515b2')
    [-] Scans: ('MicroWorld-eScan', 'Trojan[.]GenericKD.47562197')
    [-] Scans: ('Tencent', 'Trojan[.]MsOffice[.]XmlMacroSheet.11017772')
    [-] Scans: ('Ad-Aware', 'Trojan[.]GenericKD.47562197')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.47562197 (B)')
    [-] Scans: ('DrWeb', 'W97M[.]DownLoader.5470')
    [-] Scans: ('McAfee-GW-Edition', 'Artemis!Trojan')
    [-] Scans: ('FireEye', 'Trojan[.]GenericKD.47562197')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]XLM[.]Agent')
    [-] Scans: ('GData', 'XML.Trojan[.]Agent[.]AOBTAI')
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]ivjtn')
    [-] Scans: ('MAX', 'malware (ai score=83)')
    [-] Scans: ('Microsoft', 'TrojanDownloader:O97M/Emotet[.]ASQT!MTB')
    [-] Scans: ('McAfee', 'Downloader-FCHG!F4546CFAAF78')
    [-] Scans: ('Zoner', 'Probably Heur.W97ShellN')
    [-] Scans: ('Rising', 'Downloader[.]Agent/XLM!1.DADA (CLASSIC)')
    [-] Scans: ('Fortinet', 'XML/Agent[.]AA!tr[.]dldr')
    [-] Scans: ('AVG', 'VBS:Malware-gen')
[!] Error from Cymru MHR: HTTPSConnectionPool(host='hash.cymru.com', port=443): Max retries exceeded with url: /cgi-bin/bulkmhr.cgi (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known'))
[+] MetaDefender File Report Results
    [-] Date submitted: 2021-12-06T02:07:52.446Z
    [-] Detected engines: 4
    [-] Total engines: 34
    [-] Scans: ('Avira', 'W2000M/YAV[.]Minerva[.]ivjtn')
    [-] Scans: ('BitDefender', 'Trojan[.]GenericKD.47562197')
    [-] Scans: ('Emsisoft', 'Trojan[.]GenericKD.47562197 (B)')
    [-] Scans: ('Ikarus', 'Trojan-Downloader[.]DOC[.]Agent')
    [-] Scans: ('RocketCyber', '')
    [-] Scans: ('Webroot SMD', '')

For the last part of this exercise, I needed to find what the name of the user was and the hostname as well. This was pretty straight forward in Brim since you can look at both “NTLM” and “Kerberos” at the same time and see the results.

Now for the last part – what the heck is all the SMTP messages? Using the following query I was able to make short work of this.

_path=="smtp" | mailfrom!=null

Looks like I was correct about the malspam aspect of this. The other interesting bit to this is when I dug into one of the rows and opened the log detail up. In the following example, I saw that there was the connection, but then a cascading view of three files, and a SMTP communication. This stems from the same connection being used to send several emails that range from two attachments up to four different attachments.

So there we have it – a quick rundown of Brim and the different queries that I used to work on this exercise. As usual, please let me know if I have missed anything. Thanks for stopping by.

Leave a Reply

Your email address will not be published. Required fields are marked *