2022-04-22 Emotet Malspam Using Excel 4 Macro

Summary
========

Looking at the mail filters yesterday to see if there was anything interesting while having “some” downtime during the late part of my shift, I was able to come across a sample of some Emotet malspam leveraging the usual hacked/injected email thread. The sample was an encrypted zip file that had an Excel spreadsheet using the Excel 4 macro once the macro was enabled. All the files and artifacts from this can be found over at my Github repo located here.

Emotet malspam

Analysis
========

Host
———-

This infection chain is very much like the one that I detailed in my last write up which you can find here. Once the attachment is downloaded and opened, the spreadsheet presents itself like any other maldoc asking for the macro to be run/executed. Using tools like “oledump.py” and “olavba.py” or even something as simple as strings can give an analyst some basic insight into what is going on with the macro. I started off with oledump.py and used the following command:

oledump.py -p plugin_biff --pluginoptions "-x" "C:\Users\bob\Desktop\Form Dt 04.22.2022.xls"

which is a plugin from Didier Stevens and just for the Excel 4 macros. You can find the plugin and many others from him at his Github. There is also an awesome walk through of Excel 4 macros over at SANS ISC from Bojan here, and one that I did a while back which you can read here.

Using the command outputs the following:

PS C:\Users\bob > oledump.py -p plugin_biff --pluginoptions "-x" "C:\Users\bob\Desktop\Form Dt 04.22.2022.xls"
1: 4096 '\x05DocumentSummaryInformation'
2: 4096 '\x05SummaryInformation'
3: 61304 'Workbook'
Plugin: BIFF plugin
0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Vv1
0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Vv2
0085 11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Vv3
0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - FRHJDJDJ
"0018 29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\\x1d'"
0018 28 LABEL : Cell Value, String Constant - HRHRE1 len=7 ptgRef3d Vv1!R12C6
0018 28 LABEL : Cell Value, String Constant - HRHRE2 len=7 ptgRef3d Vv1!R14C6
0018 28 LABEL : Cell Value, String Constant - HRHRE3 len=7 ptgRef3d Vv1!R16C6
0018 28 LABEL : Cell Value, String Constant - HRHRE4 len=7 ptgRef3d Vv1!R18C6
0018 28 LABEL : Cell Value, String Constant - HRHRE5 len=7 ptgRef3d Vv1!R20C6
0018 28 LABEL : Cell Value, String Constant - HRHRE6 len=7 ptgRef3d Vv1!R22C6
0018 28 LABEL : Cell Value, String Constant - HRHRE7 len=7 ptgRef3d Vv1!R24C6
0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Vv1!R3C6
0006 32 FORMULA : Cell Formula - R2C5 len=10 ptgInt 113 ptgInt 2 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R2C7 len=10 ptgInt 111 ptgInt 6 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R2C12 len=10 ptgInt 71 ptgInt 6 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R3C3 len=10 ptgInt 111 ptgInt 3 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R3C9 len=10 ptgInt 87 ptgInt 4 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R3C16 len=10 ptgInt 90 ptgInt 2 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R4C6 len=10 ptgInt 100 ptgInt 18 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R4C8 len=10 ptgInt 110 ptgInt 9 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R4C14 len=10 ptgInt 89 ptgInt 1 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R5C2 len=10 ptgInt 115 ptgInt 2 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R5C16 len=10 ptgInt 44 ptgInt 2 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R6C5 len=10 ptgInt 90 ptgInt 6 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R6C10 len=10 ptgInt 77 ptgInt 3 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R7C4 len=10 ptgInt 107 ptgInt 3 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R7C13 len=10 ptgInt 117 ptgInt 2 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R7C16 len=10 ptgInt 41 ptgInt 3 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R9C3 len=10 ptgInt 110 ptgInt 2 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R9C8 len=10 ptgInt 70 ptgInt 3 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R9C11 len=10 ptgInt 55 ptgInt 7 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R9C16 len=10 ptgInt 55 ptgInt 5 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R10C6 len=10 ptgInt 123 ptgInt 4 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R11C5 len=10 ptgInt 80 ptgInt 5 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R11C10 len=10 ptgInt 80 ptgInt 7 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R11C12 len=10 ptgInt 100 ptgInt 1 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R11C16 len=10 ptgInt 35 ptgInt 5 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R12C1 len=10 ptgInt 107 ptgInt 2 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R13C4 len=10 ptgInt 72 ptgInt 4 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R13C8 len=10 ptgInt 68 ptgInt 1 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R13C16 len=10 ptgInt 36 ptgInt 5 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R14C7 len=10 ptgInt 124 ptgInt 4 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R14C11 len=10 ptgInt 70 ptgInt 4 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R15C2 len=10 ptgInt 80 ptgInt 4 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R15C6 len=10 ptgInt 105 ptgInt 5 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R15C16 len=10 ptgInt 31 ptgInt 3 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R17C4 len=10 ptgInt 102 ptgInt 5 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R17C9 len=10 ptgInt 78 ptgInt 1 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R17C16 len=10 ptgInt 40 ptgInt 2 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R18C2 len=10 ptgInt 65 ptgInt 5 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 28 FORMULA : Cell Formula - R19C16 len=6 ptgInt 32 ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R20C16 len=10 ptgInt 52 ptgInt 6 ptgAdd ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R22C16 len=10 ptgInt 66 ptgInt 5 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R23C11 len=10 ptgInt 80 ptgInt 2 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 32 FORMULA : Cell Formula - R24C7 len=10 ptgInt 84 ptgInt 2 ptgSub ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 28 FORMULA : Cell Formula - R26C9 len=6 ptgInt 84 ptgFuncV CHAR (0x006f)
0207 4 STRING : String Value of a Formula -
0006 37 FORMULA : Cell Formula - R32C9 len=15 ptgName 0x00000001 ptgStr "CXI" ptgFuncVarV args 2 func User Defined Function (0x00ff)
0006 39 FORMULA : Cell Formula - R33C2 len=17 ptgName 0x00000001 ptgStr "LXVII" ptgFuncVarV args 2 func User Defined Function (0x00ff)
0006 39 FORMULA : Cell Formula - R33C15 len=17 ptgName 0x00000001 ptgStr "LXVII" ptgFuncVarV args 2 func User Defined Function (0x00ff)
0006 37 FORMULA : Cell Formula - R35C5 len=15 ptgName 0x00000001 ptgStr "LXI" ptgFuncVarV args 2 func User Defined Function (0x00ff)
0006 38 FORMULA : Cell Formula - R36C17 len=16 ptgName 0x00000001 ptgStr "CXIV" ptgFuncVarV args 2 func User Defined Function (0x00ff)
0006 36 FORMULA : Cell Formula - R37C11 len=14 ptgName 0x00000001 ptgStr "CI" ptgFuncVarV args 2 func User Defined Function (0x00ff)
0006 56 FORMULA : Cell Formula - R3C2 len=34 ptgRef3dV Sheet!R11C16 ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R5C2 ptgConcat ptgRef3dV Sheet!R3C3 ptgConcat ptgFuncV T (0x0082)
'0207 7 STRING : String Value of a Formula - b\'("ur\''
0006 112 FORMULA : Cell Formula - R7C4 len=90 ptgRef3dV Sheet!R9C3 ptgRef3dV Sheet!R12C1 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R7C4 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R11C5 ptgConcat ptgRef3dV Sheet!R4C6 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R13C4 ptgConcat ptgFuncV T (0x0082)
'0207 14 STRING : String Value of a Formula - b\'lmon","URLD\''
0006 112 FORMULA : Cell Formula - R9C12 len=90 ptgRef3dV Sheet!R2C12 ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R6C10 ptgConcat ptgRef3dV Sheet!R6C10 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R14C11 ptgConcat ptgRef3dV Sheet!R14C11 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgFuncV T (0x0082)
'0207 14 STRING : String Value of a Formula - b\'A","JJCCBB"\''
0006 120 FORMULA : Cell Formula - R11C7 len=98 ptgRef3dV Sheet!R2C5 ptgRef3dV Sheet!R10C6 ptgConcat ptgRef3dV Sheet!R7C4 ptgConcat ptgRef3dV Sheet!R9C3 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R17C4 ptgConcat ptgRef3dV Sheet!R15C6 ptgConcat ptgRef3dV Sheet!R6C5 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R2C7 ptgConcat ptgRef3dV Sheet!R9C3 ptgConcat ptgFuncV T (0x0082)
"0207 15 STRING : String Value of a Formula - b'ownloadToFil'"
0006 128 FORMULA : Cell Formula - R3C10 len=106 ptgRef3dV Sheet!R19C16 ptgRef3dV Sheet!R5C16 ptgConcat ptgRef3dV Sheet!R5C16 ptgConcat ptgRef3dV Sheet!R3C16 ptgConcat ptgRef3dV Sheet!R14C7 ptgConcat ptgRef3dV Sheet!R15C6 ptgConcat ptgRef3dV Sheet!R10C6 ptgConcat ptgRef3dV Sheet!R7C4 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R5C16 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R11C12 ptgConcat ptgRef3dV Sheet!R14C7 ptgConcat ptgFuncV T (0x0082)
"0207 16 STRING : String Value of a Formula - b' ..\\\\xdwno.ocx'"
0006 56 FORMULA : Cell Formula - R5C16 len=34 ptgRef3dV Sheet!R9C16 ptgRef3dV Sheet!R9C11 ptgConcat ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R19C16 ptgConcat ptgFuncV T (0x0082)
"0207 7 STRING : String Value of a Formula - b'<0, '"
0006 120 FORMULA : Cell Formula - R9C4 len=98 ptgRef3dV Sheet!R5C16 ptgRef3dV Sheet!R5C16 ptgConcat ptgRef3dV Sheet!R3C16 ptgConcat ptgRef3dV Sheet!R14C7 ptgConcat ptgRef3dV Sheet!R15C6 ptgConcat ptgRef3dV Sheet!R10C6 ptgConcat ptgRef3dV Sheet!R7C4 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R5C16 ptgConcat ptgRef3dV Sheet!R2C5 ptgConcat ptgRef3dV Sheet!R11C12 ptgConcat ptgRef3dV Sheet!R14C7 ptgConcat ptgFuncV T (0x0082)
"0207 15 STRING : String Value of a Formula - b'..\\\\xdwno.ocx'"
0006 48 FORMULA : Cell Formula - R13C18 len=26 ptgRef3dV Sheet!R10C14 ptgRef3dV Sheet!R13C14 ptgConcat ptgRef3dV Vv2!R13C15 ptgConcat ptgFuncV T (0x0082)
"0207 9 STRING : String Value of a Formula - b'32.exe'"
0006 56 FORMULA : Cell Formula - R14C14 len=34 ptgRef3dV Sheet!R4C8 ptgRef3dV Sheet!R22C4 ptgConcat ptgRef3dV Sheet!R7C13 ptgConcat ptgRef3dV Sheet!R17C7 ptgConcat ptgFuncV T (0x0082)
"0207 7 STRING : String Value of a Formula - b'egsv'"
0006 73 FORMULA : Cell Formula - R15C4 len=51 ptgRef3dV Sheet!R7C16 ptgRef3dV Sheet!R9C11 ptgConcat ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R19C6 ptgConcat ptgNum FLOAT 3243413.000000 ptgFuncV TEXT (0x0030)
'0207 8 STRING : String Value of a Formula - b\',0,"h\''
0006 72 FORMULA : Cell Formula - R16C10 len=50 ptgRef3dV Sheet!R15C16 ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R9C11 ptgConcat ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R9C11 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgFuncV T (0x0082)
'0207 9 STRING : String Value of a Formula - b\'",0,0)\''
0006 1370 FORMULA : Cell Formula - R10C6 len=1348 ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R2C12 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Vv2!R3C2 ptgConcat ptgRef3dV Vv2!R7C4 ptgConcat ptgRef3dV Vv2!R11C7 ptgConcat ptgRef3dV Sheet!R4C8 ptgConcat ptgRef3dV Vv2!R9C12 ptgConcat ptgRef3dV Vv3!R15C4 ptgConcat ptgRef3dV Vv2!R17C4 ptgConcat ptgRef3dV Vv3!R9C4 ptgConcat ptgRef3dV Vv3!R16C10 ptgConcat ptgRef R12C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R11C10 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgStr "HRHRE1" ptgConcat ptgRef3dV Vv3!R5C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R2C12 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Vv2!R3C2 ptgConcat ptgRef3dV Vv2!R7C4 ptgConcat ptgRef3dV Vv2!R11C7 ptgConcat ptgRef3dV Sheet!R4C8 ptgConcat ptgRef3dV Vv2!R9C12 ptgConcat ptgRef3dV Vv3!R15C4 ptgConcat ptgRef3dV Vv2!R19C5 ptgConcat ptgRef3dV Vv3!R9C4 ptgConcat ptgRef3dV Vv3!R16C10 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R14C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R11C10 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgStr "HRHRE2" ptgConcat ptgRef3dV Vv3!R5C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R2C12 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Vv2!R3C2 ptgConcat ptgRef3dV Vv2!R7C4 ptgConcat ptgRef3dV Vv2!R11C7 ptgConcat ptgRef3dV Sheet!R4C8 ptgConcat ptgRef3dV Vv2!R9C12 ptgConcat ptgRef3dV Vv3!R15C4 ptgConcat ptgRef3dV Vv2!R17C6 ptgConcat ptgRef3dV Vv3!R9C4 ptgConcat ptgRef3dV Vv3!R16C10 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R16C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R11C10 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgStr "HRHRE3" ptgConcat ptgRef3dV Vv3!R5C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R2C12 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Vv2!R3C2 ptgConcat ptgRef3dV Vv2!R7C4 ptgConcat ptgRef3dV Vv2!R11C7 ptgConcat ptgRef3dV Sheet!R4C8 ptgConcat ptgRef3dV Vv2!R9C12 ptgConcat ptgRef3dV Vv3!R15C4 ptgConcat ptgRef3dV Vv2!R19C7 ptgConcat ptgRef3dV Vv3!R9C4 ptgConcat ptgRef3dV Vv3!R16C10 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R18C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R11C10 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgStr "HRHRE4" ptgConcat ptgRef3dV Vv3!R5C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R2C12 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Vv2!R3C2 ptgConcat ptgRef3dV Vv2!R7C4 ptgConcat ptgRef3dV Vv2!R11C7 ptgConcat ptgRef3dV Sheet!R4C8 ptgConcat ptgRef3dV Vv2!R9C12 ptgConcat ptgRef3dV Vv3!R15C4 ptgConcat ptgRef3dV Vv2!R17C8 ptgConcat ptgRef3dV Vv3!R9C4 ptgConcat ptgRef3dV Vv3!R16C10 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R20C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R11C10 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgStr "HRHRE5" ptgConcat ptgRef3dV Vv3!R5C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R2C12 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Vv2!R3C2 ptgConcat ptgRef3dV Vv2!R7C4 ptgConcat ptgRef3dV Vv2!R11C7 ptgConcat ptgRef3dV Sheet!R4C8 ptgConcat ptgRef3dV Vv2!R9C12 ptgConcat ptgRef3dV Vv3!R15C4 ptgConcat ptgRef3dV Vv2!R19C9 ptgConcat ptgRef3dV Vv3!R9C4 ptgConcat ptgRef3dV Vv3!R16C10 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R22C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R11C10 ptgConcat ptgRef3dV Sheet!R18C2 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgStr "HRHRE6" ptgConcat ptgRef3dV Vv3!R5C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R15C2 ptgConcat ptgRef3dV Sheet!R17C9 ptgConcat ptgRef3dV Sheet!R3C9 ptgConcat ptgRef3dV Sheet!R13C8 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgRef3dV Sheet!R9C11 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef3dV Sheet!R7C16 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R26C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R13C8 ptgConcat ptgRef3dV Sheet!R4C14 ptgConcat ptgRef3dV Sheet!R13C8 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R9C8 ptgConcat ptgRef3dV Sheet!R20C16 ptgConcat ptgRef3dV Vv3!R11C12 ptgConcat ptgRef3dV Vv3!R2C20 ptgConcat ptgRef3dV Sheet!R3C3 ptgConcat ptgRef3dV Vv3!R14C14 ptgConcat ptgRef3dV Sheet!R3C3 ptgConcat ptgRef3dV Vv3!R13C18 ptgConcat ptgRef3dV Vv3!R3C10 ptgConcat ptgRef3dV Sheet!R15C16 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R28C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ ptgRef3dV Sheet!R22C16 ptgRef3dV Sheet!R24C7 ptgConcat ptgRef3dV Sheet!R13C8 ptgConcat ptgRef3dV Sheet!R26C9 ptgConcat ptgRef3dV Sheet!R11C5 ptgConcat ptgRef3dV Sheet!R4C6 ptgConcat ptgRef3dV Sheet!R23C11 ptgConcat ptgRef3dV Sheet!R11C16 ptgConcat ptgRef3dV Sheet!R13C16 ptgConcat ptgRef R32C6 ptgFuncVarV args 2 func FORMULA (0x8060) ptgEQ

The first part that stood out to me from this wall of text was this.

This told me that there were some hidden sheets in the spreadsheet.

The following told me that there were some functions, some methods to download files, and an equation to put things back together again to make the script.

Not really up for figuring this out, I decided to see what was hiding in the hidden sheets in the Excel spreadsheet. These pages gave me everything that I really needed to know (since this is Emotet I knew that there would be several URLs in the script) and the fact that it was going to leverage “regsvr32.exe” as well.

Now that there is a basic understanding of what is going to happen when the macro is executed, I went ahead and did just that in my VM. As expected some of the URLs that were found in the script were already dead, but there was one that responded and sent the malicious OCX across the wire.

Wireshark filter: !(ssdp || icmpv6) && (http.request || tls.handshake.extensions_server_name)

While enabling the macro I also had ProcMon running in the background to see what was going on via the host. First I looked for any files that were written to disk. This showed me that the Excel process created the “xdwno.ocx” file.

xdwno.ocx being created

Looking at the timestamps from ProcMon and Wireshark, along with the filesize being roughly the same size, helped verify things even more.

I also saw that this is written by the regsvr32.exe process too and used as part of the injection method.

Continuing towards the end of PID 5364’s execution, we can see it created a new process of itself – PID 4600.

Looking at this process (PID 4600), I saw that it was responsible for creating the folder where the malicious binary would end up (C:\Users\%username%\AppData\Local\Cifmjahgfzofgk).

I also saw that the initial downloaded file from above was renamed and copied over to the destination from above.

The only other events that I noticed with this PID was the fact that it did a lot of enumerating of objects via the registry (ie: looking at the details of different apps installed). I also saw where this process exited out and spun up the last of the child processes.

Shifting gears now to this new PID (PID 6472) I used Procmon and some filters on the following PIDs to see how this process ran along side of the other child processes. The PIDs I focused on where: 6472, 5152, 4692, 4672, 5992, 2108, 7908, and 3040.

Process Monitor’s Process Tree View

With PID 6472 now up and running, the first thing that I noticed with this process was the fact that it was looking at the following registry settings seeing if they were there and/or enabled (see below). I also found that it was also looking at other settings with relation to internet browsing and also looking at the installed certificates as well.

I also noticed where this process set the persistence mechanism via the “Run” registry key.

NOTE: I noticed that at the end of every run and the handoffs back and forth between this PID and it’s children, it would always come back and verify that this was set.

It then proceeded to create the *.tmp files and create the processes for systeminfo, ipconfig, and nltest which then proceeded to dump the output from the commands into those files which would then be exfilled off the system. The regsvr32.exe process (PID 6472) would then check the file via a “querystandardinformationfile” and “read” operation in Procmon (not pictured). Once that was done it would then promptly delete the file (pictured below).

Systeminfo process and TMP file creation and deletion

IPconfig process and TMP file creation and deletion

NLtest /dclist process and TMP file creation and deletion

After this, I did see where the regsvr32.exe process looked for “certutil.exe” and then copied the file over to the new location.

Certutil “knockoffs”

The only odd part is that I am not seeing anything about a file move or copy in Procmon. An example of this activity can be seen below. Please note that the other “knockoff” processes follow this similar pattern as well.

Observations from each of these files
————————————————-

gdwmry.exe

  • Saw hits for some different mail applications (Thunderbird, Eudora, Outlook, Google Talk/Messages, etc.).
  • There was a cfg file that was written to the %TEMP% folder by this process (path: C:\Users\%user%\AppData\Local\Temp\gdwmry.cfg).
  • Looked for some system info and folder info (computer name, different paths, etc.).

ppfy.exe

  • Like gdwmry.exe, there was a cfg file that was written to the %TEMP% folder by this process (path: C:\Users\%user%\AppData\Local\Temp\ppfy.cfg).
  • This one looked for things relating to web browsers (Edge, Chrome, Internet Explorer, and history/cache).

Note: The above two processes also used the option of “/scomma”. This is related to the use of Nirsoft’s utilities as talked about in the post from Fortinet above.

ocutspbnmdlt.exe

  • This looked at what seems to be some more system info related bits. The thing that stood out to me was the probing for Outlook mail and the mapi32.dll.

zcbptp.exe/gksq.exe

  • These looked to be related to the user environment and system related from what I could tell (not exactly 100% sure with these two).

Network
————-

From the network side, the macro has 5 different URLs that it leverages to pull the malicious binary down. Based on what I have seen from the above analysis, the file “xdwno.ocx” that is mentioned in all the URLs ends up being renamed and moved to a new location. So I can only imagine that the file is the same across of the URLs. Also, since the communication stream is encoded/encrypted there is no way of seeing what was moved between the host and the C2s. I checked to see if the URLs were posted to URLHaus and they have been – all pointing to Emotet related links.

Initial request and encrypted/encoded stream

Now there has always been a trick that I have used when playing with malware and that was to suspend a process in Process Explorer and then use a utility called strings2 which would pull a strings process dump and output it to a file for reviewing (command used: strings2 -pid 6472 > regsvr32_pid_6472.log). Now I have a fully executed and unpacked executable running in memory which will hopefully give me some more of the callback IP address. The trick I always use to search for things stemmed from details that I found either in Wireshark or on the host system or ProcMon logs.

Using CyberChef and the regex recipe for IPv4 addresses, and then de-dupping that, I saw that there are 142 possible hits. Most of these look to be related to something else and NOT IP addresses (ie: OID numbers) but only looking in the log file will truly tell us or not. After some more cleaning up of the IP addresses, I believe that the current list of 77 IPs is more true to form. Those IPs can be found below.

1.234.2.232, 1.234.21.73, 1.79.205.117, 101.50.0.91, 103.132.242.26, 103.43.46.182, 103.70.28.102, 103.75.201.2, 103.85.160.5, 104.168.154.79, 107.182.225.142, 110.232.117.186, 119.193.124.41, 129.232.188.93, 131.100.24.199, 131.100.24.231, 134.122.66.193, 134.195.212.50, 136.243.32.168, 138.197.147.101, 138.197.90.158, 138.201.142.73, 144.217.88.125, 146.59.226.45, 149.56.131.28, 151.106.112.196, 153.126.146.25, 158.69.222.101, 159.65.88.10, 160.16.142.56, 164.68.99.3, 167.172.253.162, 167.99.115.35, 172.104.251.154, 173.212.193.249, 176.104.106.96, 176.31.163.17, 183.111.227.137, 185.157.82.211, 185.4.135.165, 185.8.212.130, 187.84.80.182, 188.44.20.25, 189.126.111.200, 196.218.30.83, 197.242.150.244, 201.94.166.162, 203.114.109.124, 206.189.28.199, 209.126.98.206, 209.250.246.206, 209.97.163.214, 212.237.17.99, 212.24.98.99, 216.158.226.206, 217.79.180.211, 27.54.89.58, 38.201.142.73, 45.118.115.99, 45.176.232.124, 45.235.8.30, 46.55.222.11, 49.231.16.102, 5.9.116.246, 50.30.40.196, 51.210.176.76, 51.254.140.238, 51.79.205.117, 51.91.7.5, 51.91.76.89, 58.227.42.236, 62.75.251.60, 72.15.201.15, 82.165.152.127, 91.207.28.33, 93.104.209.56, 94.23.45.86

Using the above list of IPs within a Wireshark filter I checked to see if there may have been a C2 that I missed. Based on what I saw on the narrowed list, it looks like the only ones that were used were the following IPs: 138.201.142.73, 51.79.205.117, and 49.231.16.102 which all used port 8080 as well.

Which makes sense when you look at the “Conversations” section in Wireshark.

This was also verified to be the case using Brim.

Filter: event_type==”alert” | alerts := union(alert.category) by src_ip, dest_ip

_path==”conn” id.resp_p==8080 | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq | sort id.resp_h

Some other notable finds in the string output can be found below.

https://138.201.142.73/
DefaultConnectionSettings
*htt
NT Authority\NetworkService
LRPC-18860bf76c52cb0581
LRPC-5c7b8b81435912f5ee
BOBSXPC_F89AB791
WinHTTP global session
eClassInfo
NT AUTHORITY\LOCAL SERVICE
Microsoft\Windows\INetCache
138.201.142.73

C:\W
138.197.147.101
134.195.212.50
104.168.154.79
149.56.131.28
129.232.188.93
212.24.98.99
119.193.124.41
45.118.115.99
188.44.20.25
0 N8
qN@U
VP61
J
+s
nistP256
3Wk1^
webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-71636547-298464360-2636078362-1001
HMEN
<"Y]
n30'
mnf~
gWk&c[?
*RIZ
51.254.140.238
167.99.115.35
164.68.99.3
167.172.253.162
151.106.112.196
134.122.66.193
203.114.109.124
58.227.42.236
185.4.135.165
206.189.28.199
201.94.166.162
146.59.226.45
212.237.17.99
103.132.242.26
187.84.80.182
176.104.106.96
185.157.82.211
107.182.225.142
173.212.193.249
45.176.232.124
50.30.40.196
51.91.7.5
101.50.0.91
209.126.98.206
216.158.226.206
131.100.24.231
1.234.21.73
185.8.212.130
82.165.152.127
103.75.201.2
45.235.8.30
Software\Policies\Microsoft\SystemCertificates\Disallowed
94.23.45.86
91.207.28.33
153.126.146.25
https://138.201.142.73:8080/CygvxqYWbfaWpFWYevWeXEfwbttoD
172.104.251.154
72.15.201.15
103.70.28.102
RE\Microso
DECD
ASYC
196.218.30.83
46.55.222.11
1.234.2.232
209.250.246.206
27.54.89.58
209.97.163.214
183.111.227.137
110.232.117.186
103.43.46.182
159.65.88.10
189.126.111.200
5.9.116.246
C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache
158.69.222.101
f
r%u
LMEM`
51.91.76.89
197.242.150.244
160.16.142.56
QUUU
%bw+s
J:s)
^:u/}r
X2Ep0
3Th\
ij98
-b 4
_eNs}
G2L%r` 
C#;<]
VV9r
4R6f
LB2D
Jpou
t/mixed multipart/x-mixed-replace multipart/x-byteranges 
138.201.142.73:8080
Global Security
IT Department
LMEM
C:\Windows\system32
ObjectLength
C:\Users\bob\Documents\
C:\Users\bob\AppData\Local\Temp\gksq.exe
"C:\Users\bob\AppData\Local\Temp\\gksq.exe" "C:\Users\bob\AppData\Local\Temp\7CE.tmp"
Winsta0\Default
=::=::\
=C:=C:\Users\bob\Documents
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\bob\AppData\Roaming
ChocolateyInstall=C:\ProgramData\chocolatey
ChocolateyLastPathUpdate=132946321721968358
ChocolateyToolsLocation=C:\Tools
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=BOBS-PC
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\bob
JAVA_HOME=C:\Program Files\OpenJDK\openjdk-11.0.14.1_1
LOCALAPPDATA=C:\Users\bob\AppData\Local
LOGONSERVER=\\BOBS-PC
NUMBER_OF_PROCESSORS=4
OneDrive=C:\Users\bob\OneDrive
OS=Windows_NT
Path=C:\Program Files\Microsoft Office 15\Root\Office15\;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Python37\Scripts\;C:\Python37\;
Vers
0000
https
9F
?
Enab
ncalrpc
erId
yPath
blank
about:blank
about
winh
Cache
Files\Microso
Office 15\Root\Office15\;C:\P
on37\Scr
\;C:
arter;C:\Windows\system32;C:\Win
sPow
Shell\
ft\W 
ps;C
r;;C
ogra
usca
ools
ewer
File
chocolat
\Program
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
\\?\C:\Windows\system32\TenantRestrictionsPlugin.dll
-deobfu
or-g
CKM
TenantRestrictions\Payload
dConnRouteHelper.dll
actor;C:\Tools\
ledu
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
SysA
Data
oft Office 15\root\Client
multipart/mixed
multipart/x-mixed-replace
multipart/x-byteranges
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
CHINE\So
regsvr32.exe
C:\Windows\system32\IPHLPAPI.DLL
Security=Impersonation Dynamic True
C:\Windows\system32\negoexts.DLL
C:\Windows\SYSTEM32\WINNSI.DLL
/CygvxqYWbfaWpFWYevWeXEfwbttoD
.dll
C:\Windows\system32\mswsock.dll
oot%\System32\winrnr.dll
"W 
C:\Windows\SYSTEM32\winhttp.dll
Microsoft Package Negotiator
NegoExtender Security Package
C:\Windows\system32\kerberos.DLL
C:\Windows\system32\tspkg.DLL
bfaW@p
C:\Windows\system32\msv1_0.DLL
C:\Windows\system32\pku2u.DLL
C:\Windows\system32\cloudAP.DLL
Digest Authentication for Windows
38.201.142.73
oot%\system32\napinsp.dll
C:\Windows\System32\fwpuclnt.dll
%;Ye
1a09
per]
Ldap
/TXoXaxO0
fZGGw
Disp
pace
Bluetooth Namespace
KERN
@%SystemRoot%\System32\mswsock.dll,-60100
%SystemRoot%\system32\mswsock.dll
@%SystemRoot%\System32\mswsock.dll,-60101
temRoot%\system32\mswsock.dll
@%SystemRoot%\System32\mswsock.dll,-60102
@%SystemRoot%\System32\mswsock.dll,-60200
@%SystemRoot%\System32\mswsock.dll,-60201
@%SystemRoot%\System32\mswsock.dll,-60202
AF_UNIX
@%SystemRoot%\System32\wshqos.dll,-100
@%SystemRoot%\System32\wshqos.dll,-101
@%SystemRoot%\System32\wshqos.dll,-102
@%SystemRoot%\System32\wshqos.dll,-103
Hyper-V RAW
MSAFD L2CAP [Bluetooth]
MSAFD RfComm [Bluetooth]
2\ms
%SystemRoot%\system32\napinsp.dll
mvvI
,{M%
SystemRoot%\system32\pnrpnsp.dll
%SystemRoot%\system32\wshbth.dll
:$Bf
%SystemRoot%\system32\NLAapi.dll
%SystemRoot%\System32\mswsock.dll
%SystemRoot%\System32\winrnr.dll
Cookie: CGn=RZce6velaVAavs9Vz6HD9gdvOY/yUNF169kqGHcQFGbqv3XzbjLbGoPwfyu027kc6V/OUiLXNGbCVV9r5fbTMNUUttVpDYzpDabBYFhpnl7n4R6feWmpLB2D+p8+AjtT2LhfJpouVMBzzqr/o3pNyKSN0rKOl4RNO/olIER6zITfyMLUb9Y6WOj0M7GUs9a6BYiJG3n3XoHoONjbOJtpNADth7x62WgVwULrpJOfN7XzSIC4
_7U@
=#D}U0
2pXV
pp#J
nasko ]
73:8
6a9e4b91-efd8-442a-a775-1a305f211a09
Microsoft SSL Protocol Provider
3lss
KSSM
LI2p
dB5
gn
7fY-
?9Z:S
H[ub
<OX
IRcK
London1
Global Security1
IT Department1
example.com0
220421100754Z
230421100754Z0w1
?&$e`
4rJrU
)8^%
!0Xi
g0;>j
0=:;
S0Q0
AY|d
:3dT1
a4)9
1ID#
G)iAa
LMEMh
Software\Policies\Microsoft\Internet Explorer\Main
Inet
AAAA
https://51.79.205.117:8080/ybpctyJzcgGEYDHzyDqgSCFZykaEYstpxThipCWAbjbeuHvCjVy
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
https://138.201.142.73:8080/yxhFFEKXSLVJiqrJqsKvQpPwKBMOfnqEcWJAYkUnnefMrvpJdtgH
https://138.201.142.73:8080/pWmeiofEVUpSKbjVMIJGgGGTnZPhlVHXSZEuKVZwyGyqDkkiFrNJU
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
https://138.201.142.73:8080/WFSfONUSzlPKMhGXfoxFmsKwDhqnCFeAvIAAJgJEZdL
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
C:\Windows\System32\cryptnet.dll
C:\Windows\System32\inetcomm.dll
\Windo
JiqrJqsKvQpPwKBMOfnqEcWJAYkUnnefMrvpJdtgH HTTP/1.1
Cookie: eTqLUPatfIeLbrR=RZce6velaVAavs9Vz6HD9gdvOY/yUNF169kqGHcQFGbqv3XzbjLbGoPwfyu027kc6V/OUiLXNGbCVV9r5fbTMNUUttVpDYzpDabBYFhpnl7n4R6feWmpLB2D+p8+AjtT2LhfJpouVMBzzqr/o3pNyKSN0rKOl4RNO/olIER6zITfyMLUb9Y6WOj0M7GUs9a6BYiJG3n3XoHoONjbOJtpNGzbtInapdNRy1Iio88ASqaN25qk46/DHO7paUahFbYbyg==
Host: 138.201.142.73:8080
Connection: Keep-Alive
Cache-Control: no-cache
Microsoft ECC TS Root Certificate Authority 2018
Software\Policies\Microsoft\SystemCertificates\Root
Software\Policies\Microsoft\SystemCertificates\CA
Microsoft Unified Security Protocol Provider
0a0!
/yxhFFEKXSLVJiqrJqsKvQpPwKBMOfnqEcWJAYkUnnefMrvpJdtgH
https://49.231.16.102/
Microsoft\Windows\History
/kFavVXuoLsrLqvwgzIBHcHvgj
https://51.79.205.117/
yxhFFEKXSLVJiqrJqsKvQpPwKBMOfnqEcWJAYkUnnefMrvpJdtgH
Microsoft Enhanced RSA and AES Cryptographic Provider
/iPJDVKdeIdeeGeTiufOLU
%s\regsvr32.exe "%s\%s"
osof
c Provider
feedplat:
feedplat
C:\Windows\SysWOW64
/KdwWnbWtYeFKxljBvFmxRZMuCq
49.231.16.102
ographic Provider
22 0
SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
https://138.201.142.73:8080/drmmCGVTpGpPzuWWLvegISCcDsCUjRAvPBVedLMkFX
tls-server-end-point:-$
/XPWtiGbJCQaEslhzkiFbwIHCxRbuXKptqVwF
/dDWPyHglVcZwUAFahqJzBPLhbyDtaCpXLVO
Software\Microsoft\Cryptography\Offload
https://138.201.142.73:8080/uEgGYmxPy
https://138.201.142.73:8080/oSsqkDLRp
/drmmCGVTpGpPzuWWLvegISCcDsCUjRAvPBVedLMkFX
RSA1
5vdez
\??\C:\Windows\system32\certutil.exe
/TXoXaxOVmgNxEPImPYRovmPQbNpYBbqfZGGw
92361039-fdb4-4354-afbd-8d7d73da8e7f
MSHist012022041120220418
LMEM8
https://138.201.142.73:8080/zHkKMTkeN
RZce6velaVAavs9Vz6HD9gdvOY/yUNF169kqGHcQFGbqv3XzbjLbGoPwfyu027kc6V/OUiLXNGbCVV9r5fbTMNUUttVpDYzpDabBYFhpnl7n4R6feWmpLB2D+p8+AjtT2LhfJpouVMBzzqr/o3pNyKSN0rKOl4RNO/olIER6zITfyMLUb9Y6WOj0M7GUs9a6BYiJG3n3XoHoONjbOJtpNGzbtInapdNRy1Iio88ASqaN25qk46/DHO7paUahFbYbyg==
C:\Users\bob\AppData\Local\Temp
pAW HTTP/1.1
Cookie: bAozrxhKjDv=RZce6velaVAavs9Vz6HD9gdvOY/yUNF169kqGHcQFGbqv3XzbjLbGoPwfyu027kc6V/OUiLXNGbCVV9r5fbTMNUUttVpDYzpDabBYFhpnl7n4R6feWmpLB2D+p8+AjtT2LhfJpouVMBzzqr/o3pNyKSN0rKOl4RNO/olIER6zITfyMLUb9Y6WOj0M7GUs9a6BYiJG3n3XoHoONjbOJtpNA9c9j3tqdd1GrIA3bXCpIMQ2U2R5gXKnkufm1JHpCVb8kWsZkavlvH9GlOGH1eTtNLVlezdXTfHEFgIc8hZKETlhPJbrLyM1kKXsC0kuJq2GcAXtGfdz/pN+fuA1yj8cVK8Bardus9WsiD3
69kqGHcQFGbqv3XzbjLbGoPwfyu027kc6V/OUiLXNGbCVV9r5fbTMIuqQ25PGrRDL8+4WxADoFQBHJ55oGNeyerq/4vjh9UKYAzrsARtbZJfgHo+lky80MMmEhCbbUpmh8M0A2mrjo3szy8oldooWY5tORs62PR9hH2lFLoBeHvwW6o23v7DtnVZADYLoDZ+xa67X1CsGQXkWvL0MuoxqCBrS6PJp+qfmQ==
69kqGHcQFGbqv3XzbjLbGoPwfyu027kc6V/OUiLXNGbCVV9r5fbTMNUUttVpDYzpDabBYFhpnl7n4R6feWmpLB2D+p8+AjtT2LhfJpouVMBzzqr/o3pNyKSN0rKOl4RNO/olIER6zITfyMLUb9Y6WOj0M7GUs9a6BYiJG3n3XoHoONjbOJtpNPsAt5/TW4F6U4R3mt3HbelRloQk1MJUJK1Ud2UUMon3hYtddHk=
NTLM
CloudAP
WDigest
pku2u
TSSSP
a5M'3
Schannel Security Package
NegoExtender
TS Service Security Package
Cloud AP Security Package
dummy://url/
Default TLS SSP
CRqqqq
2.5.29.32
%2.5.29.37
#2.5.29.35
RUUU
YKSM
2.5.29.14
2.5.29.15
ASSM
2.5.29.1
2.5.29.19
2.5.29.31
ADDD
C:\Users\bob\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012022042220220423\
9f#9t
Root Agency0
960528220259Z
391231235959Z0
Root Agency0[0
GFor Testing Purposes Only Sample Software Publishing Credentials Agency0G
Root Agency
-.>{

 

 

Microsoft Defender for Endpoint
———————————————–
On another test VM with Microsoft Defender running and nothing else on the system, I ran the sample (xojftnrktg.fqd) to see what would happen and what MSDE would see/alert on and also if I could come up with a KQL query or two as well. Note: I still have some tuning to do as I just got the subscription up and running. In this case MSDE did NOT stop anything and just alerted on the activity (which is kind of what I wanted anyways). Also the times are off since this was after running it on the other VM!

It took a couple of minutes for the activity to get flagged and reported in the MSDE portal once I ran the OCX file. But once it reported back, MSDE’s portal lite up like a Christmas tree! Below are the alerts that MSDE saw on the system.

Considering that I already knew where the starting point was for this infection and how the infection chain proceeded from there, I came up with a quick KQL query to show me anything that had the PIDs of 4080 (regsvr32.exe) and 1140 (powershell.exe).

search in (AlertInfo, AlertEvidence, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents) ProcessId == "4080"
or InitiatingProcessId == "4080" or InitiatingProcessId == "1140"
| project-away DeviceId, DeviceName, InitiatingProcessAccountDomain

Results of the KQL query

I haven’t been able to vet the results of that query with the results from ProcMon/Wireshark as of yet, but it was able to catch three more IP addresses that I didn’t see on the other VM along with the port 7080 being used. So I think it looks promising, but more “playing” will need to be had.

Artifacts
==========

OSINT
———-
https://urlhaus.abuse.ch/browse.php?search=congtycamvinh.com%2Fplugins%2FjG3iqpQaTL1TXYMolH
https://urlhaus.abuse.ch/browse.php?search=ecube.com.mx
https://urlhaus.abuse.ch/browse.php?search=dulichdichvu.net%2F
https://urlhaus.abuse.ch/browse.php?search=gnif.org%2Fadministrator
https://urlhaus.abuse.ch/browse.php?search=edoraseguros.com.br
https://urlhaus.abuse.ch/browse.php?search=sanoma.allrent.nl

IP addresses
—————–
69.163.185.102 (tcp/80)
209.126.103.109 (tcp/443)
138.201.142.73 (tcp/8080)
51.79.205.117 (tcp/8080)
49.231.16.102 (tcp/8080)
131.100.24.199 (tcp/7080)
103.85.160.5 (tcp/443)
138.201.142.73 (tcp/8080)
See list of IPs from strings2 output as well

URLs
———
hxxp://congtycamvinh.com/plugins/jG3iqpQaTL1TXYMolH/
hxxp://ecube.com.mx/e2oCWBnC/6wp2K4sfQmVIRy6ZvdiH/
hxxp://dulichdichvu.net/libraries/6vhzwoZoNDSMtSC/
hxxp://gnif.org/administrator/G68HwUGlKNJNU2vh5cz/
hxxps://edoraseguros.com.br/cgi-bin/l7ZERv5deNsfzlZUZ/
hxxps://sanoma.allrent.nl/cgi-bin/KXbI5OhLJ/

File hashes
—————
806a254729b816be1c0edb252f1e64f6d7f8b3a7fbcfd217cb414f623c37d17b – Form Dt 04.22.2022.zip
ef5d556b61ce8a29f7a79af93fe21c9e226de504e9ddbafa4faedaa74a1ce45b – Form Dt 04.22.2022.xls
3292bc764f98e7e39c91a30343276bb3ebc9a930f71c9c02d6c6b6c126d22f99 – xojftnrktg.fqd / xdwno.ocx

Munin results
——————-
1 / 1 > Malicious
HASH: 3292bc764f98e7e39c91a30343276bb3ebc9a930f71c9c02d6c6b6c126d22f99
VIRUS: Microsoft: Trojan:Win32/Wacatac.B!ml / Kaspersky: Trojan.Win64.Zenpak.avk / ESET-NOD32: Win64/Emotet.AH
TYPE: Win32 DLL SIZE: 626.0 KB FILENAMES: emotet_exe_e4_3292bc764f98e7e39c91a30343276bb3ebc9a930f71c9c02d6c6b6c126d22f99_2022-04-23__005633._exe
FIRST: 2022-04-23 00:56:36 LAST: 2022-04-23 00:56:36 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 0 USERS: – TAGS: 64BITS ASSEMBLY PEDLL
RESULT: 11 / 67
[!] Sample on URLHaus URL: https://urlhaus-api.abuse.ch/v1/download/3292bc764f98e7e39c91a30343276bb3ebc9a930f71c9c02d6c6b6c126d22f99/
[!] URLHaus info TYPE: dll FIRST_SEEN: 2022-04-23 01:00:03 LAST_SEEN: None URL_COUNT: 1
[!] URLHaus STATUS: online URL: https://edoraseguros.com.br/cgi-bin/l7ZERv5deNsfzlZUZ/

Machinae results
———————–
********************************************************************************
* Information for 806a254729b816be1c0edb252f1e64f6d7f8b3a7fbcfd217cb414f623c37d17b
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2022-04-24 00:25:00
[-] Detected engines: 0
[-] Total engines: 60
[!] Error from MetaDefender File Report: 404 Client Error: Not Found for url: https://api.metadefender.com/v4/hash/806a254729b816be1c0edb252f1e64f6d7f8b3a7fbcfd217cb414f623c37d17b

********************************************************************************
* Information for ef5d556b61ce8a29f7a79af93fe21c9e226de504e9ddbafa4faedaa74a1ce45b
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2022-04-22 16:22:40
[-] Detected engines: 12
[-] Total engines: 59
[-] Scans: (‘Sangfor’, ‘Malware.Generic-XLM[.]Save[.]ma29’)
[-] Scans: (‘K7AntiVirus’, ‘Trojan ( 0059086a1 )’)
[-] Scans: (‘K7GW’, ‘Trojan ( 0059086a1 )’)
[-] Scans: (‘Symantec’, ‘CL[.]Suspexec!gen128’)
[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan[.]MSOffice[.]Generic’)
[-] Scans: (‘F-Secure’, ‘Heuristic[.]HEUR/Agent.B2’)
[-] Scans: (‘Avira’, ‘HEUR/Agent.B2’)
[-] Scans: (‘ZoneAlarm’, ‘HEUR:Trojan[.]MSOffice[.]Generic’)
[-] Scans: (‘Cynet’, ‘Malicious (score: 99)’)
[-] Scans: (‘Rising’, ‘Downloader[.]Agent/XLM!1.DD61 (CLASSIC)’)
[-] Scans: (‘Ikarus’, ‘Trojan-Downloader[.]XLM[.]Agent’)
[-] Scans: (‘Fortinet’, ‘MSExcel/Agent[.]DKF!tr[.]dldr’)
[+] MetaDefender File Report Results
[-] Date submitted: 2022-04-24T08:07:23.359Z
[-] Detected engines: 11
[-] Total engines: 35
[-] Scans: (‘Avira’, ‘HEUR/Agent.B2’)
[-] Scans: (‘Bitdefender’, ‘Trojan[.]GenericKD.39546086’)
[-] Scans: (‘Cyren’, ‘XF/Agent[.]BG[.]gen!Eldorado’)
[-] Scans: (‘ESET’, ‘DOC/TrojanDownloader[.]Agent[.]DYV trojan’)
[-] Scans: (‘Emsisoft’, ‘Trojan[.]GenericKD.39546086 (B)’)
[-] Scans: (‘HAURI’, ‘XLS.Z[.]Agent.71680.J’)
[-] Scans: (‘IKARUS’, ‘Trojan-Downloader[.]XLM[.]Agent’)
[-] Scans: (‘K7’, ‘Trojan ( 0059086a1 )’)
[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan.MSOffice[.]Agent[.]gen’)
[-] Scans: (‘McAfee’, ‘RDN/GenericOLE’)
[-] Scans: (‘RocketCyber’, ”)
[-] Scans: (‘Sophos’, ‘Troj/DocDl-AFZP’)
[-] Scans: (‘Webroot SMD’, ”)
[-] Scans: (‘Scrutiny’, ‘Unavailable (production)’)

********************************************************************************
* Information for 3292bc764f98e7e39c91a30343276bb3ebc9a930f71c9c02d6c6b6c126d22f99
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2022-04-23 00:56:36
[-] Detected engines: 11
[-] Total engines: 67
[-] Scans: (‘Elastic’, ‘malicious (high confidence)’)
[-] Scans: (‘K7GW’, ‘Trojan ( 00591e3a1 )’)
[-] Scans: (‘Cyren’, ‘W64/Emotet[.]EJB[.]gen!Eldorado’)
[-] Scans: (‘ESET-NOD32’, ‘Win64/Emotet[.]AH’)
[-] Scans: (‘Kaspersky’, ‘Trojan.Win64[.]Zenpak[.]avk’)
[-] Scans: (‘Avast’, ‘Win64:CrypterX-gen [Trj]’)
[-] Scans: (‘FireEye’, ‘Generic[.]mg[.]fc8edf4084b30379’)
[-] Scans: (‘Microsoft’, ‘Trojan:Win32/Wacatac.B!ml’)
[-] Scans: (‘Rising’, ‘Trojan[.]Kryptik!8.8 (C64:YzY0OgbYq8/Y0DuEUg)’)
[-] Scans: (‘Fortinet’, ‘W64/Kryptik.L2IL!tr’)
[-] Scans: (‘AVG’, ‘Win64:CrypterX-gen [Trj]’)
[+] MetaDefender File Report Results
[-] Date submitted: 2022-04-24T09:36:17.425Z
[-] Detected engines: 10
[-] Total engines: 35
[-] Scans: (‘AhnLab’, ‘Malware/Win[.]Generic’)
[-] Scans: (‘Bitdefender’, ‘Trojan[.]GenericKD.50184049’)
[-] Scans: (‘ClamAV’, ‘Win[.]Packed[.]Zenpak-9946539-0’)
[-] Scans: (‘Cyren’, ‘W64/Emotet[.]EJB[.]gen!Eldorado’)
[-] Scans: (‘ESET’, ‘Win64/Emotet[.]AH trojan’)
[-] Scans: (‘Emsisoft’, ‘Trojan[.]GenericKD.50184049 (B)’)
[-] Scans: (‘Huorong’, ‘Trojan/Emotet[.]mt’)
[-] Scans: (‘K7’, ‘Trojan ( 00591e3a1 )’)
[-] Scans: (‘Kaspersky’, ‘Trojan.Win64[.]Zenpak[.]avk’)
[-] Scans: (‘Scrutiny’, ‘Unavailable (production)’)
[-] Scans: (‘Webroot SMD’, ‘Malware’)

********************************************************************************
* Information for congtycamvinh.com
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=congtycamvinh.com (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2019-08-08’, ‘123[.]30.143.28’)
[-] pDNS data from VirusTotal: (‘2019-08-03′, ’35[.]240.224.208’)
[-] pDNS data from VirusTotal: (‘2019-08-07′, ’45[.]122.220.107’)
[-] pDNS data from VirusTotal: (‘2019-11-20′, ’45[.]122.220.108′)
[-] No McAfee Threat Results

********************************************************************************
* Information for ecube.com.mx
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=ecube.com.mx (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2016-05-01’, ‘104[.]236.196.201’)
[-] pDNS data from VirusTotal: (‘2019-12-13’, ‘174[.]136.26.136’)
[-] pDNS data from VirusTotal: (‘2022-03-12′, ’72[.]249.55.80′)
[-] No McAfee Threat Results

********************************************************************************
* Information for dulichdichvu.net
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=dulichdichvu.net (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2015-03-23’, ‘123[.]30.143.28’)
[-] pDNS data from VirusTotal: (‘2019-08-13′, ’45[.]122.220.108’)
[-] pDNS data from VirusTotal: (‘2019-07-23′, ’45[.]252.250.114′)
[-] Webutation Safety score: 70
[-] No McAfee Threat Results

********************************************************************************
* Information for gnif.org
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=gnif.org (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[!] Error from Fortinet Category: 429 Client Error: Too Many Requests for url: https://www.fortiguard.com/webfilter?q=gnif.org
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2019-01-24’, ‘104[.]27.128.121’)
[-] pDNS data from VirusTotal: (‘2019-01-24’, ‘104[.]27.129.121’)
[-] pDNS data from VirusTotal: (‘2015-02-21′, ’69[.]163.166.2’)
[-] pDNS data from VirusTotal: (‘2019-02-03′, ’69[.]163.184.228’)
[-] pDNS data from VirusTotal: (‘2019-02-02′, ’69[.]163.185.101’)
[-] pDNS data from VirusTotal: (‘2019-11-18′, ’69[.]163.185.102′)
[-] Webutation Safety score: 100
[-] No McAfee Threat Results

********************************************************************************
* Information for edoraseguros.com.br
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=edoraseguros.com.br (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[!] Error from Fortinet Category: 429 Client Error: Too Many Requests for url: https://www.fortiguard.com/webfilter?q=edoraseguros.com.br
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2020-10-02’, ‘209[.]126.102.171’)
[-] pDNS data from VirusTotal: (‘2021-08-02’, ‘209[.]126.103.109′)
[-] No McAfee Threat Results

********************************************************************************
* Information for sanoma.allrent.nl
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=sanoma.allrent.nl (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[!] Error from Fortinet Category: 429 Client Error: Too Many Requests for url: https://www.fortiguard.com/webfilter?q=sanoma.allrent.nl
[!] Error from VirusTotal pDNS: Expecting value: line 1 column 1 (char 0)
[-] No McAfee Threat Results

********************************************************************************
* Information for 131.100.24.199
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[!] Error from IP Whois: Whois RWS lookup failed for ‘http://rdap.lacnic.net/rdap/ip/131.100.24.199’.
[+] IPVoid Results
[-] Number of detections: 4
[-] IP Void Detection Rate: 4%
[-] Engines: (‘Feodo Tracker’, ‘(hXXps)://feodotracker[.]abuse[.]ch/’)
[-] Engines: (‘IPsum’, ‘hXXps://github[.]com/stamparm/ipsum’)
[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps)://www[.]redstout[.]com/index[.]html’)
[-] Engines: (‘Snapt NovaSense’, ‘hXXps://novasense-threats[.]com/’)
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=131.100.24.199 (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 1
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/131.100.24.199
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/131.100.24.199
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2022-04-01’, ‘bad[.]yourironcore[.]com’)
[-] pDNS data from VirusTotal: (‘2022-04-18’, ‘mail.comendabrasil[.]com[.]br’)
[-] pDNS data from VirusTotal: (‘2022-04-06’, ‘mail.indicacaohomenageado[.]com[.]br’)
[-] pDNS data from VirusTotal: (‘2022-04-06’, ‘mail.shopday[.]com[.]br’)
[-] pDNS data from VirusTotal: (‘2022-04-06’, ‘webmail.institutolideres[.]com[.]br’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://131[.]100.24.199/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXp://131[.]100.24.199:7080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXps://131[.]100.24.199:7080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-08’, ‘hXXps://131[.]100.24.199:2303/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-08’, ‘hXXps://131[.]100.24.199:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-08’, ‘hXXp://131[.]100.24.199:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-08’, ‘hXXp://131[.]100.24.199:2303/’)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

********************************************************************************
* Information for 103.85.160.5
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] IP Whois Results
[-] ASN Information: (‘136262’, ‘103[.]85.160.0/24’, ‘2017-02-13’, ‘apnic’, ‘BD’)
[-] Network Information: (‘103[.]85.160.0/22’, ‘ORG-APCL1-AP’, ‘Asia Pacific Communication Limited administrator’, ‘103[.]85.160.0 – 103[.]85.163.255’)
[-] Registration Info: (‘Asia Pacific Communication Limited’, ‘2017-02-13’, ‘2020-07-29’)
[-] Registration Locality: BD
[-] Abuse Email: khalid@apclbd[.]net
khalid@apclbd[.]net
[+] IPVoid Results
[-] Number of detections: 4
[-] IP Void Detection Rate: 4%
[-] Engines: (‘Feodo Tracker’, ‘(hXXps)://feodotracker[.]abuse[.]ch/’)
[-] Engines: (‘IPsum’, ‘hXXps://github[.]com/stamparm/ipsum’)
[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps)://www[.]redstout[.]com/index[.]html’)
[-] Engines: (‘Snapt NovaSense’, ‘hXXps://novasense-threats[.]com/’)
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=103.85.160.5 (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[-] No AbuseIPDB Results
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/103.85.160.5
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/103.85.160.5
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2022-03-29’, ‘bad2[.]yourironcore[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://103[.]85.160.5:443/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXp://103[.]85.160.5:443/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXps://103[.]85.160.5/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-18’, ‘hXXp://103[.]85.160.5/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-08’, ‘hXXps://103[.]85.160.5:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-08’, ‘hXXp://103[.]85.160.5:8080/’)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

********************************************************************************
* Information for 138.201.142.73
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] IP Whois Results
[-] ASN Information: (‘24940’, ‘138[.]201.0.0/16’, ‘1990-05-23’, ‘ripencc’, ‘DE’)
[-] Network Information: (‘138[.]201.142.64/26’, ‘HETZNER-fsn1-dc8’, ‘138[.]201.142.64 – 138[.]201.142.127’)
[-] Registration Info: (‘Hetzner Online GmbH\nDatacenter fsn1-dc8’, ‘2018-03-15’, ‘2018-03-15’)
[-] Registration Locality: DE
[-] Abuse Email: abuse@hetzner[.]com
[+] IPVoid Results
[-] Number of detections: 7
[-] IP Void Detection Rate: 8%
[-] Engines: (‘BlockedServersRBL’, ‘(hXXps)://www[.]blockedservers[.]com/’)
[-] Engines: (‘Blocklist[.]net[.]ua’, ‘(hXXps)://blocklist[.]net[.]ua/’)
[-] Engines: (‘Feodo Tracker’, ‘(hXXps)://feodotracker[.]abuse[.]ch/’)
[-] Engines: (‘IPsum’, ‘hXXps://github[.]com/stamparm/ipsum’)
[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps)://www[.]redstout[.]com/index[.]html’)
[-] Engines: (‘Snapt NovaSense’, ‘hXXps://novasense-threats[.]com/’)
[-] Engines: (‘TweetFeed’, ‘hXXps://github[.]com/0xDanielLopez/TweetFeed’)
[!] Error from Malc0de: HTTPSConnectionPool(host=’malc0de.com’, port=443): Max retries exceeded with url: /database/index.php?search=138.201.142.73 (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)’)))
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 57
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/138.201.142.73
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/138.201.142.73
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2022-04-22’, ‘static.73[.]142.201.138.clients[.]your-server[.]de’)
[-] pDNS data from VirusTotal: (‘2022-04-22’, ‘www.maxnsam[.]dynu[.]com’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-24’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-24’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-24’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXp://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-23’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-22’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXp://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-21’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXps://138[.]201.142.73/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXp://138[.]201.142.73:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-04-20’, ‘hXXps://138[.]201.142.73:8080/’)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

Leave a Reply

Your email address will not be published.