[Fedor22]

Thanks buddy .

https://www.virustotal.com/en/file/f0fd ... 548862087/

Emotet downloader.
Downloads exe from:

Code: Select all

hxxp://www.vario-reducer.com/wp-content/bGkoUUavZySGn
hxxp://mail.saglikpersoneli.net/sohft/PTYGsf41Witt_k

Connects to CnC server:

Code: Select all

hxxp://173.73.83.146/

[Antelox]

Thanks buddy .

https://www.virustotal.com/en/file/f0fd ... 548862087/

I have got also Qakbot/QBot from the distribution URLs contacted by the doc:

Code: Select all

hxxp://kadinveyasam.org/wp-content/languages/EZ22B35GBTu9z_N
hxxp://mail.saglikpersoneli.net/sohft/PTYGsf41Witt_k
hxxp://mingroups.vn/NYV82LSYWEs_s1
hxxp://www.ontamada.ru/RDUstD0DxgOP
hxxp://www.vario-reducer.com/wp-content/bGkoUUavZySGn

Binary downloaded: https://www.virustotal.com/en/file/6cf9 ... /analysis/

BR,

Antelox

[ikolor]

Thanks you a lot friends

https://www.virustotal.com/en/file/5899 ... 549027314/

[ikolor]

I don't know .

https://www.virustotal.com/en/file/d2e1 ... 549115491/

http://mywedphoto.ru/

[Fedor22]

I don't know .

https://www.virustotal.com/en/file/d2e1 ... 549115491/

http://mywedphoto.ru/

I don't found some kind of malicious here. It's just false positive, not malware.

[ikolor]

thanks you

https://www.virustotal.com/en/file/70f7 ... 549123460/

[Fedor22]

thanks you

https://www.virustotal.com/en/file/70f7 ... 549123460/

Emotet banker (not downloader).
Connects to CnC servers:

Code: Select all

hxxp://201.142.199.76
hxxp://190.159.143.96

[ikolor]

Thanks you Fedor

https://www.virustotal.com/en/file/9af5 ... 549139646/

[ikolor]

next

https://www.virustotal.com/en/file/c8a2 ... 549641274/

[Fedor22]

next

https://www.virustotal.com/en/file/c8a2 ... 549641274/

It's XMR-Stak bitcoin miner, also contains dll component.