Emansrepo Stealer: Multi-Vector Attack Chains

    Date: 09/05/2024

    Severity: High

    Summary

    In August 2024, FortiGuard Labs identified Emansrepo, a Python-based infostealer distributed through phishing emails posing as purchase orders and invoices; the campaign has been active since November 2023. Emansrepo collects browser data and files from specific paths, compresses them into a zip archive, and sends the archive to the attacker by email. In the observed chain, the phishing email carried an HTML attachment that redirected the victim to a download link for the stealer, which is packaged with PyInstaller so it runs without a Python installation on the host.

    Indicators of Compromise (IOC) List

    Domains/URLs

    maternamedical.top

    https://dasmake.top/reader/timer.php

    https://estanciaferreira.com.br/wp-includes/tianjin-doc-05082024-xls.7z

    https://hedam.shop/simple/enquiry.7z

    https://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link/wetrankfr.zip

    estanciaferreira.com.br

    https://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link/myscr649612.js

    bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link

    bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link

    hedam.shop

    dweb.link

    dasmake.top

    dasmake.xyz

    w3s.link

    IP Address

    191.101.130.185

    192.236.232.35

    Hash

    bee8da411e71547ac765a5e63e177b59582df438432cc3b540b57a6f1a56dd16
    
    915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32
    
    222dd76c461e70c3cb330bacfcf465751b07331c4f8a4415c09f4cd7c4e6fcd9
    
    ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a
    
    9bd3b8d9ac6ad680b0d0e39b82a439feedd87b9af580f37fa3d80d2c252fef8c
    
    b343cce5381b8633b3fd3da56698f60db70c75422e120235a00517d519e37d8d
    
    64e5c9e7b8dfb8ca8ca73895aa51e585fa7e5414f0e1d10659d3a83b9f770333
    
    18459be33cd4f59081098435a0fbaa649f301f985647a75d21b7fc337378e59b
    
    70ba3d67b476e98419ecbbbb5d81efcb5a07f55a92c96e7b9207176746e3b7a6
    
    9e5580d7c3c22e37b589ec8eea2dae423c8e63f8f666c83edabecf70a0948b99
    
    a6c2df5df1253f50bd49e7083fef6cdac544d97db4a6c9c30d7852c4fd651921
    
    32bcbce53bfee33112b447340e7114d6d46be4ccf1a5391ad685431afdc8fb86
    
    6670e5c7521966e82d091e7adff4e16335f03f2e2740b653adcc9bfe35c7bf9b
    
    9866934dd2b4e411cdabaa7a96a63f153921a6489f01b0b40d7febed48b02c22
    
    4cd8c9fa7f5e2484b73ed9c7be55aa859969c3f21ca2834610102231d337841d
    
    8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f
    
    a2fa6790035c7af64146158f1ed20cb54f4589783e1f260a5d8e4f30b81df70d
    
    dd656953a6844dd9585f05545a513c4e8c2ded13e06cdb67a0e58eda7575a7a4
    
    e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs

    userdomainname like "maternamedical.top" or url like "maternamedical.top" or userdomainname like "https://dasmake.top/reader/timer.php" or url like "https://dasmake.top/reader/timer.php" or userdomainname like "https://estanciaferreira.com.br/wp-includes/tianjin-doc-05082024-xls.7z" or url like "https://estanciaferreira.com.br/wp-includes/tianjin-doc-05082024-xls.7z" or userdomainname like "https://hedam.shop/simple/enquiry.7z" or url like "https://hedam.shop/simple/enquiry.7z" or userdomainname like "https://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link/wetrankfr.zip" or url like "https://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link/wetrankfr.zip" or userdomainname like "estanciaferreira.com.br" or url like "estanciaferreira.com.br" or userdomainname like "https://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link/myscr649612.js" or url like "https://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link/myscr649612.js" or userdomainname like "bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link" or url like "bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link" or userdomainname like "bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link" or url like "bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link" or userdomainname like "hedam.shop" or url like "hedam.shop" or userdomainname like "dweb.link" or url like "dweb.link" or userdomainname like "dasmake.top" or url like "dasmake.top" or userdomainname like "dasmake.xyz" or url like "dasmake.xyz" or userdomainname like "w3s.link" or url like "w3s.link"

    IP Address

    dstipaddress IN ("192.236.232.35","191.101.130.185") or ipaddress IN ("192.236.232.35","191.101.130.185") or publicipaddress IN ("192.236.232.35" , "191.101.130.185") or srcipaddress IN ("192.236.232.35" , "191.101.130.185")

    Hash

    sha256hash IN ("bee8da411e71547ac765a5e63e177b59582df438432cc3b540b57a6f1a56dd16","915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32","222dd76c461e70c3cb330bacfcf465751b07331c4f8a4415c09f4cd7c4e6fcd9","ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a","9bd3b8d9ac6ad680b0d0e39b82a439feedd87b9af580f37fa3d80d2c252fef8c","b343cce5381b8633b3fd3da56698f60db70c75422e120235a00517d519e37d8d","64e5c9e7b8dfb8ca8ca73895aa51e585fa7e5414f0e1d10659d3a83b9f770333","18459be33cd4f59081098435a0fbaa649f301f985647a75d21b7fc337378e59b","70ba3d67b476e98419ecbbbb5d81efcb5a07f55a92c96e7b9207176746e3b7a6","9e5580d7c3c22e37b589ec8eea2dae423c8e63f8f666c83edabecf70a0948b99","a6c2df5df1253f50bd49e7083fef6cdac544d97db4a6c9c30d7852c4fd651921","32bcbce53bfee33112b447340e7114d6d46be4ccf1a5391ad685431afdc8fb86","6670e5c7521966e82d091e7adff4e16335f03f2e2740b653adcc9bfe35c7bf9b","9866934dd2b4e411cdabaa7a96a63f153921a6489f01b0b40d7febed48b02c22","4cd8c9fa7f5e2484b73ed9c7be55aa859969c3f21ca2834610102231d337841d","8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f","a2fa6790035c7af64146158f1ed20cb54f4589783e1f260a5d8e4f30b81df70d","dd656953a6844dd9585f05545a513c4e8c2ded13e06cdb67a0e58eda7575a7a4","e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5")
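    The queries above match indicators by field. When the same IOCs are applied to telemetry from another source (proxy, DNS, EDR), two details matter in practice: a domain indicator should be compared against the host component of a URL (after stripping scheme, port and trailing dot, and including subdomains), not by substring over the whole URL; and dweb.link and w3s.link are shared public IPFS gateways, so a hit on the bare gateway name is low confidence while the CID-specific hostnames and full URLs from the list are high confidence. The following is an added example, not code from the Gurucul page or from FortiGuard Labs; the log records it scans are constructed for illustration and the hash set is a subset of the list above.

```python
"""Field-aware IOC matching for the Emansrepo indicators listed above.

Added example, not code from the Gurucul page or FortiGuard Labs.
SAMPLE_LOGS below are constructed records, not real telemetry.
"""
from urllib.parse import urlsplit

# Indicators copied from the IOC list above (hash set is a subset).
IOC_DOMAINS = {
    "maternamedical.top", "dasmake.top", "dasmake.xyz", "hedam.shop",
    "estanciaferreira.com.br",
    "bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link",
    "bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link",
}
# Public IPFS gateways: shared by many users, so a bare-gateway hit is low confidence.
IOC_GATEWAYS = {"dweb.link", "w3s.link"}
IOC_URLS = {
    "https://dasmake.top/reader/timer.php",
    "https://estanciaferreira.com.br/wp-includes/tianjin-doc-05082024-xls.7z",
    "https://hedam.shop/simple/enquiry.7z",
    "https://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link/wetrankfr.zip",
    "https://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link/myscr649612.js",
}
IOC_IPS = {"191.101.130.185", "192.236.232.35"}
IOC_SHA256 = {
    "bee8da411e71547ac765a5e63e177b59582df438432cc3b540b57a6f1a56dd16",
    "915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32",
}


def host_of(value):
    """Lowercase hostname from a URL or bare host: scheme, port, path and
    trailing dot removed, so domain IOCs are compared against the host only."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # makes urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname
    return host.lower().rstrip(".") if host else None


def domain_match(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    Most specific suffix is tried first, so a CID-specific IPFS hostname wins
    over the shared gateway name. The bare TLD is never tested."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return suffix
    return None


def match_record(rec):
    """Return (field, indicator, confidence) hits for one dict-shaped record.
    Recognized keys: url, domain, src_ip, dst_ip, sha256."""
    hits = []
    url = rec.get("url")
    if url and url.strip() in IOC_URLS:
        hits.append(("url", url.strip(), "high"))
    for field in ("url", "domain"):
        value = rec.get(field)
        host = host_of(value) if value else None
        if not host:
            continue
        if host in IOC_IPS:  # URL with a literal IP host
            hits.append((field, host, "high"))
            continue
        hit = domain_match(host, IOC_DOMAINS)
        if hit:
            hits.append((field, hit, "high"))
        else:
            hit = domain_match(host, IOC_GATEWAYS)
            if hit:
                hits.append((field, hit, "low"))
    for field in ("src_ip", "dst_ip"):
        value = rec.get(field)
        if value and value.strip() in IOC_IPS:
            hits.append((field, value.strip(), "high"))
    sha = rec.get("sha256")
    if sha and sha.strip().lower() in IOC_SHA256:
        hits.append(("sha256", sha.strip().lower(), "high"))
    return hits


def scan(records):
    """Return [(index, hits)] for every record that produced at least one hit."""
    results = []
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            results.append((i, hits))
    return results


SAMPLE_LOGS = [  # constructed records, not real telemetry
    {"src_ip": "10.0.0.8", "url": "https://dasmake.top/reader/timer.php"},
    {"src_ip": "10.0.0.9", "domain": "cdn.dasmake.xyz."},
    {"src_ip": "10.0.0.10", "url": "https://ipfs.dweb.link/ipfs/QmExample/index.html"},
    {"src_ip": "10.0.0.11", "dst_ip": "192.236.232.35"},
    {"host": "ws-17", "sha256": "BEE8DA411E71547AC765A5E63E177B59582DF438432CC3B540B57A6F1A56DD16"},
    {"src_ip": "10.0.0.12", "url": "https://example.com/dasmake.top"},  # host is benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```

    The last sample record has an IOC domain in its path but a benign host; host-based matching does not flag it, whereas a substring match over the raw URL would. Record 2 hits only the shared gateway and is reported as low confidence so it can be triaged rather than blocked outright.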

    Reference:

    https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains


    Tags

    Malware, Phishing
