Emansrepo Stealer: Multi-Vector Attack Chains
Sept. 4, 2024, 9:19 a.m.
Description
A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming more complex with multiple stages before downloading Emansrepo. Three main attack chains are described, involving HTML files, AutoIt scripts, and PowerShell commands. The stealer's behavior is divided into three parts, targeting different types of data. A new related campaign using Remcos malware has also been identified. The attackers continuously evolve their methods, emphasizing the importance of cybersecurity awareness for organizations.
Date
Published: Sept. 4, 2024, 8:49 a.m.
Created: Sept. 4, 2024, 8:49 a.m.
Modified: Sept. 4, 2024, 9:19 a.m.
Indicators
Attack Patterns
Emansrepo
Remcos
T1059.006
T1552.001
T1059.005
T1074
T1059.001
T1114
T1056.001
T1555
T1005
T1204
T1041
T1566