Emansrepo Stealer: Multi-Vector Attack Chains

Sept. 4, 2024, 9:19 a.m.

Description

A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming more complex with multiple stages before downloading Emansrepo. Three main attack chains are described, involving HTML files, AutoIt scripts, and PowerShell commands. The stealer's behavior is divided into three parts, targeting different types of data. A new related campaign using Remcos malware has also been identified. The attackers continuously evolve their methods, emphasizing the importance of cybersecurity awareness for organizations.

Date

Published: Sept. 4, 2024, 8:49 a.m.
Created: Sept. 4, 2024, 8:49 a.m.
Modified: Sept. 4, 2024, 9:19 a.m.

Indicators

SHA-256 file hashes

dd656953a6844dd9585f05545a513c4e8c2ded13e06cdb67a0e58eda7575a7a4

e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5

bee8da411e71547ac765a5e63e177b59582df438432cc3b540b57a6f1a56dd16

ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a

b343cce5381b8633b3fd3da56698f60db70c75422e120235a00517d519e37d8d

a6c2df5df1253f50bd49e7083fef6cdac544d97db4a6c9c30d7852c4fd651921

a2fa6790035c7af64146158f1ed20cb54f4589783e1f260a5d8e4f30b81df70d

9e5580d7c3c22e37b589ec8eea2dae423c8e63f8f666c83edabecf70a0948b99

9bd3b8d9ac6ad680b0d0e39b82a439feedd87b9af580f37fa3d80d2c252fef8c

915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32

9866934dd2b4e411cdabaa7a96a63f153921a6489f01b0b40d7febed48b02c22

8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f

7a9826be22b6d977d6a0e5179f84d8e88b279fe6d9df8f6c93ebc40a6ba70f06

70ba3d67b476e98419ecbbbb5d81efcb5a07f55a92c96e7b9207176746e3b7a6

6e7313b6aa37a00b602e620a25a0b71a74503ea967f1814c6c7b8b192535a043

6670e5c7521966e82d091e7adff4e16335f03f2e2740b653adcc9bfe35c7bf9b

64e5c9e7b8dfb8ca8ca73895aa51e585fa7e5414f0e1d10659d3a83b9f770333

4cd8c9fa7f5e2484b73ed9c7be55aa859969c3f21ca2834610102231d337841d

32bcbce53bfee33112b447340e7114d6d46be4ccf1a5391ad685431afdc8fb86

222dd76c461e70c3cb330bacfcf465751b07331c4f8a4415c09f4cd7c4e6fcd9

18459be33cd4f59081098435a0fbaa649f301f985647a75d21b7fc337378e59b

IP addresses

192.236.232.35

191.101.130.185

URLs

https://hedam.shop/simple/Enquiry.7z

https://dasmake.top/reader/timer.php

https://estanciaferreira.com.br/wp-includes/TIANJIN-DOC-05082024-xls.7z

https://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link/wetrankfr.zip

https://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link/myscr649612.js

Email addresses

publicsmtp@dasmake.xyz

publicbox@dasmake.xyz

stealsmtp@dasmake.xyz

minestealer8412@maternamedical.top

minestealer8412@dasmake.xyz

minesmtp8714@maternamedical.top

hanbox@dasmake.xyz

minesmtp8714@dasmake.xyz

filelogs@maternamedical.top

extensionsmtp@maternamedical.top

cookiesmtp@maternamedical.top

cooklielogs@maternamedical.top
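A hunting script for the indicators above, added here as an example and not part of the original report. It sorts the list into typed sets (SHA-256 hashes, IPs, URLs, mailboxes, plus a host set derived from the URL hostnames and the mailbox domains) and scans log lines for them, so a request for an unlisted path on dasmake.top or mail to a new mailbox at dasmake.xyz still produces a host-level hit rather than silence. The indicator values are copied from the list above; the sample log lines and their formats (squid-style proxy, Postfix-style mail, an EDR file event) are constructed for illustration.

```python
# Added example, not from the original report: type the indicators listed
# above and hunt for them in log lines. IoC values are copied from the page;
# the sample log lines (and their squid/Postfix/EDR-style formats) are constructed.
import re
from urllib.parse import urlparse

IOC_TEXT = """
dd656953a6844dd9585f05545a513c4e8c2ded13e06cdb67a0e58eda7575a7a4
e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5
bee8da411e71547ac765a5e63e177b59582df438432cc3b540b57a6f1a56dd16
ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a
b343cce5381b8633b3fd3da56698f60db70c75422e120235a00517d519e37d8d
a6c2df5df1253f50bd49e7083fef6cdac544d97db4a6c9c30d7852c4fd651921
a2fa6790035c7af64146158f1ed20cb54f4589783e1f260a5d8e4f30b81df70d
9e5580d7c3c22e37b589ec8eea2dae423c8e63f8f666c83edabecf70a0948b99
9bd3b8d9ac6ad680b0d0e39b82a439feedd87b9af580f37fa3d80d2c252fef8c
915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32
9866934dd2b4e411cdabaa7a96a63f153921a6489f01b0b40d7febed48b02c22
8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f
7a9826be22b6d977d6a0e5179f84d8e88b279fe6d9df8f6c93ebc40a6ba70f06
70ba3d67b476e98419ecbbbb5d81efcb5a07f55a92c96e7b9207176746e3b7a6
6e7313b6aa37a00b602e620a25a0b71a74503ea967f1814c6c7b8b192535a043
6670e5c7521966e82d091e7adff4e16335f03f2e2740b653adcc9bfe35c7bf9b
64e5c9e7b8dfb8ca8ca73895aa51e585fa7e5414f0e1d10659d3a83b9f770333
4cd8c9fa7f5e2484b73ed9c7be55aa859969c3f21ca2834610102231d337841d
32bcbce53bfee33112b447340e7114d6d46be4ccf1a5391ad685431afdc8fb86
222dd76c461e70c3cb330bacfcf465751b07331c4f8a4415c09f4cd7c4e6fcd9
18459be33cd4f59081098435a0fbaa649f301f985647a75d21b7fc337378e59b
192.236.232.35 191.101.130.185
https://hedam.shop/simple/Enquiry.7z
https://dasmake.top/reader/timer.php
https://estanciaferreira.com.br/wp-includes/TIANJIN-DOC-05082024-xls.7z
https://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta.ipfs.dweb.link/wetrankfr.zip
https://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y.ipfs.w3s.link/myscr649612.js
publicsmtp@dasmake.xyz publicbox@dasmake.xyz stealsmtp@dasmake.xyz
minestealer8412@maternamedical.top minestealer8412@dasmake.xyz
minesmtp8714@maternamedical.top hanbox@dasmake.xyz minesmtp8714@dasmake.xyz
filelogs@maternamedical.top extensionsmtp@maternamedical.top
cookiesmtp@maternamedical.top cooklielogs@maternamedical.top
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A log token is either a full URL or a run of hostname/mailbox/hash characters.
TOKEN_RE = re.compile(r"""https?://[^\s<>"']+|[A-Za-z0-9._@\-]+""")


def host_of(token):
    """Hostname behind a URL or mailbox token; any other token is returned as-is."""
    if "://" in token:
        return urlparse(token).hostname or ""
    return token.rsplit("@", 1)[-1]


def classify_iocs(text):
    """Sort the indicators into typed, lower-cased sets. 'host' also receives the
    hostnames behind the URLs and the domains behind the mailboxes, so a DNS,
    proxy or mail log matches on an unlisted path or a new mailbox at the same domain."""
    iocs = {k: set() for k in ("sha256", "ip", "url", "email", "host")}
    for tok in text.lower().split():
        if SHA256_RE.match(tok):
            iocs["sha256"].add(tok)
        elif IPV4_RE.match(tok):
            iocs["ip"].add(tok)
        elif "://" in tok or "@" in tok:
            iocs["url" if "://" in tok else "email"].add(tok)
            iocs["host"].add(host_of(tok))
    return iocs


def scan_line(line, iocs):
    """(kind, value) pairs for each indicator in one log line: an exact hash, IP,
    mailbox or URL hit is reported as such; otherwise the token's host is checked."""
    hits = []
    for tok in (t.lower().rstrip(".,;") for t in TOKEN_RE.findall(line)):
        exact = [k for k in ("sha256", "ip", "email", "url") if tok in iocs[k]]
        if exact:
            hits.append((exact[0], tok))
        elif host_of(tok) in iocs["host"]:
            hits.append(("host", host_of(tok)))
    return hits


def hunt(lines, iocs):
    """Map line index -> hits, for the lines that contained any indicator."""
    return {i: h for i, l in enumerate(lines) for h in [scan_line(l, iocs)] if h}


SAMPLE_LOGS = [  # constructed: 0 and 1 hit on host/domain, 2 on a hash, 3 is clean
    "1725432000.123 245 10.0.0.5 TCP_MISS/200 51234 GET https://dasmake.top/reader/other.php - HIER_DIRECT/191.101.130.185 text/html",
    "Sep  4 08:49:12 mx1 postfix/smtp[2231]: 4A1B2C: to=<newbox@dasmake.xyz>, relay=mail.example.net[203.0.113.5]:25, status=sent",
    "2024-09-04T08:49:12Z host=WS-017 event=file_create sha256=dd656953a6844dd9585f05545a513c4e8c2ded13e06cdb67a0e58eda7575a7a4 name=Enquiry.7z",
    "1725432001.456 12 10.0.0.9 TCP_HIT/200 1024 GET https://example.com/index.html - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_LOGS, classify_iocs(IOC_TEXT)).items():
        print(i, hits)
```

The host-level fallback is deliberate: the URL paths and mailbox local-parts in this list are the parts an operator rotates most cheaply, while the domains (dasmake.top, dasmake.xyz, maternamedical.top) and the IPFS gateway hostnames survive longer. Treat a host hit as a lead to confirm, not as a verdict, and expect the generic gateway domains to need allow-listing on networks that use IPFS legitimately.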

Attack Patterns

Emansrepo

Remcos

T1059.006 (Command and Scripting Interpreter: Python)

T1552.001 (Unsecured Credentials: Credentials In Files)

T1059.005 (Command and Scripting Interpreter: Visual Basic)

T1074 (Data Staged)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1114 (Email Collection)

T1056.001 (Input Capture: Keylogging)

T1555 (Credentials from Password Stores)

T1005 (Data from Local System)

T1204 (User Execution)

T1041 (Exfiltration Over C2 Channel)

T1566 (Phishing)