
#formbook_220419

VRad, May 9th, 2019 (edited)
#IOC #OptiData #VR #formbook #RAR #EXE

https://pastebin.com/1FMBBK3N

previous_contact:
26/02/19    https://pastebin.com/yLu1cL9K
15/11/18    https://pastebin.com/VFG89LnT
14/11/18    https://pastebin.com/D6VPDyyz

FAQ:

attack_vector
--------------
email attach .RAR > .EXE

email_headers
--------------
n/a

files
--------------
SHA-256     fadf0395c50287c0981c0ba6a5dd94df18d574489760811484f79b678f62dadb
File name   PO19040302.rar              [RAR archive data, v2e,]
File size   259.53 KB (265759 bytes)

SHA-256     03b325328922fd983ab4e2e8de3780c7b7711a14043103cc2d461e378638d640
File name   PO19040302.exe              [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   552 KB (565248 bytes)

activity
**************

netwrk
--------------
192.252.146.28  efficientmechanical{.} com  GET /su/?GT=iAQ...==&zl3D=Ul9L          HTTP/1.1 Continuation   noUA
184.168.221.96  istdama{.} com              GET /su/?GT=+q5...==&zl3D=Ul9L&sql=1    HTTP/1.1 Continuation   noUA
184.168.221.96  istdama{.} com              POST /su/                               HTTP/1.1                Mozilla/4.0
217.70.184.50   thecrudeco{.} com           GET /su/?GT=SsW...==&zl3D=Ul9L&sql=1    HTTP/1.1 Continuation   noUA
217.70.184.50   thecrudeco{.} com           POST /su/                               HTTP/1.1                Mozilla/4.0

comp
--------------
explorer.exe    2045    TCP localhost   40321   192.252.146.28  80  ESTABLISHED
explorer.exe    2045    TCP localhost   40376   184.168.221.96  80  ESTABLISHED
explorer.exe    2045    TCP localhost   40387   217.70.184.50   80  ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\PO19040302.exe
C:\Users\operator\Desktop\PO19040302.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\cmd.exe /c del "C:\Users\operator\Desktop\PO19040302.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
C:\Program Files\Yv4bdn\pr6hzlkspx.exe
C:\Program Files\Yv4bdn\pr6hzlkspx.exe
C:\Windows\System32\netsh.exe
C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

persist
--------------
n/a

drop
--------------
C:\Program Files\Yv4bdn\pr6hzlkspx.exe

# # #
https://www.virustotal.com/gui/file/fadf0395c50287c0981c0ba6a5dd94df18d574489760811484f79b678f62dadb/details
https://www.virustotal.com/gui/file/03b325328922fd983ab4e2e8de3780c7b7711a14043103cc2d461e378638d640/details
https://analyze.intezer.com/#/analyses/dc1d2f98-3f81-4512-ac65-e38538335821

VR