- #IOC #OptiData #VR #MassLogger #NET #Stealer #RAR #EXE #PowerShell
- https://pastebin.com/4uXgesYV
- MassLogger identified with help of @James_inthe_box
- Binaries were correctly decoded by @ni_fi_70
- FAQ:
- https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7
- https://github.com/advanced-threat-research/Yara-Rules/blob/master/malware/MALW_masslogger_stealer.yar
- https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html
- https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/
- https://fr3d.hk/blog/masslogger-frankenstein-s-creation
- attack_vector
- --------------
- email attach .dat (RAR) > EXE > PowerShell > GET .jpg > decode > inject > steal
- email_headers
- --------------
- Return-Path: <europamarket@ukr.net>
- Received: from diez.sitserver.es (localhost.localdomain [127.0.0.1])
- by diez.sitserver.es (Postfix) with ESMTPSA id E09911203E87;
- Received: from r-199-61-62-5.ff.avast.com (r-199-61-62-5.ff.avast.com
- [5.62.61.199]) by webmail.publiactiva.com (Horde Framework)
- Date: Tue, 18 Aug 2020 05:53:43 +0000
- From: europamarket@ukr.net
- Subject: Fwd: Супровідний платіж 18-18-2020 08:49:43
- User-Agent: Horde Application Framework 5
- X-FE-ORIG-ENV-FROM: europamarket@ukr.net
- X-FEAS-CLIENT-IP: 95.216.245.200
- files
- --------------
- SHA-256 21bb50ff9f59c9381ba79763f53ee12563502fd647ae20f54868074640a4911d
- File name Untitled attachment 00182.dat [ RAR archive data, vc1, Locked, os: OS/2 ]
- File size 24.01 KB (24586 bytes)
- SHA-256 2f49691118a908eb48c777e70065854e619b438bc317199b3559a1d8d5cddc6d
- File name Доказ оплати...exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
- File size 53.50 KB (54784 bytes)
- SHA-256 c06d5538f6d2e875d49601a403d1cbd3ac636004b4ee106f69a1aa2fa13aeabf
- File name Q9.jpg [ASCII text, with very long lines, with no line terminators]
- File size 5.38 MB (5640802 bytes)
- SHA-256 9fa11ac7c21c590f61767f2cbf7f3e17235cd43bd0587875817d02a624e3c6a4
- File name InstallUtil.exe.inactive [ .NET executable ]
- File size 709.50 KB (726528 bytes)
- SHA-256 82bd8e28f81160039e462330daee5190d7f474e76723aea057ddeadb201bc55c
- File name beef.dll [.NET executable]
- File size 25.00 KB (25600 bytes)
- activity
- **************
- PL_SCR privatnidoktoricacak.com/Q9.jpg
- C2 94.127.7.174
- exfil on smtp.gmail.com
- netwrk
- --------------
- [ssl]
- smtp.gmail.com
- [http]
- 217.26.215.27 privatnidoktoricacak.com GET /Q9.jpg HTTP/1.1
- comp
- --------------
- powershell.exe 3392 TCP 217.26.215.27 80 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\1.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $NjBXI='...';$jm=$NjBXI.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- persist
- --------------
- n/a
- drop
- --------------
- n/a (all done by powershell)
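The powershell.exe command line in the proc section above splits a caret-separated hex string, converts each piece with toint16(...,16) and pipes the result to a backtick-broken IEX. The following is an added example (not part of the paste) that flags that shape in a command line and decodes the payload statically, without executing it; the sample command lines, the stage-2 body and the helper names are constructed here because the paste elides the real string.

```python
import re
from typing import Optional

# Caret-separated hex byte values inside single quotes, e.g. '49^45^58'
HEX_BLOB_RE = re.compile(r"'((?:[0-9A-Fa-f]{1,2}\^)+[0-9A-Fa-f]{1,2})'")
# The three other parts of the loader: Split('^'), toint16(..,16) and I`E`X
SPLIT_RE = re.compile(r"(?i)\.Split\(\s*'\^'\s*\)")
TOINT_RE = re.compile(r"(?i)\[convert\]::toint16\(")
IEX_RE = re.compile(r"(?i)\|\s*I`?E`?X\b")  # backticks are optional


def is_caret_hex_loader(cmdline: str) -> bool:
    """True when all four parts of the pattern are present in one command line."""
    return all(r.search(cmdline) for r in (HEX_BLOB_RE, SPLIT_RE, TOINT_RE, IEX_RE))


def decode_caret_hex(cmdline: str) -> Optional[str]:
    """Statically rebuild the text the loader would hand to IEX (never runs it)."""
    m = HEX_BLOB_RE.search(cmdline)
    if not m:
        return None
    return "".join(chr(int(h, 16)) for h in m.group(1).split("^"))


def to_caret_hex(script: str) -> str:
    """Constructed helper: encode text the way the loader expects, for the sample."""
    return "^".join(f"{ord(c):x}" for c in script)


# Constructed sample in the shape of the paste's command line; a harmless
# stage-2 body stands in for the real one, which the paste does not include.
SAMPLE_STAGE2 = "Write-Host 'stage2'"
SAMPLE_CMDLINE = (
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
    "-ExecutionPolicy Bypass $NjBXI='" + to_caret_hex(SAMPLE_STAGE2) + "';"
    "$jm=$NjBXI.Split('^') | forEach {[char]([convert]::toint16($_,16))};"
    "$jm -join ''|I`E`X"
)
# Constructed benign command line that must not trigger
BENIGN_CMDLINE = "powershell.exe -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(is_caret_hex_loader(line), decode_caret_hex(line))
```

Running the decoder over process-creation telemetry gives the stage-2 text for review instead of only the opaque hex string.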
- # # #
- https://www.virustotal.com/gui/file/21bb50ff9f59c9381ba79763f53ee12563502fd647ae20f54868074640a4911d/details
- https://www.virustotal.com/gui/file/2f49691118a908eb48c777e70065854e619b438bc317199b3559a1d8d5cddc6d/details
- https://www.virustotal.com/gui/file/c06d5538f6d2e875d49601a403d1cbd3ac636004b4ee106f69a1aa2fa13aeabf/details
- https://www.virustotal.com/gui/file/9fa11ac7c21c590f61767f2cbf7f3e17235cd43bd0587875817d02a624e3c6a4/details
- VR