- found by @James_inthe_box
- #quantloader #malspam run: "Emailing: <characters>", zip (malformed; actually a base64 file) -> SMB link -> js -> #quantloader
- https://twitter.com/James_inthe_box/status/980808229260161024
- https://www.hybrid-analysis.com/sample/00ca7e9e61a3ceaa4b9250866aface8af63e5ae71435d4fd6c770a8c9a167f22/5ac21b077ca3e10c8716fbc0
- downloads EvilAmmy ( https://pastebin.com/teJp9PtS )
- ------------------------
- interesting api calls
- ------------------------
- strcat ( "", "http://200.7.111.128/e6/index.php" )
- WININET.DLL StrCmpNICA ( "https", "https://bdns.at/r/biberonata.bit", 5 )
- strlen ( "http://biberonata.bit/e6/index.php" )
- CreateFileA ( "c:\users\xxx\appdata\roaming\16643456\dwm.exe", 0, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING | FILE_FLAG_SEQUENTIAL_SCAN, NULL )
- CreateProcessA ( NULL, "netsh advfirewall firewall add rule name="Quant" program="c:\users\xxx\desktop\[removed].exe" dir=Out action=allow", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )
- CreateProcessA ( NULL, "cmd /c echo Y|CACLS "c:\users\xxx\appdata\roaming\16643456\dwm.exe" /P "xxx:R"", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )
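Detection logic for the three host artifacts listed above (the netsh outbound allow rule, the `echo Y|CACLS` ACL rewrite, and a copy of dwm.exe executed from %APPDATA%), written as an added example that is not part of the paste or the sandbox output. The command lines it scans are constructed samples modelled on the CreateProcessA calls; the user name, rule name and dropper path are placeholders.

```python
import re

# Constructed sample process-creation command lines (not from any real host), modelled on
# the CreateProcessA calls in the paste; user name, rule name and dropper path are placeholders.
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="Quant" program="c:\users\xxx\desktop\dropper.exe" dir=Out action=allow',
    r'cmd /c echo Y|CACLS "c:\users\xxx\appdata\roaming\16643456\dwm.exe" /P "xxx:R"',
    r'c:\users\xxx\appdata\roaming\16643456\dwm.exe',
    r'"C:\Windows\System32\dwm.exe"',          # the real dwm.exe: benign
    r'netsh interface show interface',          # netsh without a firewall rule: benign
]

# Directories an unprivileged user can write to; legitimate services do not live here.
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\(appdata|desktop|downloads)\\', re.I)
# Names of Windows system binaries that malware likes to borrow for its dropped copy.
SYSTEM_BINARY_NAMES = {'dwm.exe', 'svchost.exe', 'explorer.exe', 'csrss.exe', 'lsass.exe'}

def classify(cmdline: str) -> set:
    """Return the set of suspicious-behaviour tags that apply to one command line."""
    tags, low = set(), cmdline.lower()
    # 1. Outbound firewall "allow" rule added for a program in a user-writable directory.
    if 'advfirewall' in low and 'add rule' in low and 'action=allow' in low:
        m = re.search(r'program="?([^"\s]+)', cmdline, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            tags.add('firewall_allow_user_path')
    # 2. "echo Y" piped into CACLS to rewrite an ACL without a prompt, on a user-path file.
    m = re.search(r'echo\s+y\s*\|\s*cacls\s+"?([^"\s]+)', low)
    if m and USER_WRITABLE.search(m.group(1)):
        tags.add('cacls_acl_rewrite_user_path')
    # 3. A system-binary name (e.g. dwm.exe) executed from a user-writable directory.
    m = re.match(r'"?([^"]+?\.exe)"?', cmdline, re.I)
    if m:
        path = m.group(1)
        if path.rsplit('\\', 1)[-1].lower() in SYSTEM_BINARY_NAMES and USER_WRITABLE.search(path):
            tags.add('system_binary_name_in_user_path')
    return tags

def scan(cmdlines):
    """Return [(cmdline, sorted tags)] for every command line that triggered a tag."""
    return [(c, sorted(classify(c))) for c in cmdlines if classify(c)]

if __name__ == '__main__':
    for c, t in scan(SAMPLE_CMDLINES):
        print(', '.join(t), '<-', c)
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records instead of the constructed list; the two benign lines show that plain netsh use and the real System32 dwm.exe do not fire.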