API tools faq
paste
VRad

#formbook_181120

VRad
Nov 19th, 2020 (edited)
193
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.53 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #frombook #RAR #EXE #RAT #stealer
  2.  
  3. https://pastebin.com/A3FeDAfG
  4.  
  5. previous_contact:
  6. 22/04/19 https://pastebin.com/1FMBBK3N
  7. 26/02/19 https://pastebin.com/yLu1cL9K
  8. 15/11/18 https://pastebin.com/VFG89LnT
  9. 14/11/18 https://pastebin.com/D6VPDyyz
  10.  
  11. FAQ:
  12.  
  13. attack_vector
  14. --------------
  15. email attach .r15 (RAR) > EXE > inject > explorer.exe
  16.  
  17. email_headers
  18. --------------
  19. Received: from transpro-logistics.com (unknown [103.99.1.159])
  20. From: [email protected]
  21. To: [email protected]
  22. Subject: RE: Invoice does not bear your Company's Bank details
  23. Date: 18 Nov 2020 03:20:02 -0800
  24.  
  25. files
  26. --------------
  27. SHA-256 6fc0deee590752312e04511e02b729e693d4c2816cb5a93f0602a565eb3aebd5
  28. File name Invoice.r15 [ RAR compressed archive (gen) (100%) ]
  29. File size 293.09 KB (300122 bytes)
  30.  
  31. SHA-256 091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
  32. File name Invoice.exe [ .NET executable ]
  33. File size 558.50 KB (571904 bytes)
  34.  
  35. SHA-256 54e170ab35e32ea8ae1f4b2f5ed8a3dc8530226d7a579843651ebc0c5b4431bc
  36. File name unpack1.exe [ .NET executable ]
  37. File size 210.00 KB (215040 bytes)
  38.  
  39. SHA-256 f1c8b375b9aaa998f98124b440f29391d60468ae6bcd9cb08f0f9e9024f21c49
  40. File name unpack2.exe [ .NET executable ]
  41. File size 181.00 KB (185344 bytes)
  42.  
  43. activity
  44. **************
  45. C2 alsagranit.info/rhk/ - 404
  46.  
  47. netwrk
  48. --------------
  49. 23.228.106.26 www.saimeisteel.com GET /rhk/?Y2sDANL=yKVLfmS1F5ASI1M2DogDev3sJN8Sb49JojbxyOZoWfbqe1Ea25CTMZyA8M69I71FHDzMzw==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  50. 125.209.230.216 www.rene-jew.com GET /rhk/?Y2sDANL=lK+ay6IXUMwmO+TXWTa3Ah9soIVoB+QIyQUvVlTmeD3tnOH3C3//MrAF+RhuD6FbQ8I84Q==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  51. 160.153.136.3 www.dfscapholdingsllc.com GET /rhk/?Y2sDANL=ccbYGnIu2Vdsb2WrlMejXBt3W1/koCucLbcuhimM0/beNvmIgE49iKOemaIwjeooS5kgNg==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  52. 35.242.251.130 www.globale.solutions GET /rhk/?Y2sDANL=k9RqvmJIJSZut3C2UdeSyblakawe0P7DtX4Hlwl9clrSAufssCVYNJVehOWR7ztk3KE92w==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  53. 34.102.136.180 www.kredit-goals.com GET /rhk/?Y2sDANL=QX1I6m/9vw0fHhrofFjDWrVCyabtoNrL8tWZSTJ00ijeg2DnNqoS9K8hYjmjAmjC1Im5tA==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  54. 156.241.53.234 www.lyoml.com GET /rhk/?Y2sDANL=znQHRpErKNS9HICxZ/b3l0zdgK7i+pZ3t7cwZgYdaRTEjjBjMnsdqzHdl2A0yRWEH9Ud0A==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  55. 208.91.197.27 www.primospicaduras.com GET /rhk/?Y2sDANL=sBUfWheW3mndBbC475+0udqadZ0IAyenb+i51akfEs323bptfJw0Yb1YFklvOen2TYnt7A==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  56. 104.27.179.164 www.dajiangzhibo11.com GET /rhk/?Y2sDANL=OP0rClg0VFbxmfEUd9c9kmH/VHtwci4jQKmhwLRoUJtYXC+qshEJ8T2Q453Md20C+TP5ew==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  57. 45.39.153.189 www.52wanlol.com GET /rhk/?Y2sDANL=UsCEj/FxpGXt/CqXbENDasFKOjMrWVkWoJRybGnwe+tiNMHwkEV6WPjWkSSYc2CkR0nWaA==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  58. 67.195.197.25 www.testcokes.com GET /rhk/?Y2sDANL=5f1v5cx0o1KKmbgtDgpGZ2MGcMCuj7O8lp1edf5Vmyg/7Ps6ccU7zKhW7/opcAn8ysxxKA==&bj=UTplG6hXL8ot HTTP/1.1 Continuation
  59.  
  60. comp
  61. --------------
  62. explorer.exe 23.228.106.26:80
  63. 125.209.230.216:80
  64. 35.242.251.130:80
  65. 34.102.136.180:80
  66. 156.241.53.234:80
  67. 208.91.197.27:80
  68. 104.27.179.164:80
  69. 45.39.153.189:80
  70. 67.195.197.25:80
  71.  
  72. proc
  73. --------------
  74. C:\Windows\Explorer.EXE
  75. C:\Users\oper\Desktop\Invoice.exe
  76. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  77. C:\Users\oper\Desktop\Invoice.exe
  78. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  79. C:\Windows\SysWOW64\svchost.exe
  80. C:\Windows\SysWOW64\chkdsk.exe
  81. cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  82.  
  83. persist
  84. --------------
  85. n/a
  86.  
  87. drop
  88. --------------
  89. n/a
  90.  
  91. # # #
  92. https://www.virustotal.com/gui/file/6fc0deee590752312e04511e02b729e693d4c2816cb5a93f0602a565eb3aebd5/details
  93. https://www.virustotal.com/gui/file/091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5/details
  94. https://analyze.intezer.com/analyses/3376545c-49b4-47ee-b34e-77c7f58442e2
  95. https://www.virustotal.com/gui/file/54e170ab35e32ea8ae1f4b2f5ed8a3dc8530226d7a579843651ebc0c5b4431bc/details
  96. https://analyze.intezer.com/analyses/da4f1578-d88b-496f-82e0-5be9a177d7fa
  97. https://www.virustotal.com/gui/file/f1c8b375b9aaa998f98124b440f29391d60468ae6bcd9cb08f0f9e9024f21c49/details
  98. https://analyze.intezer.com/analyses/731dd62c-4bb7-4046-bd08-354f8c2e56b4
  99. https://www.unpac.me/results/2c5f612f-78a2-4f4d-9df4-47265f8da113
  100.  
  101. VR
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!