- ====================================================================================================
- Reference: https://twitter.com/alex_lanstein/status/530430510968102912
- Vulnerability issue - Poodle - PLEASE READ.xls (MD5): a3342b92ec4b56d2759df54aec5661f7
- Extracted malicious VBA macro (MD5): f323d9a64ebecaca1604741b9a475591
- Downloads (MD5): 78ff589aa5e8e174ce66db4bf8c19d84
- Has expired/invalid certificate:
- LesTrast Import Softwares Ltd.1
- Validity
- Not Before: Nov 5 00:45:57 2014 GMT
- Not After : Nov 4 00:45:57 2016 GMT
- Subject: C=GA, ST=Estate Real, L=Concan, O=LesTrast Import Softwares Ltd., OU=Lestrust
- Connects to:
- http://sapard.ddns.net/
- http://leopard.gotdns.ch/
- http://prefetch.duia.pw/
- Meta-data
- ================================================================================
- File: acrord32.exe
- Size: 200000 bytes
- Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- MD5: 78ff589aa5e8e174ce66db4bf8c19d84
- SHA1: 4b4b15558b7fbb7302a8c217a5ee1e1691fcd37a
- ssdeep: 3072:UQzvt+Y5JoK7GmCMY7pdkNxiurjHdKheR2wgSeupRhVsTwtzd68tvoRYuBRqRV8p:UQzvt+TdwTdSeFxRZtB6uuH/HMj2j
- Date: 0x545424AB [Sat Nov 1 00:09:15 2014 UTC]
- EP: 0x40414b .text 0/5
- CRC: Claimed: 0x3642d, Actual: 0x3642d
- Packers: Armadillo v1.71
- Tries to hide as:
- OriginalFilename: bsplay.exe
- ProductName: BSPlayer Pro v2.66
- Malware payload: infostealer
- Interesting strings:
- ComSpec
- WINDIR
- %s\system32\cmd.exe
- mozcrt19.dll
- sqlite3.dll
- nspr4.dll
- plc4.dll
- plds4.dll
- nssutil3.dll
- softokn3.dll
- nss3.dll
- Path=
- SOFTWARE\Mozilla\%s\
- CurrentVersion
- SOFTWARE\Mozilla\%s\%s\Main
- Install Directory
- mozutils.dll
- mozglue.dll
- mozsqlite3.dll
- %s\nss3.dll
- Mozilla Firefox
- APPDATA
- %s\Mozilla\Firefox\profiles.ini
- %s\Mozilla\Firefox\%s
- Mozilla Thunderbird
- %s\Thunderbird\profiles.ini
- %s\Thunderbird\%s
- SeaMonkey
- %s\Mozilla\SeaMonkey\profiles.ini
- %s\Mozilla\SeaMonkey\%s
- %s\signons.sqlite
- NSS_Init
- PK11_GetInternalKeySlot
- PK11_Authenticate
- NSSBase64_DecodeBuffer
- PK11SDR_Decrypt
- PK11_FreeSlot
- NSS_Shutdown
- sqlite3_open
- sqlite3_close
- sqlite3_prepare_v2
- sqlite3_step
- sqlite3_column_text
- select * from moz_logins
- %s\Opera\Opera\wand.dat
- %s\Opera\Opera\profile\wand.dat
- %s\.purple\accounts.xml
- <protocol>
- <name>
- <password>
- advapi32.dll
- CredEnumerateA
- CredFree
- WindowsLive:name=*
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Email
- POP3 User
- POP3 Server
- POP3 Password
- IMAP User
- IMAP Server
- IMAP Password
- HTTP User
- HTTP Server
- HTTP Password
- SMTP User
- SMTP Server
- SMTP Password
- %c%c%S
- abe2869f-9b47-4cd9-a358-c22904dba7f7
- Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- index.dat
- History
- Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- %s\Google\Chrome\User Data\Default\Login Data
- %s\Chromium\User Data\Default\Login Data
- localhost
- USERNAME
- Unknown
- kernel32.dll
- GetNativeSystemInfo
- SYSTEM\CurrentControlSet\Control\ProductOptions
- ProductType
- WINNT
- LANMANNT
- SERVERNT
- GlobalMemoryStatusEx
- WINDIR
- PATH
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- SOFTWARE\Microsoft\Active Setup\Installed Components
- %s.Identifier
- %Rand%
- SOFTWARE\Microsoft\Active Setup\Installed Components\%s
- EOF
- ====================================================================================================
- @bartblaze