Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- found by @asset_island_
- email subject: New Order
- attachment: Order.pdf
- https://www.hybrid-analysis.com/sample/c6ecbf5a26b935d11e4b9683fef05cea473cc6bec18ae707dfabc1d77bbb07c7?environmentId=120
- link in pdf to: dropbox.com
- dropbox file downloads: zip with EXE inside
- https://www.reverse.it/sample/4f493b991de64939caf9ff4cc4bf357c449026bf5b023a46a34f1452b1453c45
- ----------
- keylogging to
- ----------
- C:\Users\xxxx\AppData\Roaming\9174B166-43EB-456B-8628-EF18D46933C5\Logs\xxxx\KB_11223367.dat
- ----------
- interesting in-memory strings
- ----------
- 0x3136a4 (144): file:///C:/Users/xxx/AppData/Local/Temp/ClientPlugin/ClientPlugin.EXE
- 0x328c94 (252): file:///C:/Users/xxx/AppData/Local/Temp/en-US/SurveillanceExClientPlugin.resources/SurveillanceExClientPlugin.resources.EXE
- 0x411f4d (21): NanoCore.ClientPlugin
- 0x411f8d (25): NanoCore.ClientPluginHost
- 0x1a838d8 (140): NanoCore Client, Version=1.2.2.0, Culture=neutral, PublicKeyToken=null
- 0x1ac2577 (11): NanoCore.My
- 0x1ac6b30 (42): PrimaryConnectionHost
- 0x1ac6b68 (38): wilfred123.ddns.net
- 0x1ac6b9c (40): BackupConnectionHost
- 0x1ac6bd4 (38): wilfred123.ddns.net
- 0x1acd938 (108): file:///C:/Users/xxx/AppData/Local/Temp/RegSvcs.exe
- 0x1acd9b4 (30): NanoCore Client
- 0x1b0dee4 (15): KeyboardLogging
- 0x1b0e444 (84): Plugin: SurveillanceEx Plugin, Cache: True
- 0x1b0e104 (192): C:\Users\xxx\AppData\Roaming\9174B166-43EB-456B-8628-EF18D46933C5\Logs\xxx\KB_11223367.dat
- 0x1b124b8 (80): Connecting to wilfred123.ddns.net:5794..
- 0x1b16444 (118): Resolved hostname 'wilfred123.ddns.net' to '105.112.98.108'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
