#avemaria_rat_170220

VRad Feb 19th, 2020 (edited)
#IOC #OptiData #VR #avemaria #rat #rtf #ole

https://pastebin.com/DCPutqaR

previous_contact:   n/a

FAQ:            https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

attack_vector
--------------
email attach .RAR (RTF) > OLE > WINWORD/PowerShell GET1 > exe > inject > GET2 > C2

email_headers
--------------
n/a

files
--------------
SHA-256     a4463283f5a3ab502255c7fec9bee784ef59c60cfb6403c3e9fa70f2f8907002
File name   PO.rar      [RAR archive data, v9, flags: Archive volume, Commented, Solid, os: OS/2]
File size   21.17 KB (21679 bytes)

SHA-256     c7cb63136bf492c95a8287d68d9c87bf691f61a78d5e5aa3d58330aa4994b14c
File name   PO.rtf      [Rich Text Format data, version 1, unknown character set]
File size   227.91 KB (233378 bytes)

SHA-256     cec74536b20d20fd5c2efa88ed6acd0b1dc30e3468b0210f77d3dc61e13be813
File name   onedrive.exe (War.exe)      [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size   56.00 KB (57344 bytes)

SHA-256     8a1d35e9d6a89dae14913e3a6f5cd1e076265200b6964a6b2c7525609a14e351
File name   WAR000_encrypted_826437F.bin    [data]
File size   101.06 KB (103488 bytes)

activity
--------------
PL_SCR      111.90.146.85

C2          79.134.225.103:5216

netwrk
--------------
[http]
111.90.146.85   GET /War.exe HTTP/1.1   Mozilla/4.0

[ssl]
172.217.16.14   drive.google.com                        Client Hello
216.58.215.97   doc-0o-a0-docs.googleusercontent.com    Client Hello

https://drive.google.com/uc?export=download&id=1MH7ScDeCxiVx_HqUd0pCXym7fK2nwhw0

https://doc-0o-a0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/b20lm8o33hdvcadejmau7msvqvalgj7d/1582110000000/02764085834106481668/*/1MH7ScDeCxiVx_HqUd0pCXym7fK2nwhw0?e=download

comp
--------------
WINWORD.EXE     3124    TCP localhost   52482   111.90.146.85   80      ESTABLISHED
ieinstal.exe    3284    TCP localhost   52484   216.58.215.97   443     ESTABLISHED
ieinstal.exe    3284    TCP localhost   52483   172.217.16.14   443     ESTABLISHED
ieinstal.exe    3284    TCP localhost   52487   79.134.225.103  5216    SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\ProgramData\War.exe
C:\Program Files (x86)\internet explorer\ieinstal.exe | C:\Users\operator\Desktop\War.exe

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce              17.02.2020 1:08
Startup key KDEBREVEVA  commensur
c:\users\operator\subfolder1\onedrive.exe                           25.04.2008 0:48

drop
--------------
C:\ProgramData\War.exe
C:\ProgramData\hrjytrj.cmd  | data%\War.exe
C:\Users\operator\subfolder1\OneDrive.exe

# # #
RAR
https://www.virustotal.com/gui/file/a4463283f5a3ab502255c7fec9bee784ef59c60cfb6403c3e9fa70f2f8907002/details
RTF
https://www.virustotal.com/gui/file/c7cb63136bf492c95a8287d68d9c87bf691f61a78d5e5aa3d58330aa4994b14c/details
URL
https://www.virustotal.com/gui/url/f67dcc537c121cb573d4367bca2bddb0bcac2d88d4af2d56e60df93758221038/details
EXE
https://www.virustotal.com/gui/file/cec74536b20d20fd5c2efa88ed6acd0b1dc30e3468b0210f77d3dc61e13be813/details
https://analyze.intezer.com/#/analyses/6ed63295-54de-4f53-a496-8aa8f4634a27

data
https://www.virustotal.com/gui/file/8a1d35e9d6a89dae14913e3a6f5cd1e076265200b6964a6b2c7525609a14e351/details

VR