- Powershell Registry Malware
- explorer.exe opened --> mshta.exe which opened --> powershell.exe which opened --> regsvr32.exe
- which
- accessed startup\<random>.lnk
- accessed AppData\Local\<random>\<random>.bat
- Batch script TEXT : start "" "C:\Users\xxxxx\AppData\Local\<random>\<random>.77af
- accessed AppData\Roaming\<random>\<random>.77af049f3
- did http posts that successfully got out to the internet
- 23.5.169.12 port 80 (SEE BELOW) and many other IPs: 38.18.245.106, 48.215.246.159, 186.150.30.244, etc.
- accessed cmd.exe
- Sample HTTP post (there were many like this)
- POST / HTTP/1.1
- Content-Type: application/x-www-form-urlencoded
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- Host: 103.195.103.77
- Pragma: no-cache
- Content-Length: 380
- Connection: Keep-Alive
- X-BlueCoat-Via: b482d65b63647542
- <Redacted possibly base64 ish>XPGjOqUo7vk4UbnskbnCpIxmzmW+cIFdQZzQNNWHLdtBQ/fjsiMMzGt+lkAUAnHaNx9frGe/pUx765TqasgQLsveRynHeA7HE1+0jQ3ffN2F7C5osAF2O1Pb4f3g8YvC7AaM+xRJTproGQI1iJj2w6MH7FnqEmmkTiWcSXWv9oYJ/8ZEwnBjrMPS7uxP5DADpr4piOhsX0ZLyiGNgnZ2/NVQZB92XwpyV9ynxV8tWH6qXzT0GtCIBG9UvS+AnrvgLVm4AenLPwc+ZMldJVdU5K1/vECmRB7Buf3paVETRGRWoYrWYso/x2lYUkPAQJJI+MrITvCOmhhnlwUc0+aIatgx6tsNVYY5zhzJw
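As an added example that is not part of the original paste, the following Python flags the process chain noted above (explorer.exe --> mshta.exe --> powershell.exe --> regsvr32.exe) together with the Startup .lnk and AppData .bat touches, run over constructed event records; the field names, pids and paths are assumptions, shaped loosely like Sysmon process-creation and file-create events rather than real telemetry.

```python
# Added example: detect the explorer -> mshta -> powershell -> regsvr32 chain
# and the Startup\*.lnk / AppData\*.bat accesses from the paste above.

# Constructed sample events (assumed field names; not real telemetry).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\regsvr32.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},  # benign sibling
]
FILE_EVENTS = [
    {"pid": 400, "path": r"C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abcd.lnk"},
    {"pid": 400, "path": r"C:\Users\xxxxx\AppData\Local\qwer\zxcv.bat"},
    {"pid": 500, "path": r"C:\Users\xxxxx\Documents\notes.txt"},
]

# Parent-to-child order of the chain described in the paste.
SUSPICIOUS_CHAIN = ["explorer.exe", "mshta.exe", "powershell.exe", "regsvr32.exe"]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(pid, events):
    """Image basenames from the root ancestor down to pid, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def chain_matches(pid, events, wanted=SUSPICIOUS_CHAIN):
    """True if `wanted` occurs as a contiguous run inside pid's ancestry."""
    chain = ancestry(pid, events)
    n = len(wanted)
    return any(chain[i:i + n] == wanted for i in range(len(chain) - n + 1))

def suspicious_file_paths(pid, file_events):
    """Startup-folder .lnk or AppData .bat paths touched by pid (persistence staging)."""
    hits = []
    for ev in file_events:
        p = ev["path"].lower()
        if ev["pid"] == pid and (("\\startup\\" in p and p.endswith(".lnk"))
                                 or ("\\appdata\\" in p and p.endswith(".bat"))):
            hits.append(ev["path"])
    return hits

def find_alerts(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Map each pid whose ancestry matches the chain to its suspicious file touches."""
    return {e["pid"]: suspicious_file_paths(e["pid"], file_events)
            for e in process_events if chain_matches(e["pid"], process_events)}
```

In real telemetry the same logic would run over parent/child image fields rather than these literals; the file check is a cheap second signal so a lone regsvr32 launch does not alert by itself.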
- ******
- More FROM @neonprimetime security
- http://pastebin.com/u/Neonprimetime
- https://www.virustotal.com/en/USER/neonprimetime/
- https://twitter.com/neonprimetime
- https://www.reddit.com/USER/neonprimetime