#IOC #OptiData #VR #avemaria #rat #RAR #EXE
https://pastebin.com/LV9NKUiy

previous_contact:
17/02/20 https://pastebin.com/DCPutqaR

FAQ: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

attack_vector
--------------
email URL > .z(RAR) > exe > C2 > drop dll > dism > ...

email_headers
--------------
Received: from slot0.brookvvoodcos.com (slot0.brookvvoodcos.com [45.95.170.152])
From: Purchase A. S <info@brookvvoodcos.com>
To: user00@victim77.com
Subject: Re: New Supplier enquiry-PO/Contract Brookswoods
Date: 20 Jul 2020 01:00:22 -0700
Return-Path: info@brookvvoodcos.com

files
--------------
SHA-256 5a458dda2000f0d7d0f5e821765933191f15bfabbff7618fc761ef37ba1f0398
File name New Supplier inquiry 0720THAMZ_ doc.z [RAR archive data, v1d, os: Win32]
File size 294.40 KB (301467 bytes)

SHA-256 5da3ddb36051056f35b74336c9f548557bcfc118adf8a8f454124bc7a986b7f9
File name New Supplier inquiry 0720THAMZ_ doc.exe [ .NET executable ]
File size 762.97 KB (781280 bytes)

activity
**************
PL_SCR
https://onedrive.live.com/download?cid=1B9A2752AF248CE2&resid=1B9A2752AF248CE2%21109&authkey=AFxFOCOUl8etxDU

C2
87.98.158.105:6080 [divine.awsmppl.com]

netwrk
--------------
[tcp]
87.98.158.105 50071 → 6080

comp
--------------
New Supplier inquiry 0720THAMZ_ doc.exe 4044 TCP 87.98.158.105 6080 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-MpPreference -verbose
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml
"C:\Windows\SysWOW64\pkgmgr.exe" /n:%temp%\ellocnak.xml
"C:\Windows\SysWOW64\dism.exe" /online /norestart /apply-unattend:"C:\Users\support\AppData\Local\Temp\ellocnak.xml"

persist
--------------
n/a

drop
--------------
C:\tmp\nss3.dll
C:\tmp\msvcp140.dll
C:\tmp\freebl3.dll
C:\tmp\mozglue.dll
C:\tmp\vcruntime140.dll
C:\tmp\dismcore.dll
C:\tmp\ellocnak.xml

ellocnak.xml
--------------
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing>
<package action="install">
<assemblyIdentity name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/>
<source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" />
</package>
</servicing>
</unattend>

# # #

URL
https://www.virustotal.com/gui/url/575fe79e424c56a9366f7bbfd821caa5e052ee46f8bfb15b0da6295eef0ceaba/details

RAR
https://www.virustotal.com/gui/file/5a458dda2000f0d7d0f5e821765933191f15bfabbff7618fc761ef37ba1f0398/details

EXE
https://www.virustotal.com/gui/file/5da3ddb36051056f35b74336c9f548557bcfc118adf8a8f454124bc7a986b7f9/details
https://analyze.intezer.com/analyses/5d1b6409-beaf-4714-87ff-af387246ebc5

VR