
#xml_211218

VRad Dec 23rd, 2018 (edited)
#IOC #OptiData #VR #hz #xml_rels

https://pastebin.com/NqSr9aMd
FAQ:

attack_vector
--------------
email attach .docx > .xml.rels > GET a.uchi{.} moe/zmxyor.doc > 404

email_headers
--------------
Received: from xdtoilet.gq ([103.89.88.69])
    by srv8.victim1.com for <user0@org7.victim1.com>;
    Fri, 21 Dec 2018 07:28:03 +0200 (EET)
    (envelope-from asherc@xdtoilet.gq)
Reply-To: info4@xdtoilet.com
From: Asher Clif <asherc@xdtoilet.gq>
To: user0@org7.victim1.com
Subject: Enquiry
Date: 21 Dec 2018 13:19:03 -0800
Disposition-Notification-To: darrenmaurice00@gmail.com

files
--------------
SHA-256 c80651ca9cd9d3a73371453684a6ee4bd46df23832c808668f7dd38fb87fa444
File name   SAMPLE23142.docx
File size   11.76 KB

activity
**************

SAMPLE23142/word/_rels/document.xml.rels

https://a.uchi{.} moe/zmxyor.doc

netwrk
--------------
n/a

comp
--------------
WINWORD.EXE 1728    104.27.173.56   443 ESTABLISHED

proc
--------------
n/a

persist
--------------
n/a

drop
--------------
n/a

# # #
https://www.virustotal.com/#/file/c80651ca9cd9d3a73371453684a6ee4bd46df23832c808668f7dd38fb87fa444/details
https://www.virustotal.com/#/url/52683581774bbd6da0e628ddf065524300bcd527c94efb0a33709c3aaf8fcc35/details

VR