#nanocore_250419

VRad May 10th, 2019 (edited)
#IOC #OptiData #VR #nanocore #RAT #RTF #OLE #XLS #VBA

https://pastebin.com/cSy68j5q

previous_contact:
07/01/19    https://pastebin.com/e5f24Y8F

FAQ:        https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .doc (RTF) > 2x OLE (Excel) > VBA macro URLDownloadToFileA > GET 1 URL > .exe

email_headers
--------------
Received: from bitrecall.com (mail.bitrecall.com [94.177.166.132])
Received: from pec.it (unknown [184.164.139.195])
From: Accounts <asp.srls@pec.it>
To: user00@org88.victim0.com
Subject: Re: Invoice payment
Date: 25 Apr 2019 05:18:16 -0700

files
--------------
SHA-256     6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26
File name   invoice and po.doc          [Rich Text Format data, version 1, unknown character set]
File size   290.43 KB (297400 bytes)

two OLE from RTF:

SHA-256     0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500
File name   invoice and po.doc_object_00002904.bin  [Composite Document File V2 Document, Little Endian, Os: Windows]
File size   51 KB (52224 bytes)

SHA-256     17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961
File name   invoice and po.doc_object_00021CCF.bin  [Composite Document File V2 Document, Little Endian, Os: Windows]
File size   51 KB (52224 bytes)

payload:

SHA-256     56f4a8947d55e20bc17f7e05dcc7484940c19845366c3e22ffa4f02e7cffd1cb
File name   stub[1].exe             [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   521.87 KB (534392 bytes)

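The two OLE objects above were carved out of the RTF's \objdata groups. The following is an added example (not part of the original paste, and not the tool the author used) that does that carving by hand: it finds each \objdata group, strips the hex to bytes, parses the OLE 1.0 ObjectHeader that wraps an embedded object (MS-OLEDS: OLEVersion, FormatID, three length-prefixed strings, NativeDataSize, NativeData), and hashes the native data so it can be compared with the SHA-256 values listed here. The RTF it runs on is constructed inline with two small fake Compound Document blobs, so the hashes will not match the real IOCs; the known-hash set is the real one from this page. Heavily obfuscated RTFs that interleave control words inside \objdata are skipped by this simple regex; oletools' rtfobj handles those.

```python
"""Carve OLE 1.0 embedded objects from an RTF's \\objdata groups and hash them."""
import hashlib
import re
import struct

# SHA-256 of the two OLE objects listed on this page (the real IOCs).
KNOWN_OLE_SHA256 = {
    "0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500",
    "17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _lp_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length (incl. NUL) then chars; length 0 = absent."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)

def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Wrap native data in an OLE 1.0 ObjectHeader (FormatID 2 = embedded object)."""
    return (struct.pack("<II", 0x00000501, 2)                        # OLEVersion, FormatID
            + _lp_ansi(class_name) + _lp_ansi(b"") + _lp_ansi(b"")   # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)               # NativeDataSize, NativeData

# Constructed sample payloads: Compound Document magic (D0CF11E0 A1B11AE1) plus filler,
# standing in for the 52224-byte OLE files on the page.
NATIVE_A = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"A" * 24
NATIVE_B = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"B" * 24

def _objdata_group(native: bytes) -> str:
    hexdata = build_ole1_embedded(b"Excel.Sheet.8", native).hex()
    # Word wraps the hex over many lines; reproduce that to show the whitespace handling.
    wrapped = "\n".join(hexdata[i:i + 40] for i in range(0, len(hexdata), 40))
    return "{\\object\\objemb{\\*\\objclass Excel.Sheet.8}{\\*\\objdata\n" + wrapped + "}}"

# Constructed RTF with two embedded Excel objects, mirroring "two OLE from RTF" above.
SAMPLE_RTF = ("{\\rtf1\\ansi\\deff0 invoice text " + _objdata_group(NATIVE_A)
              + " more text " + _objdata_group(NATIVE_B) + "}").encode("latin-1")

_OBJDATA = re.compile(rb"\\objdata\b([^{}]*)\}", re.DOTALL)

def parse_ole1(blob: bytes):
    """Return (class_name, native_data) from an OLE 1.0 ObjectHeader; raise if not an embedded object."""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    off = 8
    def read_lp(pos):
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return blob[pos:pos + n].rstrip(b"\x00"), pos + n
    class_name, off = read_lp(off)
    _topic, off = read_lp(off)
    _item, off = read_lp(off)
    if fmt != 2:
        raise ValueError("FormatID %d is not an embedded object" % fmt)
    (size,) = struct.unpack_from("<I", blob, off)
    off += 4
    return class_name.decode("latin-1"), blob[off:off + size]

def extract_objects(rtf: bytes):
    """Return (class_name, native_bytes, sha256) for each parseable \\objdata group."""
    out = []
    for m in _OBJDATA.finditer(rtf):
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))   # drop CR/LF and any other noise
        try:
            cls, native = parse_ole1(bytes.fromhex(hexchars.decode("ascii")))
        except (ValueError, struct.error):
            continue   # obfuscated or truncated group: skip rather than guess
        out.append((cls, native, sha256_hex(native)))
    return out

def match_known(objects, known=KNOWN_OLE_SHA256):
    """Subset of extracted objects whose SHA-256 is in the IOC set."""
    return [o for o in objects if o[2] in known]

if __name__ == "__main__":
    objs = extract_objects(SAMPLE_RTF)
    for cls, native, digest in objs:
        print(cls, len(native), "bytes", digest, "compound_doc=%s" % (native[:4] == b"\xd0\xcf\x11\xe0"))
    print("known IOC hits:", match_known(objs))
```

Run it against a real sample by replacing SAMPLE_RTF with the file's bytes; a hit in match_known ties the document to the objects listed here even if the outer RTF was re-saved and its own hash changed.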
activity
**************

PL_SRC  104.238.117.30  depedpasay{.} ph    [ssl]

C2  91.192.100.11               [ssl]

netwrk
--------------
104.238.117.30      depedpasay{.} ph    Client Hello
91.192.100.11       49188 → 7077 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

comp
--------------
EXCEL.EXE   220 TCP localhost   49185   104.238.117.30  443 ESTABLISHED
EXCEL.EXE   220 TCP localhost   49186   13.107.4.50 80  ESTABLISHED
stub[1].exe 224 TCP localhost   49188   91.192.100.11   7077    SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
...
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding
C:\tmp\stub[1].exe
"C:\Program Files (x86)\Microsoft Office\Office12\excelcnv.exe" -Embedding

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                      09.05.2019 12:46
ARP Service witneyer    omnipotentiality
c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe    02.11.1993 13:41

drop
--------------
C:\tmp\stub[1].exe
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe

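The activity, comp, persist and drop sections above are the indicators a responder would sweep an estate for. The following is an added example (not part of the original paste) that turns them into matching rules and runs them over Sysmon-style key=value telemetry lines constructed here to echo the sections above (these are not real logs). It refangs the "{.}" hostname, matches the payload source and C2 IPs (noting when the port differs from the one seen here), flags the Office process that made the connection, and matches the drop path and the Run-key persistence entry with the per-victim GUID directory generalized to a regex rather than the one GUID seen on this host.

```python
"""Match this page's network, drop and persistence IOCs against constructed telemetry lines."""
import re

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"   # the Roaming\<GUID> directory varies per victim
PERSIST_EXE = re.compile(r"\\appdata\\roaming\\" + GUID + r"\\arp service\\arpsv\.exe$", re.I)
DROP_EXE = re.compile(r"\\tmp\\stub\[1\]\.exe$", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\ARP Service$", re.I)
OFFICE_IMAGES = ("winword.exe", "excel.exe", "excelcnv.exe")

def refang(s: str) -> str:
    """Turn 'depedpasay{.} ph' style defanging back into a usable hostname."""
    return re.sub(r"\s*[\[\{\(]\.[\]\}\)]\s*", ".", s)

# (role, port, hostname) per IP, as listed under activity/netwrk above.
NET_IOCS = {
    "104.238.117.30": ("payload_src", 443, refang("depedpasay{.} ph")),
    "91.192.100.11": ("c2", 7077, None),
}

# Constructed Sysmon-style lines (EventID 3 = network, 11 = file create, 13 = registry set);
# they restate the comp/proc/persist/drop sections and are not captured logs.
TELEMETRY = [
    "EventID=3 Image=C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE DestinationIp=104.238.117.30 DestinationPort=443",
    "EventID=3 Image=C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE DestinationIp=13.107.4.50 DestinationPort=80",
    "EventID=11 Image=C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE TargetFilename=C:\\tmp\\stub[1].exe",
    "EventID=3 Image=C:\\tmp\\stub[1].exe DestinationIp=91.192.100.11 DestinationPort=7077",
    "EventID=13 Image=C:\\tmp\\stub[1].exe TargetObject=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ARP Service Details=c:\\users\\operator\\appdata\\roaming\\9907dcbd-0284-49da-87e9-3f380347acb7\\arp service\\arpsv.exe",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=91.192.100.11 DestinationPort=443",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=13.107.4.50 DestinationPort=443",
]

KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line: str) -> dict:
    """Split 'Key=value with spaces Key2=...' into a dict; a value runs until the next ' Key='."""
    return dict(KV.findall(line))

def classify(ev: dict) -> list:
    """Return (rule, detail) pairs for one event; an empty list means nothing matched."""
    hits = []
    ip, port = ev.get("DestinationIp"), ev.get("DestinationPort")
    image = ev.get("Image", "")
    if ip in NET_IOCS:
        role, ioc_port, host = NET_IOCS[ip]
        detail = f"{ip}:{port}" + (f" ({host})" if host else "")
        if port != str(ioc_port):
            detail += f" [IOC port was {ioc_port}; same host, treat as a hit anyway]"
        if image.lower().endswith(OFFICE_IMAGES):
            detail += " from Office process"
        hits.append(("net_" + role, detail))
    for field in ("Image", "TargetFilename", "Details"):
        value = ev.get(field, "")
        if DROP_EXE.search(value) or PERSIST_EXE.search(value):
            hits.append(("known_path", f"{field}={value}"))
    if RUN_VALUE.search(ev.get("TargetObject", "")):
        hits.append(("run_key_persistence", ev["TargetObject"]))
    return hits

def scan(lines) -> list:
    """Run classify over every line; returns (line_index, rule, detail) triples."""
    return [(i, rule, detail) for i, line in enumerate(lines)
            for rule, detail in classify(parse_event(line))]

if __name__ == "__main__":
    for idx, rule, detail in scan(TELEMETRY):
        print(f"line {idx}: {rule}: {detail}")
```

The 13.107.4.50:80 connection from EXCEL.EXE is left unmatched on purpose: it appears in the comp section but is not listed as an indicator, so a rule on it would only generate noise.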
# # #
https://www.virustotal.com/gui/file/6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26/details
https://www.virustotal.com/gui/file/0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500/details
https://www.virustotal.com/gui/file/17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961/details
https://www.virustotal.com/gui/file/56f4a8947d55e20bc17f7e05dcc7484940c19845366c3e22ffa4f02e7cffd1cb/details
https://analyze.intezer.com/#/analyses/7f554b60-55ba-48f7-b83c-750c6f31a756

VR