- #IOC #OptiData #VR #js #WSH #lzh #Danabot #Banking #Trojan
- SHA-256 43ea493d699d91a97c396d822fd73fdb60581c0628ee00f44b6657d117cb9455
- File name Рахунки от 18.09.18p Пластикс-Украина.zip.lzh (LHarc 1.x/ARX archive data [lh0])
- File size 2.37 MB
- SHA-256 a4dd700679716fa87780c90e7d849ca473d2b643ad8644afab10b0728224ce41
- File name 18.09.2018.doc (CLEAN)
- File size 34 KB
- SHA-256 ed928077847f780af36a9198d1e3ef1c5b1dd17739a50d5560e1f2094435e9db
- File name 45.xls.js
- File size 2.33 MB
- cat 45.xls.js | grep -o "q.WriteText(h('[a-z0-9]*'));" | sed "s|q.WriteText(h('\(.*\)'));|\1|g" | tr -d '\r\n' | rax2 -s > out.bin ## thanks to @Racco42
- JS > EXE
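The one-liner above carves the dropped executable out of 45.xls.js by collecting the hex argument of every q.WriteText(h('...')) call and decoding it. As an added example (not from the original paste), the same extraction in Python, with a sanity check that the carved blob has a DOS header and a PE signature; the script fragment it parses is constructed here, not the real dropper.

```python
import re

# Same pattern the page's grep/sed pipeline matches: the payload is written
# out as hex in many q.WriteText(h('<hex>')) calls, in file order.
CHUNK_RE = re.compile(r"q\.WriteText\(h\('([a-z0-9]*)'\)\);")

def extract_hex_chunks(js_source: str) -> list:
    """Return the hex arguments in the order they appear in the script."""
    return CHUNK_RE.findall(js_source)

def carve_payload(js_source: str) -> bytes:
    """Join all chunks and hex-decode them (what grep | sed | tr | rax2 -s did)."""
    joined = "".join(extract_hex_chunks(js_source))
    if len(joined) % 2:
        raise ValueError("odd-length hex: a chunk was probably missed or truncated")
    return bytes.fromhex(joined)

def looks_like_pe(blob: bytes) -> bool:
    """Cheap check: 'MZ' stub and e_lfanew (offset 0x3c) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Constructed sample (hypothetical, not 45.xls.js): a 64-byte DOS header whose
# e_lfanew points to a fake PE signature right behind it, split into three calls.
_dos_header = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
_fake_image = _dos_header + b"PE\x00\x00" + b"\x00" * 20
_hex = _fake_image.hex()
SAMPLE_JS = (
    "var q = fso.CreateTextFile(p, true);\n"
    f"q.WriteText(h('{_hex[:40]}'));\n"
    f"q.WriteText(h('{_hex[40:120]}'));\n"
    f"q.WriteText(h('{_hex[120:]}'));\n"
    "q.Close();\n"
)

if __name__ == "__main__":
    payload = carve_payload(SAMPLE_JS)
    print(len(payload), "bytes, PE header:", looks_like_pe(payload))
    with open("out.bin", "wb") as fh:   # same output name as the shell pipeline
        fh.write(payload)
```

Point it at the real script by reading the file into carve_payload(); if looks_like_pe() is False, the dropper uses a different writer call or a second encoding layer and the regex needs adjusting.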
- SHA-256 8853f604d7bd146fb18eb9a94ae417809865d9da1fbf9847eb05d1702d9b8f7b
- File name Tempa.exe
- File size 455.5 KB
- SHA-256 bb5520595a0bac6f55834e1e05eca80ea57ff18c03d0f4250d07b31227836e9a
- File name Loader_2018-09-19_09-38.exe
- File size 132.5 KB
- SHA-256 47b3151b520a34ccd7306d216a86e60d06504186cd8d2eb986eda192e47c41ba
- File size 1.61 MB
- Last analysis 2018-09-19 13:01:54 UTC
- SHA-256 7ee5206c758df0aaa019146d53f487ca9b0b1b0c79ef3b4dde557613a23f588d
- File name CCF81064.dll
- File size 2.53 MB
- act
- ------
- wscript.exe C:\Users\operator\Desktop\45.xls.js
- "C:\Users\support\AppData\Local\Tempa.exe"
- C:\Windows\system32\rundll32.exe C:\Users\support\AppData\Local\Tempa.dll,f1 C:\Users\support\AppData\Local\Tempa.exe
- C:\Windows\system32\rundll32.exe C:\PROGRA~3\CCF81016\CCF81064.dll,f1 C:\Users\support\AppData\Local\Tempa.dll
- C:\Windows\system32\rundll32.exe C:\PROGRA~3\CCF81016\CCF81064.dll,f1 C:\Users\support\AppData\Local\Tempa.dll
- C:\Windows\system32\svchost.exe -k LocalService
- C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f7
- C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~3\CCF81016\CCF81064.DLL,f7
- C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f5 759CBB3E1B883BDCA23E9052462F641E
- C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f5 E0FBBC92DB9927BFC474A64DF4F9C22F
- C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~3\CCF81016\CCF81064.DLL,f5 D0C851FBCA030928B535FAF3188DAFBA
- C:\tmp\Loader_2018-09-19_09-38.exe
- C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f4 92A1097D7E8F836DB3A4ABAC9BDCCC5D
- open_connect
- ------------
- rundll32.exe 536 TCP 45.77.51.69 443 ESTABLISHED
- svchost.exe 2412 TCP 207.88.153.20 443 SYN_SENT
- svchost.exe 2412 TCP 74.152.137.65 443 SYN_SENT
- [System Process] 0 49570 178.209.51.227 443 TIME_WAIT
- svchost.exe 2412 TCP 94.56.160.71 443 SYN_SENT
- contacted_IPs
- -------------
- persist
- --------
- CCF81016 "Monitors system events and notifies COM+ Event System subscribers of these events." (service description copied from the COM+ Event System service) c:\programdata\ccf81016\ccf81064.dll 19.09.2018 13:58
- @Tempa
- service name: 13E95074
- service path: C:\Windows\system32\svchost.exe -k LocalService
- key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\13E95074\ImagePath
- data: C:\Windows\system32\svchost.exe -k LocalService
- key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\13E95074\Parameters\ServiceDll
- data: C:\PROGRA~3\13E95074\13E95064.DLL
- @Loader
- file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surawciu.lnk
- file: C:\Users\user\AppData\Roaming\Microsoft\Windows\surawciu\reiijwjf.exe
- email_headers
- ---------------
- Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108]) by mailsrv.victim.com for <postmaster@victim.com>;
- Wed, 19 Sep 2018 12:17:10 +0300 (EEST)
- (envelope-from svarch@ukrpost.net)
- Received: from mail2.ukrpost.ua (mail2.ukrpost.ua [82.207.79.2])
- by mx.fm.ukrtelecom.ua with ESMTP id w8J7CE14010434-w8J7CE16010434; Wed, 19 Sep 2018 10:12:14 +0300
- Received: from [109.229.10.210] (helo=210-10-229-109.pppoe.langate.ua.10.229.109.in-addr.arpa)
- by mail2.ukrpost.ua with esmtpa (Exim 4.89)
- (envelope-from <svarch@ukrpost.net>)
- From: "=?utf-8?B?0K/QvdGH0YPQuiDQrtGA0ZbQuQ==?=" <svarch@ukrpost.net>
- Subject: =?utf-8?B?0L3QvtCy0YvQtSDRgNCw0YUgMTkuMDkuMTjRgA==?=
- To: "user1" <user1@victim.com>
- Reply-To: "=?utf-8?B?0K/QvdGH0YPQuiDQrtGA0ZbQuQ==?=" <visual-lutsk@ukr.net>
- Date: Wed, 19 Sep 2018 10:12:12 +0300
- # # #
- https://www.tgsoft.it/english/news_archivio_eng.asp?id=953
- https://myonlinesecurity.co.uk/danabot-delivered-via-fake-dpd-delivery-notification/