SHARE
TWEET

#Danabot_banker_190918

VRad Sep 19th, 2018 (edited) 184 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #js #WSH #lzh #Danabot #Banking #Trojan
  2.  
  3. SHA-256 43ea493d699d91a97c396d822fd73fdb60581c0628ee00f44b6657d117cb9455
  4. File name   Рахунки от 18.09.18p Пластикс-Украина.zip.lzh (LHarc 1.x/ARX archive data [lh0])
  5. File size   2.37 MB
  6.  
  7. SHA-256 a4dd700679716fa87780c90e7d849ca473d2b643ad8644afab10b0728224ce41
  8. File name   18.09.2018.doc (CLEAN)
  9. File size   34 KB
  10.  
  11. SHA-256 ed928077847f780af36a9198d1e3ef1c5b1dd17739a50d5560e1f2094435e9db
  12. File name   45.xls.js
  13. File size   2.33 MB
  14.  
  15. cat 45.xls.js | grep -o "q.WriteText(h('[a-z0-9]*'));" | sed "s|q.WriteText(h('\(.*\)'));|\1|g" | tr -d '\r\n' | rax2 -s > out.bin ## thanks to @Racco42
  16.  
  17. JS > EXE
  18.  
  19. SHA-256 8853f604d7bd146fb18eb9a94ae417809865d9da1fbf9847eb05d1702d9b8f7b
  20. File name   Tempa.exe
  21. File size   455.5 KB
  22.  
  23. SHA-256 bb5520595a0bac6f55834e1e05eca80ea57ff18c03d0f4250d07b31227836e9a
  24. File name   Loader_2018-09-19_09-38.exe
  25. File size   132.5 KB
  26.  
  27. SHA-256 47b3151b520a34ccd7306d216a86e60d06504186cd8d2eb986eda192e47c41ba
  28. File size   1.61 MB
  29. Last analysis   2018-09-19 13:01:54 UTC
  30.  
  31. SHA-256 7ee5206c758df0aaa019146d53f487ca9b0b1b0c79ef3b4dde557613a23f588d
  32. File name   CCF81064.dll
  33. File size   2.53 MB
  34.  
  35. act
  36. ------
  37. wscript.exe  C:\Users\operator\Desktop\45.xls.js
  38. "C:\Users\support\AppData\Local\Tempa.exe"
  39. C:\Windows\system32\rundll32.exe C:\Users\support\AppData\Local\Tempa.dll,f1 C:\Users\support\AppData\Local\Tempa.exe
  40. C:\Windows\system32\rundll32.exe C:\PROGRA~3\CCF81016\CCF81064.dll,f1 C:\Users\support\AppData\Local\Tempa.dll
  41. C:\Windows\system32\rundll32.exe C:\PROGRA~3\CCF81016\CCF81064.dll,f1 C:\Users\support\AppData\Local\Tempa.dll
  42.  
  43. C:\Windows\system32\svchost.exe -k LocalService
  44. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f7
  45. C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~3\CCF81016\CCF81064.DLL,f7
  46. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f5 759CBB3E1B883BDCA23E9052462F641E
  47. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f5 E0FBBC92DB9927BFC474A64DF4F9C22F
  48. C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~3\CCF81016\CCF81064.DLL,f5 D0C851FBCA030928B535FAF3188DAFBA
  49. C:\tmp\Loader_2018-09-19_09-38.exe
  50. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f4 92A1097D7E8F836DB3A4ABAC9BDCCC5D
  51.  
  52. open_connect
  53. ------------
  54.  
  55. rundll32.exe    536 TCP 45.77.51.69 443 ESTABLISHED
  56. svchost.exe 2412    TCP 207.88.153.20   443 SYN_SENT
  57. svchost.exe 2412    TCP 74.152.137.65   443 SYN_SENT
  58. [System Process]    0   49570   178.209.51.227  443 TIME_WAIT
  59. svchost.exe 2412    TCP 94.56.160.71    443 SYN_SENT
  60.  
  61. contacted_IPs
  62. -------------
  63. 31.75.54.55
  64. 46.167.69.86
  65. 6.13.208.236
  66. 17.226.127.227
  67. 31.75.54.55
  68. 40.172.108.17
  69. 43.171.4.68
  70. 45.77.51.69
  71. 45.77.54.180
  72. 46.167.69.86
  73. 60.71.138.9
  74. 161.93.121.167
  75. 2.21.242.213
  76. 2.21.242.237
  77. 202.233.79.53
  78.  
  79. persist
  80. --------
  81. CCF81016    Ведет наблюдение за системными событиями и уведомляет подписчиков системы событий COM+ об этих событиях.      c:\programdata\ccf81016\ccf81064.dll    19.09.2018 13:58
  82.  
  83. @Tempa
  84. service name: 13E95074
  85. service path: C:\Windows\system32\svchost.exe -k LocalService
  86. key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\13E95074\ImagePath
  87. data: C:\Windows\system32\svchost.exe -k LocalService
  88. key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\13E95074\Parameters\ServiceDll
  89. data: C:\PROGRA~3\13E95074\13E95064.DLL
  90.  
  91. @Loader
  92. file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surawciu.lnk
  93. file: C:\Users\user\AppData\Roaming\Microsoft\Windows\surawciu\reiijwjf.exe
  94.  
  95. email_headers
  96. ---------------
  97.  
  98. Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108]) by mailsrv.victim.com for <postmaster@victim.com>;
  99. Wed, 19 Sep 2018 12:17:10 +0300 (EEST)
  100. (envelope-from svarch@ukrpost.net)
  101. Received: from mail2.ukrpost.ua (mail2.ukrpost.ua [82.207.79.2])
  102.     by mx.fm.ukrtelecom.ua with ESMTP id w8J7CE14010434-w8J7CE16010434; Wed, 19 Sep 2018 10:12:14 +0300
  103. Received: from [109.229.10.210] (helo=210-10-229-109.pppoe.langate.ua.10.229.109.in-addr.arpa)
  104.     by mail2.ukrpost.ua with esmtpa (Exim 4.89)
  105.     (envelope-from <svarch@ukrpost.net>)
  106. From: "=?utf-8?B?0K/QvdGH0YPQuiDQrtGA0ZbQuQ==?=" <svarch@ukrpost.net>
  107. Subject: =?utf-8?B?0L3QvtCy0YvQtSDRgNCw0YUgMTkuMDkuMTjRgA==?=
  108. To: "user1" <user1@victim.com>
  109. Reply-To: "=?utf-8?B?0K/QvdGH0YPQuiDQrtGA0ZbQuQ==?=" <visual-lutsk@ukr.net>
  110. Date: Wed, 19 Sep 2018 10:12:12 +0300
  111.  
  112. # # #
  113. https://www.tgsoft.it/english/news_archivio_eng.asp?id=953
  114. https://myonlinesecurity.co.uk/danabot-delivered-via-fake-dpd-delivery-notification/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top