#fareit_060220

VRad Feb 7th, 2020 (edited) 299 Never
#IOC #OptiData #VR #fareit #pony #RARv5

https://pastebin.com/dUhmp5xk

previous_contact:
20/09/19    https://pastebin.com/nDTPH9DF
27/02/19    https://pastebin.com/wyRGBXfj
18/10/18    https://pastebin.com/u0D14L5r

FAQ:
https://radetskiy.wordpress.com/?s=fareit

attack_vector
--------------
email attach .001 (RARv5) > EXE > %Temp%\Oplata po kontraktu chetverg.exe

email_headers
--------------
n/a

files
--------------
SHA-256     4adc1bc6d3d9320ca72582dab93565d23a827177dfb023db9dc6543b363831cd
File name   Oplata po kontraktu chetverg.001    [RAR archive data, vf8, os: Unix]
File size   54.35 KB (55652 bytes)

SHA-256     543f604d946d384aa5dc3c9eaf1016125376cff237a73e6f04bd5891f3f62e36
File name   Oplata po kontraktu chetverg.exe (Служебн.записка на 06.02.exe)
File size   113.00 KB (115712 bytes)        [PE32 executable (GUI) Intel 80386, for MS Windows]

SHA-256     6ab32315f6d5f1e5da3b340cf45b8445ff6eb791b1edfbfc4bbd887637904038
File name   viewtopic.php
File size   97.00 KB (99328 bytes)

activity
**************
PL_SCR      attached RAR

C2      195.123.234.158

+ Collects information about installed applications
+ Attempts to access Bitcoin/ALTCoin wallets
+ Harvests credentials from local FTP client software
+ Harvests information related to installed mail clients

netwrk
--------------
[ssl]
104.16.54.3     blockchain.info

[http]
195.123.234.158 GET /viewtopic.php?f576=... HTTP/1.1    WinHttp.WinHttpRequest.5.1
195.123.234.158 POST /p/g_38472341.php      HTTP/1.0    Mozilla/4.0
195.123.234.158 POST /p/g_38472341.php      HTTP/1.0    Mozilla/4.0

comp
--------------
Oplata po kontraktu chetverg.exe    2552    TCP localhost   52468   104.16.54.3 443 ESTABLISHED
Oplata po kontraktu chetverg.exe    2552    TCP localhost   52469   195.123.234.158 80  ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Oplata po kontraktu chetverg.exe
C:\Users\operator\Desktop\Oplata po kontraktu chetverg.exe dfsr
C:\Windows\system32\cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\operator\Desktop\Oplata po kontraktu chetverg.exe
C:\Windows\system32\PING.EXE 127.0.0.1

persist
--------------
no persist, removes itself (!)

drop
--------------
C:\Users\operator\Desktop\Oplata po kontraktu chetverg.exe

# # #
https://www.virustotal.com/gui/file/4adc1bc6d3d9320ca72582dab93565d23a827177dfb023db9dc6543b363831cd/details

https://www.virustotal.com/gui/file/543f604d946d384aa5dc3c9eaf1016125376cff237a73e6f04bd5891f3f62e36/details

https://analyze.intezer.com/#/analyses/91e44f44-fdd3-4db1-a143-0b27d592839c

https://www.virustotal.com/gui/file/6ab32315f6d5f1e5da3b340cf45b8445ff6eb791b1edfbfc4bbd887637904038/details

VR