#nanocore_070119

VRad, Jan 9th, 2019 (edited)
#IOC #OptiData #VR #nanocore #RAT #11882

https://pastebin.com/e5f24Y8F

FAQ:    https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .xlsx > 11882 > EQNEDT32 > GET 1 URL > AppData\Roaming\QJK.exe

email_headers
--------------
Received: from yahoo.com ([37.49.225.98])
    by srv8.victim1.com for <user0@victim1.com>;
    (envelope-from rainbow_indusry13@yahoo.com)
From: =?UTF-8?B?VmlrdG9yIETDvHN0ZXI=?= <duester@helit.de>
To: user0@victim1.com
Subject: New Order
Date: 07 Jan 2019 09:09:28 -0800

files
--------------
SHA-256     4fb7500ef550996650a4b9e5fdc0ccecac71a5e45a5141d5238e8fe42fbf81c1
File name   20424035-12136.xlsx [Microsoft Excel 2007+]
File size   151.48 KB

SHA-256     75cce79dac2daa0a8e1bec07c67d5d80e4da256e4c5c370c3896f2c7498316ca
File name   GID.exe         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   497.84 KB

activity
**************

PL_SC   h11p:\ bellstonehitech{.} net/Old/GID.exe

C2      194.5.99.5

netwrk
--------------
162.215.253.210 bellstonehitech{.} net  GET /Old/GID.exe HTTP/1.1   Mozilla/4.0

comp
--------------
EQNEDT32.EXE    2456    TCP 162.215.253.210 80    ESTABLISHED
QJK.exe         4036    TCP 194.5.99.5      2017  SYN_SENT

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\QJK.exe

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                      09.01.2019 9:02
ARP Service Lachrymatory
c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe    29.07.2004 4:00

drop
--------------
C:\Users\operator\AppData\Roaming\QJK.exe
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\run.dat
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\Logs\operator\KB_51995750.dat
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe

# # #
https://www.virustotal.com/#/file/4fb7500ef550996650a4b9e5fdc0ccecac71a5e45a5141d5238e8fe42fbf81c1/details
https://www.virustotal.com/#/file/75cce79dac2daa0a8e1bec07c67d5d80e4da256e4c5c370c3896f2c7498316ca/details
https://analyze.intezer.com/#/analyses/52a05ad8-5f93-45c4-9482-6a6653471a10

VR

@