#IOC #OptiData #VR #nanocore #RAT #11882
https://pastebin.com/e5f24Y8F
FAQ: https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .xlsx > 11882 > EQNEDT32 > GET 1 URL > AppData\Roaming\QJK.exe

email_headers
--------------
Received: from yahoo.com ([37.49.225.98])
by srv8.victim1.com for <user0@victim1.com>;
(envelope-from rainbow_indusry13@yahoo.com)
From: =?UTF-8?B?VmlrdG9yIETDvHN0ZXI=?= <duester@helit.de>
To: user0@victim1.com
Subject: New Order
Date: 07 Jan 2019 09:09:28 -0800

files
--------------
SHA-256 4fb7500ef550996650a4b9e5fdc0ccecac71a5e45a5141d5238e8fe42fbf81c1
File name 20424035-12136.xlsx [Microsoft Excel 2007+]
File size 151.48 KB
SHA-256 75cce79dac2daa0a8e1bec07c67d5d80e4da256e4c5c370c3896f2c7498316ca
File name GID.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 497.84 KB

activity
**************
PL_SC h11p:\ bellstonehitech{.} net/Old/GID.exe
C2 194.5.99.5

netwrk
--------------
162.215.253.210 bellstonehitech{.} net GET /Old/GID.exe HTTP/1.1 Mozilla/4.0

comp
--------------
EQNEDT32.EXE 2456 TCP 162.215.253.210 80 ESTABLISHED
QJK.exe 4036 TCP 194.5.99.5 2017 SYN_SENT

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\QJK.exe

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.01.2019 9:02
ARP Service Lachrymatory
c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe 29.07.2004 4:00

drop
--------------
C:\Users\operator\AppData\Roaming\QJK.exe
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\run.dat
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\Logs\operator\KB_51995750.dat
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe

# # #
https://www.virustotal.com/#/file/4fb7500ef550996650a4b9e5fdc0ccecac71a5e45a5141d5238e8fe42fbf81c1/details
https://www.virustotal.com/#/file/75cce79dac2daa0a8e1bec07c67d5d80e4da256e4c5c370c3896f2c7498316ca/details
https://analyze.intezer.com/#/analyses/52a05ad8-5f93-45c4-9482-6a6653471a10

VR
@