- #IOC #OptiData #VR #nanocore #RAT #RTF #OLE #XLS #VBA
- https://pastebin.com/cSy68j5q
- previous_contact:
- 07/01/19 https://pastebin.com/e5f24Y8F
- FAQ: https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/
- attack_vector
- --------------
- email attach .doc (RTF) > OLE > 2 excel > macro_URLDownloadToFileA > GET 1 URL > .exe
- email_headers
- --------------
- Received: from bitrecall.com (mail.bitrecall.com [94.177.166.132])
- Received: from pec.it (unknown [184.164.139.195])
- From: Accounts <asp.srls@pec.it>
- To: user00@org88.victim0.com
- Subject: Re: Invoice payment
- Date: 25 Apr 2019 05:18:16 -0700
- files
- --------------
- SHA-256 6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26
- File name invoice and po.doc [Rich Text Format data, version 1, unknown character set]
- File size 290.43 KB (297400 bytes)
- two OLE objects extracted from the RTF:
- SHA-256 0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500
- File name invoice and po.doc_object_00002904.bin [Composite Document File V2 Document, Little Endian, Os: Windows]
- File size 51 KB (52224 bytes)
- SHA-256 17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961
- File name invoice and po.doc_object_00021CCF.bin [Composite Document File V2 Document, Little Endian, Os: Windows]
- File size 51 KB (52224 bytes)
- payload:
- SHA-256 56f4a8947d55e20bc17f7e05dcc7484940c19845366c3e22ffa4f02e7cffd1cb
- File name stub[1].exe [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 521.87 KB (534392 bytes)
- activity
- **************
- PL_SRC 104.238.117.30 depedpasay{.}ph [ssl]
- C2 91.192.100.11 [ssl]
- netwrk
- --------------
- 104.238.117.30 depedpasay{.}ph Client Hello
- 91.192.100.11 49188 → 7077 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- comp
- --------------
- EXCEL.EXE 220 TCP localhost 49185 104.238.117.30 443 ESTABLISHED
- EXCEL.EXE 220 TCP localhost 49186 13.107.4.50 80 ESTABLISHED
- stub[1].exe 224 TCP localhost 49188 91.192.100.11 7077 SYN_SENT
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- ...
- "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding
- "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding
- C:\tmp\stub[1].exe
- "C:\Program Files (x86)\Microsoft Office\Office12\excelcnv.exe" -Embedding
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.05.2019 12:46
- ARP Service witneyer omnipotentiality
- c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe 02.11.1993 13:41
- drop
- --------------
- C:\tmp\stub[1].exe
- C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe
- # # #
- https://www.virustotal.com/gui/file/6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26/details
- https://www.virustotal.com/gui/file/0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500/details
- https://www.virustotal.com/gui/file/17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961/details
- https://www.virustotal.com/gui/file/56f4a8947d55e20bc17f7e05dcc7484940c19845366c3e22ffa4f02e7cffd1cb/details
- https://analyze.intezer.com/#/analyses/7f554b60-55ba-48f7-b83c-750c6f31a756
- VR