#IOC #OptiData #VR #DBatLoader #TeamSpy #TVRAT #teamviewer #rat
https://pastebin.com/qJJ0FP7N
previous_contact:
01/02/19 https://pastebin.com/mxZdTDsp
FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy
attack_vector
--------------
email attach .zip > .7z > .rar (multi) > .rar (pwd) > .pdf.exe > .msi > AcroRd.exe > C2
# # # # # # # #
email_headers
# # # # # # # #
Date: Wed, 21 Aug 2024 14:20:39 +0300
From: Устименко Клавдія Левівна <ukrgas @gmail _com>
Subject: Документи на підпис ТОВ "УКР ГАЗ РЕСУРС" до 01.09.24
Reply-To: "public @cip _gov _ua" <public @cip _gov _ua>
Received: from pizza -ct -smtp -03 _virtualhosting _hk ([45 _121 _199 _161])
Received: from uhm219 _servercolo _hk (unknown [203 _135 _134 _164])
Received: from unknown (HELO WIN -LCETV91VPS6) (test @lbsgroup _com _cn @[193 _33 _153 _88])
# # # # # # # #
files
# # # # # # # #
SHA-256 130ea8caec2791391ea4158b72b5780258052aadf2166c4394fcf7fe405dc1f2
File name scan_docs_023747_medoc.zip
File size 10.68 MB (11199366 bytes)
SHA-256 b111ea050b12e846fb02f8542e69bc4b2e062bbe97e79fec9e00e62ce0c92323
File name Документи.7z
File size 10.68 MB (11198898 bytes)
SHA-256 ecda819c9310673f61be9eba59d57517488131859359378c955ca902014d00a2
File name Документи.part1.rar
File size 4.00 MB (4194304 bytes)
SHA-256 860759b71749e09f9bebf0b8148dd7658c902197f34caedb067806f550ed8af2
File name Документи.part2.rar
File size 4.00 MB (4194304 bytes)
SHA-256 f721239ef73d2b9b9ee780cc27cf7db18e38c0a76e3943e4ab251843a34f7184
File name Документи.part3.rar
File size 2.49 MB (2612628 bytes)
SHA-256 9365d958675a4656eddfcdbed058a006a46d447e3575c2a1f6f5c926c0d89be5
File name Документи.rar
File size 10.21 MB (10708798 bytes)
SHA-256 dda723c5cd12c505c74c66391c9cf5cfaf8a7aab5fbaf5d0b8599a3a7650154c
File name scan_9374673_Medoc.pdf.exe
File size 10.27 MB (10771544 bytes)
SHA-256 beffe9a402b7721009674866ad773008c90b6af543973abdfb81391af4eb7146
File name AcroRd.exe
File size 8.65 MB (9068720 bytes)
# # # # # # # #
activity
# # # # # # # #
PL_SCR bitbucket _org/ukgas/medoc/downloads/scan_docs_023747_medoc.zip
C2 hostes _su 109 _120 _179 _182
netwrk
--------------
185 _40 _77 _118 id _xn --80akicokc0aablc _xn--p1ai 443 TLSv1.2 Client Hello (SNI=id _xn--80akicokc0aablc _xn--p1ai)
109 _120 _179 _182 hostes _su 80 HTTP GET /65iq/update.php?id=***&stat=*** HTTP/1.1 Mozilla/5.0 (MSIE 10.0)
188 _72 _76 _15 44444 TCP [TCP Keep-Alive] 51219 → 44444 [ACK] Seq=183 Ack=156 Win=64085 Len=1
comp
--------------
AcroRd.exe 185 _40 _77 _118 443
AcroRd.exe 188 _72 _76 _15 44444
AcroRd.exe 109 _120 _179 _182 80
AcroRd.exe 185 _40 _77 _118 443
AcroRd.exe 185 _40 _76 _91 44444
proc
--------------
C:\Users\User01\Downloads\files2108_1\5_scan_9374673_Medoc.pdf.exe
C:\Users\User01\AppData\Local\Temp\is-LKIHR.tmp\5_scan_9374673_Medoc.pdf.tmp" /SL5="$F0940,10384029,125952,C:\Users\User01\Downloads\files2108_1\5_scan_9374673_Medoc.pdf.exe
C:\Users\User01\Downloads\files2108_1\5_scan_9374673_Medoc.pdf.exe" /verysilent /password=n3xbi
C:\Users\User01\AppData\Local\Temp\is-7PANK.tmp\5_scan_9374673_Medoc.pdf.tmp" /SL5="$100940,10384029,125952,C:\Users\User01\Downloads\files2108_1\5_scan_9374673_Medoc.pdf.exe" /verysilent /password=n3xbi
C:\Windows\SysWOW64\msiexec.exe -i "C:\Users\User01\AppData\Local\Temp\is-KFMTQ.tmp\Acrobat.msi" -qn
{another context}
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding 84F4EC5730D3832467AB82B5DADF316C
"C:\Users\User01\AppData\Local\Programs\Acrobat\Reader\AcroRd.exe"
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Thu Aug 22 20:11:59 2024
Adobe Ассистент 5 (Verified) SAFIB LLC C:\Users\User01\AppData\Local\Programs\Acrobat\Reader\AcroRd.exe Mon Jul 31 16:02:32 2023
drop
--------------
\Users\User01\AppData\Local\Programs\Acrobat\Reader\AcroRd.exe
# # # # # # # #
additional info
# # # # # # # #
msi /password=n3xbi
[config]
AccessRules.DeviceLink&0
tmpUserAccessRules.DeviceLink&0
Main.Autorun&1
Main.CloseButtonOperation&0
Main.CheckUpdates&0
Security.UseLocalSecuritySettings&0
Security.DynPassKind&0
Security.PassLifetime&0
Security.CanWinAuth&1
Security.AccessKind&1
Security.CanWinLoginAnotherUser&1
Security.CanWinLoginNotAdmin&1
Security.DenyRemoteSettingsControl&0
Security.DenyLockControls&0
Security.UNCONTROLLED_ACCESS&1
Log.ServerStoreTechLog&0
Main.AWAYMODE_REQUIRED&1
Main.LogsLifetime&1
Main.LogsForMail2Support&1
ProxySettings.UseKind&1
ProxySettings.StoreUserAndPassw&1
VR