- #IOC #OptiData #VR #GuLoader #CloudEyE #vbdropper #AgentTesla #Formbook #RemcosRAT
- https://pastebin.com/qyP694eD
- previous_contact:
- n/a
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
- https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email attach .xls > macro > get .doc(RTF) > EQNEDT32 (CVE-2017-11882) > get .hta > powershell > get .exe > %temp%\IBM_Linixe.exe
- # # # # # # # #
- email_headers
- # # # # # # # #
- Received: from harbor.btroot.com ([88.209.206.60])
- From: Alexandra Popova <kathy@btroot.com>
- Subject: Статус заказов SLB 25.07.23
- Date: 25 Jul 2023 21:08:36 +0700
- Message-ID: <20230725210836.8CF56E3768CC68F7@btroot.com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 5ae0b1bc5c8c0eaa93f5e8c5542b7ed6ff7501e315945516187ca02905d631d9
- File name Статус заказов SLB 25.07.23.xls [MS Excel Spreadsheet]
- File size 665.50 KB (681472 bytes)
- SHA-256 8e32b8fdc7c08414a82662fa1a6e0c92a1332631c60e96760a6dec9f3fe07978
- File name CMSHCMSHCMSHCMSHCMSHCMSH##################CMSHCMSHCMSHCMSHCMSH.DOC [RTF, CVE-2017-11882]
- File size 24.94 KB (25537 bytes)
- SHA-256 1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751
- File name CMSh.hta (IE_Networks.hta)
- File size 9.03 KB (9250 bytes)
- SHA-256 fc423870796dff42517d1695ac87a45b54e52f18a76184ea31f64ec778f80348
- File name wininit.exe (IBM_Linixe.exe) [PE32 executable, Nullsoft Installer self-extracting archive]
- File size 502.32 KB (514376 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR http://192.3.243{.}146/ibi/cmsh/CMSHCMSHCMSHCMSHCMSHCMSH%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23CMSHCMSHCMSHCMSHCMSH.DOC
- http://192.3.243{.}146/ibi/CMSh.hta
- https://103.16.215{.}196/M247T/wininit.exe
- (!) update_27/07/23
- 192.3.243{.}146 on URLhaus Database https://urlhaus.abuse.ch/host/192.3.243.146/
- 192.3.243{.}146 on MalwareBazaar Database https://bazaar.abuse.ch/browse/tag/192-3-243-146/
- C2 n/a
- netwrk
- --------------
- 192.3.243.146 80 HTTP GET /ibi/cmsh/CMSHCMSHCMSHCMSHCMSHCMSH%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23CMSHCMSHCMSHCMSHCMSH.DOC HTTP/1.1 Mozilla/4.0
- 192.3.243.146 80 HTTP HEAD /ibi/cmsh/CMSHCMSHCMSHCMSHCMSHCMSH%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23CMSHCMSHCMSHCMSHCMSH.DOC HTTP/1.1 Microsoft Office Existence Discovery
- 192.3.243.146 80 HTTP GET /ibi/CMSh.hta HTTP/1.1 Mozilla/4.0
- 103.16.215.196 80 HTTP GET /M247T/wininit.exe HTTP/1.1 Mozilla/5.0 (Windows NT; Windows NT 6.1; uk-UA) WindowsPowerShell/5.1.14409.1005
- comp
- --------------
- EXCEL.EXE 2308 TCP 192.3.243.146 80 ESTABLISHED
- svchost.exe 828 TCP 192.3.243.146 80 ESTABLISHED
- WINWORD.EXE 4716 TCP 192.3.243.146 80 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
- {other context}
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" -Embedding
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
- "C:\Windows\SysWOW64\mshta.exe" "C:\tmp\IE_Networks.hta"
- "C:\Windows\systEm32\WinDOwspowERSHeLl\v1.0\poWERsHelL.EXE" "PowershELl -EX BypASS -nop -w 1 -ec IAAgAAkA...AB0g "
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypASS -nop -w 1 -ec IAAgAAkA...AB0g
- "C:\tmp\IBM_Linixe.exe"
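- Added example (not part of the paste and not from any tool the author used): a small Python checker that walks process records shaped like the proc list above and flags the EQNEDT32 > mshta > powershell chain. The parent PIDs in the sample are assumed (the paste does not record them; EQNEDT32 is normally COM-activated under svchost, so the rule keys on what EQNEDT32 spawns rather than on what spawned it), and the -ec payload is a constructed placeholder, not the real one. Matching is done on the lower-cased image basename because the paste shows the PowerShell path with randomised case (systEm32\WinDOwspowERSHeLl), which defeats case-sensitive string rules.

```python
"""Flag the EQNEDT32 -> mshta -> powershell chain in process command lines.

Added example for the IOC paste; sample records are constructed, parent PIDs
are assumed, and the base64 payload is a placeholder.
"""
import base64
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    cmdline: str


# Constructed placeholder standing in for the real "-ec IAAgAAkA...AB0g" blob.
PLACEHOLDER_EC = base64.b64encode("Write-Host placeholder".encode("utf-16-le")).decode()

# Constructed sample modelled on the proc section; ppids are assumptions.
SAMPLE_PROCS = [
    Proc(828, 700, r"C:\Windows\System32\svchost.exe -k DcomLaunch"),
    Proc(2308, 900, r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e'),
    Proc(4716, 828, r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" -Embedding'),
    Proc(5100, 828, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    Proc(5220, 5100, r'"C:\Windows\SysWOW64\mshta.exe" "C:\tmp\IE_Networks.hta"'),
    Proc(5300, 5220, r'"C:\Windows\systEm32\WinDOwspowERSHeLl\v1.0\poWERsHelL.EXE" '
                     f'"PowershELl -EX BypASS -nop -w 1 -ec {PLACEHOLDER_EC} "'),
    Proc(5400, 5300, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     f"-EX BypASS -nop -w 1 -ec {PLACEHOLDER_EC}"),
    Proc(5500, 5400, r'"C:\tmp\IBM_Linixe.exe"'),
    Proc(6000, 900, r'"C:\Windows\System32\notepad.exe"'),
]

# First token of the command line: a quoted path, or an unquoted path up to ".exe".
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)
# -ExecutionPolicy (any prefix such as -EX) followed by Bypass.
EXEC_POLICY_RE = re.compile(r"(?i)(?:^|\s)-ex\w*\s+bypass")
# -EncodedCommand and its accepted prefixes, followed by the base64 blob.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the executable, so mixed-case paths still match."""
    m = IMAGE_RE.match(cmdline)
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text (UTF-16LE base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(procs: List[Proc]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the chain seen in the paste."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = image_name(p.cmdline)
        parent = by_pid.get(p.ppid)
        pname = image_name(parent.cmdline) if parent else ""
        # The Equation Editor has no legitimate reason to spawn anything.
        if pname == "eqnedt32.exe":
            findings.append(("eqnedt32_child", p.pid, name))
        if pname == "mshta.exe" and name == "powershell.exe":
            findings.append(("mshta_spawns_powershell", p.pid, name))
        if name == "powershell.exe":
            if EXEC_POLICY_RE.search(p.cmdline):
                findings.append(("execution_policy_bypass", p.pid, name))
            decoded = decode_encoded_command(p.cmdline)
            if decoded is not None:
                findings.append(("encoded_command", p.pid, decoded))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_PROCS):
        print(f"{rule:26} pid={pid} {detail}")
```

- The checker reports six findings on the sample: mshta as a child of EQNEDT32, mshta spawning PowerShell, and for each of the two PowerShell instances both the policy bypass and the decoded encoded command.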
- persist
- --------------
- n/a
- drop
- --------------
- Статус заказов SLB 25.07.23.xls
- CMSHCMSHCMSHCMSHCMSHCMSH##################CMSHCMSHCMSHCMSHCMSH[1].doc
- CMSh[1].hta [IE_Networks.hta]
- wininit.exe [IBM_Linixe.exe]
- # # # # # # # #
- additional info
- # # # # # # # #
- xls_metadata
- --------------
- File Name : Статус заказов SLB 25.07.23.xls
- Directory : .
- File Size : 666 KiB
- File Modification Date/Time : 2023:07:26 10:47:00+03:00
- File Access Date/Time : 2023:07:26 11:06:39+03:00
- File Inode Change Date/Time : 2023:07:26 11:06:00+03:00
- File Permissions : -rw-rw-rw-
- File Type : XLS
- File Type Extension : xls
- MIME Type : application/vnd.ms-excel
- Author :
- Last Modified By :
- Software : Microsoft Excel
- Create Date : 2006:09:16 00:00:00
- Modify Date : 2023:07:24 16:31:35
- Security : Password protected
- Code Page : Windows Latin 1 (Western European)
- App Version : 12.0000
- Scale Crop : No
- Links Up To Date : No
- Shared Doc : No
- Hyperlinks Changed : No
- Title Of Parts : Sheet1, Sheet2, Sheet3
- Heading Pairs : Worksheets, 3
- Comp Obj User Type Len : 38
- Comp Obj User Type : Microsoft Office Excel 2003 Worksheet
- doc(rtf)_metadata
- --------------
- File Name : CMSHCMSHCMSHCMSHCMSHCMSH##################CMSHCMSHCMSHCMSHCMSH.DOC
- Directory : .
- File Size : 25 KiB
- File Modification Date/Time : 2023:07:26 10:38:09+03:00
- File Access Date/Time : 2023:07:26 10:43:44+03:00
- File Inode Change Date/Time : 2023:07:26 10:38:17+03:00
- File Permissions : -rw-rw-r--
- File Type : TXT
- File Type Extension : txt
- MIME Type : text/plain
- MIME Encoding : iso-8859-1
- Newlines : Macintosh CR
- Line Count : 939
- Word Count : 4166
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/5ae0b1bc5c8c0eaa93f5e8c5542b7ed6ff7501e315945516187ca02905d631d9/details
- https://www.virustotal.com/gui/file/8e32b8fdc7c08414a82662fa1a6e0c92a1332631c60e96760a6dec9f3fe07978/details
- https://www.virustotal.com/gui/file/1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751/details
- https://www.virustotal.com/gui/file/fc423870796dff42517d1695ac87a45b54e52f18a76184ea31f64ec778f80348/details
- https://analyze.intezer.com/analyses/eed0617c-735e-4c3e-9913-183a2a555f64/dynamic-ttps
- VR