- Malware Family: #Servhelper
- MD5s:
- 57484338303a48dffadf466f74db4bab
- IPs:
- 169.239.129[.]117
- Domain:
- towerprod3[.]com
- URL:
- hxxp://towerprod3[.]com/docs/saz.php
- LOLBAS:
- p1.exe 3628
- rundll32.exe 3336 "rundll32.exe" C:\Users\user\AppData\Local\Temp\CLUBQCRHWH.dll, XHBBIGJC
- cmd.exe 1444 cmd.exe /C powershell -ep bypass -f C:\Users\user\AppData\Local\Temp\en.ps1
- powershell.exe 2236 powershell -ep bypass -f C:\Users\user\AppData\Local\Temp\en.ps1
- net.exe 3864 "C:\Windows\system32\net.exe" localgroup Administrators
- net1.exe 3832 C:\Windows\system32\net1 localgroup Administrators
- cmd.exe 1988 cmd.exe /C whoami
- whoami.exe 3120 whoami
- svchost.exe 592 C:\Windows\system32\svchost.exe -k DcomLaunch
- WmiPrvSE.exe 3728 C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- PowerShell:
- Invoke-Expression -Command $([string]([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('aQBmACgAKABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBDAG8AbQBwAHUAdABlAHIAUwB5AHMAdABlAG0AKQAuAFAAYQByAHQATwBmAEQAbwBtAGEAaQBuACAALQBlAHEAIAAkAHQAcgB1AGUAKQAgAHsADQAKACAAIAAgACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiACQAZQBuAHYAOgBDAE8ATQBQAFUAVABFAFIATgBBAE0ARQAgAGkAcwAgAHAAYQByAHQAIABvAGYAIAB0AGgAZQAgAGQAbwBtAGEAaQBuADoAIAAkACgAKABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBDAG8AbQBwAHUAdABlAHIAUwB5AHMAdABlAG0AKQAuAEQAbwBtAGEAaQBuACkALgAiAA0ACgB9ACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiACQAZQBuAHYAOgBDAE8ATQBQAFUAVABFAFIATgBBAE0ARQAgAGkAcwAgAG4AbwB0ACAAcABhAHIAdAAgAG8AZgAgAGEAIABkAG8AbQBhAGkAbgAuACIAOwANAAoAfQANAAoADQAKACQAZwByAG8AdQBwACAAPQAgAEcAdwBtAGkAIAB3AGkAbgAzADIAXwBnAHIAbwB1AHAAIAAtAEYAaQBsAHQAZQByACAAIgBEAG8AbQBhAGkAbgA9ACcAJABlAG4AdgA6AGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlACcAIABhAG4AZAAgAFMASQBEAD0AJwBTAC0AMQAtADUALQAzADIALQA1ADQANAAnACIAOwAgAA0ACgAkAGEAZABtACAAPQAgACQAZwByAG8AdQBwAC4ATgBhAG0AZQA7AA0ACgAkAHUAIAA9ACAAJABlAG4AdgA6AFUAcwBlAHIAbgBhAG0AZQA7ACAADQAKACQAdABlAHMAdAA9AG4AZQB0ACAAbABvAGMAYQBsAGcAcgBvAHUAcAAgACQAYQBkAG0AIAB8ACAAVwBoAGUAcgBlACAAewAkAF8AIAAtAG0AYQB0AGMAaAAgACQAdQB9ACAALQBvAHUAdAB2AGEAcgBpAGEAYgBsAGUAIAAkAHQAZQBzAHQADQAKAGkAZgAgACgAJAB0AGUAcwB0ACAALQBlAHEAIAAkAGUAbgB2ADoAdQBzAGUAcgBuAGEAbQBlACkAewBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAaQBzACAAcABhAHIAdAAgAG8AZgAgAGEAZABtAGkAbgAgAGcAcgBvAHUAcAAiAH0AZQBsAHMAZQB7AFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAIgBuAG8AdAAgAGEAZABtAGkAbgAiAH0AOwANAAoADQAKACAAIAAgACAAJAB1AHMAZQByACAAPQAgAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQA7AA0ACgAJACQAcgBlAHMAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAUAByAGkAbgBjAGkAcABhAGwAIAAkAHUAcwBlAHIAKQAuAEkAcwBJAG4AUgBvAGwAZQ
AoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEIAdQBpAGwAdABpAG4AUgBvAGwAZQBdADoAOgBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByACkAIAAgAA0ACgB3AHIAaQB0AGUALQBvAHUAdABwAHUAdAAgACIAYQBkAG0AaQBuACgAaABpAGcAaAAgAGkAbgB0AGUAZwByAGkAdAB5ACkAOgAgACQAcgBlAHMAIgAgAA0ACgANAAoAZwBkAHIAIAAtAFAAUwBQAHIAbwB2AGkAZABlAHIAIAAnAEYAaQBsAGUAUwB5AHMAdABlAG0AJwANAAoAIwBpAGYAIAAoACgAJAB1ACAAPQAgACIAJABlAG4AdgA6AFUAcwBlAHIAbgBhAG0AZQAiADsAIABuAGUAdAAgAGwAbwBjAGEAbABnAHIAbwB1AHAAIAAkAGEAZABtACAAfAAgAFcAaABlAHIAZQAgAHsAJABfACAALQBtAGEAdABjAGgAIAAkAHUAfQApACAALQBlAHEAIAAkAGUAbgB2ADoAdQBzAGUAcgBuAGEAbQBlACkAewBlAGMAaABvACAAZwBvAG8AZAB9AGUAbABzAGUAewBlAGMAaABvACAAYgBhAGQAfQA7AA0ACgANAAoA'))))
- #malware #OSINT #IOC #MalBeacon #Lagos