VRad

#fareit_270219

Feb 27th, 2019
#IOC #OptiData #VR #fareit #pony #RTF11882

https://pastebin.com/wyRGBXfj

previous contact:
https://pastebin.com/u0D14L5r

FAQ:
https://radetskiy.wordpress.com/?s=fareit

attack_vector
--------------
email attach .doc (RTF) > 11882 > GET URL > \appdata\roaming\*.exe

email_headers
--------------
n/a

files
--------------
SHA-256 742e8b89226e7ab2dbaa2bdf998a80ec84c5b989a82512dcd8c9ae83915edae0
File name PO-4300023687.doc [Rich Text Format data, version 1]
Last analysis 2019-02-27 10:25:11 UTC

SHA-256 8ae23c556d2dc1fb114eb4d9128766ee9765884e2748c32e5e643fc23be7fc7c
File name we.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 679.5 KB

activity
**************
PL_SRC
enderezadoypinturaag{.} com/vfls/we.exe

C2
iat-dz{.} com/papi/gate.php
iat-dz{.} com/papi/shit.php

netwrk
--------------
192.185.28.238 www.enderezadoypinturaag{.} com GET /vfls/we.exe HTTP/1.1 no User Agent
145.239.232.110 www.iat-dz{.} com POST /papi/gate.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
145.239.232.110 www.iat-dz{.} com GET /papi/shit.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

comp
--------------
EQNEDT32.EXE 968 TCP localhost 49237 192.185.28.238 80 ESTABLISHED
fdgdfsdafgdfsd.exe 2976 TCP localhost 49238 145.239.232.110 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\fdgdfsdafgdfsd.exe
cmd /c ""C:\tmp\1663343.bat" "C:\Users\operator\AppData\Roaming\fdgdfsdafgdfsd.exe" "

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\fdgdfsdafgdfsd.exe * (remove itself!!)

# # #
https://www.virustotal.com/#/file/742e8b89226e7ab2dbaa2bdf998a80ec84c5b989a82512dcd8c9ae83915edae0/details
https://www.virustotal.com/#/file/8ae23c556d2dc1fb114eb4d9128766ee9765884e2748c32e5e643fc23be7fc7c/details
https://analyze.intezer.com/#/analyses/87499ebd-0f95-4e87-8d59-03a11d4ae8e9

VR

@