#fareit_270219

VRad Feb 27th, 2019 (edited)
#IOC #OptiData #VR #fareit #pony #RTF11882

https://pastebin.com/wyRGBXfj

previous contact:
https://pastebin.com/u0D14L5r

FAQ:
https://radetskiy.wordpress.com/?s=fareit

attack_vector
--------------
email attach .doc (RTF) > 11882 > GET URL > \appdata\roaming\*.exe

email_headers
--------------
n/a

files
--------------
SHA-256 742e8b89226e7ab2dbaa2bdf998a80ec84c5b989a82512dcd8c9ae83915edae0
File name   PO-4300023687.doc       [Rich Text Format data, version 1]
Last analysis   2019-02-27 10:25:11 UTC

SHA-256 8ae23c556d2dc1fb114eb4d9128766ee9765884e2748c32e5e643fc23be7fc7c
File name   we.exe              [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   679.5 KB

activity
**************
PL_SRC
enderezadoypinturaag{.} com/vfls/we.exe

C2
iat-dz{.} com/papi/gate.php
iat-dz{.} com/papi/shit.php

netwrk
--------------
192.185.28.238  www.enderezadoypinturaag{.} com GET /vfls/we.exe    HTTP/1.1    no User Agent
145.239.232.110 www.iat-dz{.} com       POST /papi/gate.php     HTTP/1.0    Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
145.239.232.110 www.iat-dz{.} com       GET /papi/shit.php  HTTP/1.0    Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

comp
--------------
EQNEDT32.EXE        968 TCP localhost   49237   192.185.28.238  80  ESTABLISHED
fdgdfsdafgdfsd.exe  2976    TCP localhost   49238   145.239.232.110 80  ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\fdgdfsdafgdfsd.exe
cmd /c ""C:\tmp\1663343.bat"       "C:\Users\operator\AppData\Roaming\fdgdfsdafgdfsd.exe"   "
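The netwrk, comp and proc observations above boil down to two detectable behaviours: the Equation Editor helper (EQNEDT32.EXE) fetching an .exe over HTTP with no User-Agent, and the dropped binary checking in over HTTP/1.0 with the hard-coded "MSIE 5.0; Windows 98" User-Agent. The following is an added detection check, not part of the original paste; the records are constructed from the page's own indicators plus one constructed benign record for contrast.

```python
# Constructed sample records modelled on the "netwrk" and "comp" sections
# (process name, HTTP method, host, path, HTTP version, User-Agent).
SAMPLE_EVENTS = [
    {"proc": "EQNEDT32.EXE", "method": "GET", "host": "www.enderezadoypinturaag.com",
     "path": "/vfls/we.exe", "ver": "HTTP/1.1", "ua": ""},
    {"proc": "fdgdfsdafgdfsd.exe", "method": "POST", "host": "www.iat-dz.com",
     "path": "/papi/gate.php", "ver": "HTTP/1.0",
     "ua": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"},
    {"proc": "fdgdfsdafgdfsd.exe", "method": "GET", "host": "www.iat-dz.com",
     "path": "/papi/shit.php", "ver": "HTTP/1.0",
     "ua": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"},
    # Constructed benign record for contrast.
    {"proc": "chrome.exe", "method": "GET", "host": "www.example.com",
     "path": "/", "ver": "HTTP/1.1", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
]

# Office helper binaries that have no business initiating HTTP traffic.
OFFICE_HELPERS = {"eqnedt32.exe"}
# Hard-coded User-Agent seen on the Pony/Fareit check-in above.
PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"


def classify(ev):
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    proc = ev["proc"].lower()
    path = ev["path"].lower()
    if proc in OFFICE_HELPERS:
        hits.append("office_helper_http")          # EQNEDT32.EXE -> web
    if path.endswith(".exe") and not ev["ua"]:
        hits.append("exe_download_no_user_agent")  # raw shellcode downloader
    if ev["ver"] == "HTTP/1.0" and ev["ua"] == PONY_UA:
        hits.append("pony_user_agent")             # HTTP/1.0 + MSIE 5.0/Win98
    if ev["method"] == "POST" and path.endswith("/gate.php") and ev["ua"] == PONY_UA:
        hits.append("pony_gate_checkin")           # stolen-data upload to C2
    return hits


def scan(events):
    """Map each event index to its rule hits, skipping events with none."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['proc']} {ev['method']} {ev['host']}{ev['path']} -> {rules}")
```

The process-name rule is the durable one: domains and the UA string change between campaigns, but Equation Editor opening a socket does not belong in any baseline.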

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\fdgdfsdafgdfsd.exe * (removes itself!!)

# # #
https://www.virustotal.com/#/file/742e8b89226e7ab2dbaa2bdf998a80ec84c5b989a82512dcd8c9ae83915edae0/details
https://www.virustotal.com/#/file/8ae23c556d2dc1fb114eb4d9128766ee9765884e2748c32e5e643fc23be7fc7c/details
https://analyze.intezer.com/#/analyses/87499ebd-0f95-4e87-8d59-03a11d4ae8e9

VR

@