VRad

#autoit_120421

Apr 12th, 2021 (edited)
#IOC #OptiData #VR #?Autoit #RTF #11882

https://pastebin.com/yBpP4PPw

previous_contact: n/a

FAQ: n/a

attack_vector
--------------
email > URL > GET1 file.doc (RTF) > 11882 > GET2 exe > Public\69577.exe > exfil 31.42.185.63:8080 POST /upld

email_headers
--------------
n/a


files
--------------
SHA-256 2ec710d38a0919f9f472b220cfe8d554a30d24bfa4bdd90b96105cee842cf40d
File name form_request.doc [ Rich Text Format data, unknown version ]
File size 4.33 MB (4536093 bytes)

SHA-256 2945393c74dd6d8de782e060362cdd468004ae2633bb4958c6063cd2fd5f5561
File name 69577.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size 727.50 KB (744960 bytes)

SHA-256 b24eac4c704502ee8952ad32384daec5894fd81d7bb668224730d4fb06293942
File name 69577_unpck.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size 878.50 KB (899584 bytes)


activity
**************
PL_SCR bit.ly/3g2b8LE >> http://gosloto.site/doc221/form_request.doc

RTF_exploit get payload:

bit.ly/2RgI60a >> http://name1d.site/index333.txt

C2 31.42.185.63:8080

config provided by @James_inthe_box
https://gist.github.com/silence-is-best/abc7a8f2bbe75ef1ae7d0d52ab0ac3be

netwrk
--------------
67.199.248.11 bit.ly GET /2RgI60a HTTP/1.1 Mozilla/4.0 (compatible; )
45.12.4.113 name1d.site GET /index333.txt HTTP/1.1 Mozilla/4.0 (compatible; )
31.42.185.63 31.42.185.63:8080 POST /upld/AC38D1C7 HTTP/1.1 (application/upload) Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

comp
--------------
69577.exe 3280 TCP 31.42.185.63 8080 ESTABLISHED


proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

{another context}

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Public\69577.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pdf" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.ppt" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.dot" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.xl" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.csv" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.rtf" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.dot" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.mdb" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.accdb" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pot" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pps" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.ppa" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.rar" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.zip" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.tar" /S /B /A
C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.7z" /S /B /A

persist
--------------
n/a

drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\A9BOO410\2RgI60a[1].htm
C:\tmp\Temporary Internet Files\Content.IE5\2M7UPI8M\index333[1].txt
C:\Users\Public\69577.exe

# # #
VT details

Dropped files
**************
https://www.virustotal.com/gui/file/2ec710d38a0919f9f472b220cfe8d554a30d24bfa4bdd90b96105cee842cf40d/details

https://www.virustotal.com/gui/file/2945393c74dd6d8de782e060362cdd468004ae2633bb4958c6063cd2fd5f5561/details
https://analyze.intezer.com/analyses/04736007-c080-4618-816f-8102107cec24
https://www.virustotal.com/gui/file/b24eac4c704502ee8952ad32384daec5894fd81d7bb668224730d4fb06293942/details
https://analyze.intezer.com/analyses/6385cdea-a244-42eb-bd2d-092d20a5b314


URL
**************
https://www.virustotal.com/gui/domain/gosloto.site/details
https://urlscan.io/result/a13bd0cc-8f18-4711-91e5-4895e1aae174/
https://www.virustotal.com/gui/domain/name1d.site/details
https://urlscan.io/result/2904d14d-4394-44e0-8a2c-03bb4f4db1a2/

https://www.virustotal.com/gui/url/2a68bce4fe20b2232df45e69bec8386edb425f8e4d7db8ffe26603a3a0f18873/details
https://www.virustotal.com/gui/url/995bdac754ca4bbee7f630f8cb9673dd0d3b48534f253b8e6532762f6439c734/details

VR