- #IOC #OptiData #VR #?Autoit #RTF #11882
- https://pastebin.com/yBpP4PPw
- previous_contact: n/a
- FAQ: n/a
- attack_vector
- --------------
- email > URL > GET1 file.doc (RTF) > 11882 > GET2 exe > Public\69577.exe > exfil 31.42.185.63:8080 POST /upld
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 2ec710d38a0919f9f472b220cfe8d554a30d24bfa4bdd90b96105cee842cf40d
- File name form_request.doc [ Rich Text Format data, unknown version ]
- File size 4.33 MB (4536093 bytes)
- SHA-256 2945393c74dd6d8de782e060362cdd468004ae2633bb4958c6063cd2fd5f5561
- File name 69577.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
- File size 727.50 KB (744960 bytes)
- SHA-256 b24eac4c704502ee8952ad32384daec5894fd81d7bb668224730d4fb06293942
- File name 69577_unpck.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
- File size 878.50 KB (899584 bytes)
- activity
- **************
- PL_SCR bit.ly/3g2b8LE >> http://gosloto.site/doc221/form_request.doc
- RTF_exploit get payload:
- bit.ly/2RgI60a >> http://name1d.site/index333.txt
- C2 31.42.185.63:8080
- config provided by @James_inthe_box
- https://gist.github.com/silence-is-best/abc7a8f2bbe75ef1ae7d0d52ab0ac3be
- netwrk
- --------------
- 67.199.248.11 bit.ly GET /2RgI60a HTTP/1.1 Mozilla/4.0 (compatible; )
- 45.12.4.113 name1d.site GET /index333.txt HTTP/1.1 Mozilla/4.0 (compatible; )
- 31.42.185.63 31.42.185.63:8080 POST /upld/AC38D1C7 HTTP/1.1 (application/upload) Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- comp
- --------------
- 69577.exe 3280 TCP 31.42.185.63 8080 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- {another context}
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- C:\Users\Public\69577.exe
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.doc" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pdf" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.ppt" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.dot" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.xl" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.csv" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.rtf" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.dot" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.mdb" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.accdb" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pot" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.pps" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.ppa" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.rar" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.zip" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.tar" /S /B /A
- C:\Windows\system32\cmd.exe /U /C DIR "\Users\operator\*.7z" /S /B /A
- persist
- --------------
- n/a
- drop
- --------------
- C:\tmp\Temporary Internet Files\Content.IE5\A9BOO410\2RgI60a[1].htm
- C:\tmp\Temporary Internet Files\Content.IE5\2M7UPI8M\index333[1].txt
- C:\Users\Public\69577.exe
- # # #
- VT details
- Dropped files
- **************
- https://www.virustotal.com/gui/file/2ec710d38a0919f9f472b220cfe8d554a30d24bfa4bdd90b96105cee842cf40d/details
- https://www.virustotal.com/gui/file/2945393c74dd6d8de782e060362cdd468004ae2633bb4958c6063cd2fd5f5561/details
- https://analyze.intezer.com/analyses/04736007-c080-4618-816f-8102107cec24
- https://www.virustotal.com/gui/file/b24eac4c704502ee8952ad32384daec5894fd81d7bb668224730d4fb06293942/details
- https://analyze.intezer.com/analyses/6385cdea-a244-42eb-bd2d-092d20a5b314
- URL
- **************
- https://www.virustotal.com/gui/domain/gosloto.site/details
- https://urlscan.io/result/a13bd0cc-8f18-4711-91e5-4895e1aae174/
- https://www.virustotal.com/gui/domain/name1d.site/details
- https://urlscan.io/result/2904d14d-4394-44e0-8a2c-03bb4f4db1a2/
- https://www.virustotal.com/gui/url/2a68bce4fe20b2232df45e69bec8386edb425f8e4d7db8ffe26603a3a0f18873/details
- https://www.virustotal.com/gui/url/995bdac754ca4bbee7f630f8cb9673dd0d3b48534f253b8e6532762f6439c734/details
- VR