SHARE
TWEET

#smokeloader_301018

VRad Oct 30th, 2018 (edited) 226 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #smokeloader #WSH #LZH
  2.  
  3. https://pastebin.com/1scwT0f8
  4. previous contact:
  5. 11/10/18 - https://pastebin.com/MP3kCSSh
  6. FAQ:
  7. https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
  8.  
  9. Help with ID by @James_inthe_box
  10.  
  11. attack_vector
  12. --------------
  13. email attach (lzh) > js > WSH > GET > \Templates\*.exe
  14.  
  15. email_headers
  16. --------------
  17. #1
  18. Return-Path: <coledj@cv.ukrtel.net>
  19. Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
  20.       for <user7@org1.victim.com>; Tue, 30 Oct 2018 10:08:33 +0200
  21. Received: from mail4.ukrpost.ua (mail4.ukrpost.ua [82.207.79.4])
  22.     by mx.fm.ukrtelecom.ua with ESMTP id w9U6nx6R011667-w9U6nx6T011667; Tue, 30 Oct 2018 08:49:59 +0200
  23. Received: from 246-37-201-46.pool.ukrtel.net ([46.201.37.246] helo=ADMIN)
  24.     by mail4.ukrpost.ua with esmtpa (Exim 4.89)
  25.     (envelope-from <coledj@cv.ukrtel.net>)
  26.     id 1gHNqg-0006Kk-O8
  27.     for user7@org1.victim.com; Tue, 30 Oct 2018 08:49:59 +0200
  28. From: "=?utf-8?B?0JLRj9GH0LXRgdC70LDQsiDQktC70LDQtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtC60LjQuQ==?="
  29.  <coledj@cv.ukrtel.net>
  30. Subject: =?utf-8?B?0LfQs9GW0LTQvdC+INC3INCw0LrRgtC+0Lwg0LfQstGW0YDQutC4?=
  31. To: "user7" <user7@org1.victim.com>
  32. Date: Tue, 30 Oct 2018 08:50:12 +0200
  33.  
  34. #2
  35. Return-Path: <energo.vol@newline.net.ua>
  36. Received: from mail.domtele.com (mail.domtele.com [85.159.1.130])
  37.       for <user7@victim.com>; Tue, 30 Oct 2018 10:41:46 +0200
  38. From: "=?utf-8?B?0JDQutGB0LDQvdC40Y8=?=" <energo.vol@newline.net.ua>
  39. To: "user7" <user7@victim.com>
  40. Content-Type: multipart/mixed; boundary="j243Ly9VAMNtGSSlaR=_g6KKw4mvlGhO1l"
  41. MIME-Version: 1.0
  42. Reply-To: "=?utf-8?B?0JDQutGB0LDQvdC40Y8=?=" <maysin@ukr.net>
  43. Date: Fri, 2 Nov 2018 11:41:55 +0200
  44. X-Confirm-Reading-To: maysin@ukr.net
  45. Subject: =?utf-8?B?0YDQsNGFINC6INC+0L/Qu9Cw0YLQtQ==?=
  46.  
  47. #3
  48. Return-Path: <college@skad.hs.ukrtel.net>
  49. Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
  50.       for <user7@victim.com>; Tue, 30 Oct 2018 10:44:24 +0200
  51. Received: from mail2.ukrpost.ua (mail2.ukrpost.ua [82.207.79.2])
  52.     by mx.fm.ukrtelecom.ua with ESMTP id w9U76psA000300-w9U76psC000300; Tue, 30 Oct 2018 09:06:51 +0200
  53. Received: from 128-129-93-178.pool.ukrtel.net ([178.93.129.128])
  54.     by mail2.ukrpost.ua with esmtpa (Exim 4.89)
  55.     (envelope-from <college@skad.hs.ukrtel.net>)
  56.     id 1gHO70-0001dw-CN
  57.     for user7@victim.com; Tue, 30 Oct 2018 09:06:51 +0200
  58. From: "=?utf-8?B?0JIn0Y/Rh9C10YHQu9Cw0LIg0JLQvtC70L7QtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtGM0LrQuNC5?="
  59.  <college@skad.hs.ukrtel.net>
  60. Subject: =?utf-8?B?0YHQvtCz0LvQsNGB0L3QviDQsNC60YLRgyDRgdCy0LXRgNC60Lg=?=
  61. To: "user7" <user7@victim.com>
  62. Reply-To: "=?utf-8?B?0JIn0Y/Rh9C10YHQu9Cw0LIg0JLQvtC70L7QtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtGM0LrQuNC5?="
  63.  <maysin@ukr.net>
  64. Date: Tue, 30 Oct 2018 09:06:07 +0200
  65. X-Confirm-Reading-To: maysin@ukr.net
  66. Return-Receipt-To: maysin@ukr.net
  67.  
  68. files
  69. --------------
  70. SHA-256 41b14fa3f0cf713093eb0cae2ee20bb5e8996d9ba20a93d70449459efcaef7f6
  71. File name   Рахунок та договор кормпания Аскания Киев.rar.lzh
  72. File size   93.09 KB
  73.  
  74. SHA-256 cd0f613d699bee347b82cf8550b18890613835ddd11618070ae99fa8cc42bbc7
  75. File name   1.doc
  76. File size   70.5 KB
  77.  
  78. SHA-256 ea7b2fa88352b310360af1133a35492865fa12207845d8c78ad143c924278d86
  79. File name   0-148.xls.js
  80. File size   22.49 KB
  81.  
  82. SHA-256 7e5cfd53cff61b058f7cf9f7ddef04fb28b7bfb8e4de46f9fcc28e5221b2ca04
  83. File name   smcim.exe
  84. File size   547.5 KB
  85.  
  86. activity
  87. **************
  88. payload     h11p:\ cavanasipontum{.} ru/bulba/smcim.exe
  89.  
  90. netwrk
  91. --------------
  92. 62.213.100.196  cavanasipontum{.} ru    GET /bulba/smcim.exe HTTP/1.1   Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64
  93. DNS     Standard query response 0x650d No such name PTR 196.100.213.62.in-addr.arpa SOA ns.caravan.ru
  94. Custom DNS: 192.71.245.208
  95. C2 c2 : aviatorssm[.]bit
  96.  
  97. comp
  98. --------------
  99. wscript.exe 3184    62.213.100.196  80  ESTABLISHED
  100.  
  101. proc
  102. --------------
  103. "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\0-148.xls.js"
  104. "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe"
  105.  
  106. persist
  107. --------------
  108. n/a
  109.  
  110. drop
  111. --------------
  112. C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe
  113.  
  114. # # #
  115. https://www.virustotal.com/#/file/41b14fa3f0cf713093eb0cae2ee20bb5e8996d9ba20a93d70449459efcaef7f6/details
  116. https://www.virustotal.com/#/file/cd0f613d699bee347b82cf8550b18890613835ddd11618070ae99fa8cc42bbc7/details
  117. https://www.virustotal.com/#/file/ea7b2fa88352b310360af1133a35492865fa12207845d8c78ad143c924278d86/details
  118. https://www.virustotal.com/#/file/7e5cfd53cff61b058f7cf9f7ddef04fb28b7bfb8e4de46f9fcc28e5221b2ca04/details
  119. https://analyze.intezer.com/#/analyses/ef27e3a0-caed-454d-b258-c5e30361ead9
  120. https://urlhaus.abuse.ch/url/72242/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top