- #IOC #OptiData #VR #smokeloader #WSH #LZH
- https://pastebin.com/1scwT0f8
- previous contact:
- 11/10/18 - https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- Help with ID by @James_inthe_box
- attack_vector
- --------------
- email attach (lzh) > js > WSH > GET > \Templates\*.exe
- email_headers
- --------------
- #1
- Return-Path: <coledj@cv.ukrtel.net>
- Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
- for <user7@org1.victim.com>; Tue, 30 Oct 2018 10:08:33 +0200
- Received: from mail4.ukrpost.ua (mail4.ukrpost.ua [82.207.79.4])
- by mx.fm.ukrtelecom.ua with ESMTP id w9U6nx6R011667-w9U6nx6T011667; Tue, 30 Oct 2018 08:49:59 +0200
- Received: from 246-37-201-46.pool.ukrtel.net ([46.201.37.246] helo=ADMIN)
- by mail4.ukrpost.ua with esmtpa (Exim 4.89)
- (envelope-from <coledj@cv.ukrtel.net>)
- id 1gHNqg-0006Kk-O8
- for user7@org1.victim.com; Tue, 30 Oct 2018 08:49:59 +0200
- From: "=?utf-8?B?0JLRj9GH0LXRgdC70LDQsiDQktC70LDQtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtC60LjQuQ==?="
- <coledj@cv.ukrtel.net>
- Subject: =?utf-8?B?0LfQs9GW0LTQvdC+INC3INCw0LrRgtC+0Lwg0LfQstGW0YDQutC4?=
- To: "user7" <user7@org1.victim.com>
- Date: Tue, 30 Oct 2018 08:50:12 +0200
- #2
- Return-Path: <energo.vol@newline.net.ua>
- Received: from mail.domtele.com (mail.domtele.com [85.159.1.130])
- for <user7@victim.com>; Tue, 30 Oct 2018 10:41:46 +0200
- From: "=?utf-8?B?0JDQutGB0LDQvdC40Y8=?=" <energo.vol@newline.net.ua>
- To: "user7" <user7@victim.com>
- Content-Type: multipart/mixed; boundary="j243Ly9VAMNtGSSlaR=_g6KKw4mvlGhO1l"
- MIME-Version: 1.0
- Reply-To: "=?utf-8?B?0JDQutGB0LDQvdC40Y8=?=" <maysin@ukr.net>
- Date: Fri, 2 Nov 2018 11:41:55 +0200
- X-Confirm-Reading-To: maysin@ukr.net
- Subject: =?utf-8?B?0YDQsNGFINC6INC+0L/Qu9Cw0YLQtQ==?=
- #3
- Return-Path: <college@skad.hs.ukrtel.net>
- Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
- for <user7@victim.com>; Tue, 30 Oct 2018 10:44:24 +0200
- Received: from mail2.ukrpost.ua (mail2.ukrpost.ua [82.207.79.2])
- by mx.fm.ukrtelecom.ua with ESMTP id w9U76psA000300-w9U76psC000300; Tue, 30 Oct 2018 09:06:51 +0200
- Received: from 128-129-93-178.pool.ukrtel.net ([178.93.129.128])
- by mail2.ukrpost.ua with esmtpa (Exim 4.89)
- (envelope-from <college@skad.hs.ukrtel.net>)
- id 1gHO70-0001dw-CN
- for user7@victim.com; Tue, 30 Oct 2018 09:06:51 +0200
- From: "=?utf-8?B?0JIn0Y/Rh9C10YHQu9Cw0LIg0JLQvtC70L7QtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtGM0LrQuNC5?="
- <college@skad.hs.ukrtel.net>
- Subject: =?utf-8?B?0YHQvtCz0LvQsNGB0L3QviDQsNC60YLRgyDRgdCy0LXRgNC60Lg=?=
- To: "user7" <user7@victim.com>
- Reply-To: "=?utf-8?B?0JIn0Y/Rh9C10YHQu9Cw0LIg0JLQvtC70L7QtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtGM0LrQuNC5?="
- <maysin@ukr.net>
- Date: Tue, 30 Oct 2018 09:06:07 +0200
- X-Confirm-Reading-To: maysin@ukr.net
- Return-Receipt-To: maysin@ukr.net
- files
- --------------
- SHA-256 41b14fa3f0cf713093eb0cae2ee20bb5e8996d9ba20a93d70449459efcaef7f6
- File name Рахунок та договор кормпания Аскания Киев.rar.lzh
- File size 93.09 KB
- SHA-256 cd0f613d699bee347b82cf8550b18890613835ddd11618070ae99fa8cc42bbc7
- File name 1.doc
- File size 70.5 KB
- SHA-256 ea7b2fa88352b310360af1133a35492865fa12207845d8c78ad143c924278d86
- File name 0-148.xls.js
- File size 22.49 KB
- SHA-256 7e5cfd53cff61b058f7cf9f7ddef04fb28b7bfb8e4de46f9fcc28e5221b2ca04
- File name smcim.exe
- File size 547.5 KB
- activity
- --------------
- payload h11p:\ cavanasipontum{.} ru/bulba/smcim.exe
- netwrk
- --------------
- 62.213.100.196 cavanasipontum{.} ru GET /bulba/smcim.exe HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64
- DNS Standard query response 0x650d No such name PTR 196.100.213.62.in-addr.arpa SOA ns.caravan.ru
- Custom DNS: 192.71.245.208
- C2: aviatorssm[.]bit
- comp
- --------------
- wscript.exe 3184 62.213.100.196 80 ESTABLISHED
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\0-148.xls.js"
- "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe"
- persist
- --------------
- n/a
- drop
- --------------
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe
- # # #
- https://www.virustotal.com/#/file/41b14fa3f0cf713093eb0cae2ee20bb5e8996d9ba20a93d70449459efcaef7f6/details
- https://www.virustotal.com/#/file/cd0f613d699bee347b82cf8550b18890613835ddd11618070ae99fa8cc42bbc7/details
- https://www.virustotal.com/#/file/ea7b2fa88352b310360af1133a35492865fa12207845d8c78ad143c924278d86/details
- https://www.virustotal.com/#/file/7e5cfd53cff61b058f7cf9f7ddef04fb28b7bfb8e4de46f9fcc28e5221b2ca04/details
- https://analyze.intezer.com/#/analyses/ef27e3a0-caed-454d-b258-c5e30361ead9
- https://urlhaus.abuse.ch/url/72242/