VRad

#smokeloader_301018

Oct 30th, 2018
#IOC #OptiData #VR #smokeloader #WSH #LZH

https://pastebin.com/1scwT0f8
previous contact:
11 Oct 2018 - https://pastebin.com/MP3kCSSh
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

Help with ID by @James_inthe_box

attack_vector
--------------
email attach (.rar.lzh archive) > .xls.js script > WSH (wscript.exe) > HTTP GET of the payload > %APPDATA%\Microsoft\Windows\Templates\*.exe

email_headers
--------------
#1
Return-Path: <coledj@cv.ukrtel.net>
Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
    for <user7@org1.victim.com>; Tue, 30 Oct 2018 10:08:33 +0200
Received: from mail4.ukrpost.ua (mail4.ukrpost.ua [82.207.79.4])
    by mx.fm.ukrtelecom.ua with ESMTP id w9U6nx6R011667-w9U6nx6T011667; Tue, 30 Oct 2018 08:49:59 +0200
Received: from 246-37-201-46.pool.ukrtel.net ([46.201.37.246] helo=ADMIN)
    by mail4.ukrpost.ua with esmtpa (Exim 4.89)
    (envelope-from <coledj@cv.ukrtel.net>)
    id 1gHNqg-0006Kk-O8
    for user7@org1.victim.com; Tue, 30 Oct 2018 08:49:59 +0200
From: "=?utf-8?B?0JLRj9GH0LXRgdC70LDQsiDQktC70LDQtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtC60LjQuQ==?="
    <coledj@cv.ukrtel.net>
Subject: =?utf-8?B?0LfQs9GW0LTQvdC+INC3INCw0LrRgtC+0Lwg0LfQstGW0YDQutC4?=
To: "user7" <user7@org1.victim.com>
Date: Tue, 30 Oct 2018 08:50:12 +0200
decoded: From display name "Вячеслав Владимирович Левицкий" (a personal name); Subject "згідно з актом звірки" (Ukrainian: "according to the reconciliation statement"). First hop is an authenticated submission (Exim "esmtpa") from a ukrtel.net residential pool address, i.e. a real mailbox was used rather than a spoofed sender.

#2
Return-Path: <energo.vol@newline.net.ua>
Received: from mail.domtele.com (mail.domtele.com [85.159.1.130])
    for <user7@victim.com>; Tue, 30 Oct 2018 10:41:46 +0200
From: "=?utf-8?B?0JDQutGB0LDQvdC40Y8=?=" <energo.vol@newline.net.ua>
To: "user7" <user7@victim.com>
Content-Type: multipart/mixed; boundary="j243Ly9VAMNtGSSlaR=_g6KKw4mvlGhO1l"
MIME-Version: 1.0
Reply-To: "=?utf-8?B?0JDQutGB0LDQvdC40Y8=?=" <maysin@ukr.net>
Date: Fri, 2 Nov 2018 11:41:55 +0200
X-Confirm-Reading-To: maysin@ukr.net
Subject: =?utf-8?B?0YDQsNGFINC6INC+0L/Qu9Cw0YLQtQ==?=
decoded: From and Reply-To display name "Аскания" (Askania, the company named in the lure attachment); Subject "рах к оплате" ("invoice for payment"). Reply-To and X-Confirm-Reading-To point at maysin@ukr.net, not the From domain, and the Date header is three days later than the Received timestamp.

#3
Return-Path: <college@skad.hs.ukrtel.net>
Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
    for <user7@victim.com>; Tue, 30 Oct 2018 10:44:24 +0200
Received: from mail2.ukrpost.ua (mail2.ukrpost.ua [82.207.79.2])
    by mx.fm.ukrtelecom.ua with ESMTP id w9U76psA000300-w9U76psC000300; Tue, 30 Oct 2018 09:06:51 +0200
Received: from 128-129-93-178.pool.ukrtel.net ([178.93.129.128])
    by mail2.ukrpost.ua with esmtpa (Exim 4.89)
    (envelope-from <college@skad.hs.ukrtel.net>)
    id 1gHO70-0001dw-CN
    for user7@victim.com; Tue, 30 Oct 2018 09:06:51 +0200
From: "=?utf-8?B?0JIn0Y/Rh9C10YHQu9Cw0LIg0JLQvtC70L7QtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtGM0LrQuNC5?="
    <college@skad.hs.ukrtel.net>
Subject: =?utf-8?B?0YHQvtCz0LvQsNGB0L3QviDQsNC60YLRgyDRgdCy0LXRgNC60Lg=?=
To: "user7" <user7@victim.com>
Reply-To: "=?utf-8?B?0JIn0Y/Rh9C10YHQu9Cw0LIg0JLQvtC70L7QtNC40LzQuNGA0L7QstC40Ycg0JvQtdCy0LjRhtGM0LrQuNC5?="
    <maysin@ukr.net>
Date: Tue, 30 Oct 2018 09:06:07 +0200
X-Confirm-Reading-To: maysin@ukr.net
Return-Receipt-To: maysin@ukr.net
decoded: From and Reply-To display name "В'ячеслав Володимирович Левицький" (Ukrainian spelling of the name in #1); Subject "согласно акту сверки" (Russian: "according to the reconciliation statement"). Reply-To, X-Confirm-Reading-To and Return-Receipt-To all go to maysin@ukr.net as in #2; again an authenticated submission (esmtpa) from a ukrtel.net pool address.

files
--------------
SHA-256 41b14fa3f0cf713093eb0cae2ee20bb5e8996d9ba20a93d70449459efcaef7f6
File name Рахунок та договор кормпания Аскания Киев.rar.lzh
          (Ukrainian/Russian, typo in the original: "Invoice and contract, Askania company, Kyiv"; an LZH archive despite the .rar in the name)
File size 93.09 KB

SHA-256 cd0f613d699bee347b82cf8550b18890613835ddd11618070ae99fa8cc42bbc7
File name 1.doc
File size 70.5 KB

SHA-256 ea7b2fa88352b310360af1133a35492865fa12207845d8c78ad143c924278d86
File name 0-148.xls.js
File size 22.49 KB

SHA-256 7e5cfd53cff61b058f7cf9f7ddef04fb28b7bfb8e4de46f9fcc28e5221b2ca04
File name smcim.exe
File size 547.5 KB

activity
**************
payload h11p:\ cavanasipontum{.} ru/bulba/smcim.exe

netwrk
--------------
62.213.100.196 cavanasipontum{.} ru GET /bulba/smcim.exe HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64
DNS Standard query response 0x650d No such name PTR 196.100.213.62.in-addr.arpa SOA ns.caravan.ru
Custom DNS: 192.71.245.208
C2: aviatorssm[.]bit (.bit is a Namecoin zone that the public DNS root does not serve, which is why the sample resolves it through the custom DNS server above)

comp
--------------
wscript.exe 3184 62.213.100.196 80 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\0-148.xls.js"
"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe"

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe

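Added example, not part of the original paste: host-side detection logic for the chain described in attack_vector and evidenced in the comp, proc and drop sections, run over constructed process-creation and network-connection events (Sysmon-style fields). The wscript.exe command line, its PID 3184, the connection to 62.213.100.196:80 and the dropped path come from the paste; the PID of the dropped executable, its parent PID, the explorer-like parent 1200 and the benign logon-script event are assumptions made for the sample.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Lure pattern from the paste: a document extension directly before a script extension (0-148.xls.js).
DOUBLE_EXT = re.compile(r"\.(?:xls|xlsx|doc|docx|pdf|rtf)\.(?:js|jse|vbs|vbe|wsf|hta)$", re.I)
# Drop location from the paste: %APPDATA%\Microsoft\Windows\Templates\<name>.exe
TEMPLATES_EXE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\[^\\]+\.exe$", re.I)

# Constructed sample trace. PIDs 3320 and 1200, the ppid link and the last
# (benign) event are assumptions; the other values are copied from the paste.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 3184, "ppid": 1200,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\0-148.xls.js"'},
    {"event": "network_connect", "pid": 3184, "image": r"C:\Windows\System32\WScript.exe",
     "dest_ip": "62.213.100.196", "dest_port": 80},
    {"event": "process_create", "pid": 3320, "ppid": 3184,
     "image": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe",
     "cmdline": r'"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337329.exe"'},
    # Benign noise: a logon script with a single extension and no egress must not fire.
    {"event": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" \\fileserver\netlogon\map_drives.vbs'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_argument(cmdline):
    """Return the script path passed to a script host; handles quoted and bare arguments."""
    parts = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return parts[1] if len(parts) > 1 else None


def detect(events):
    """Stateless rules; returns (rule, pid, detail) tuples."""
    findings = []
    images = {}  # pid -> image, so a network event can be attributed if it lacks one
    for e in events:
        if e["event"] == "process_create":
            images[e["pid"]] = e["image"]
            if basename(e["image"]) in SCRIPT_HOSTS:
                script = script_argument(e["cmdline"])
                if script and DOUBLE_EXT.search(script):
                    findings.append(("script_host_double_extension", e["pid"], script))
            if TEMPLATES_EXE.search(e["image"]):
                findings.append(("exe_in_templates_dir", e["pid"], e["image"]))
        elif e["event"] == "network_connect":
            if basename(e.get("image") or images.get(e["pid"], "")) in SCRIPT_HOSTS:
                findings.append(("script_host_outbound", e["pid"], f'{e["dest_ip"]}:{e["dest_port"]}'))
    return findings


def chain_alerts(events):
    """Correlate one script-host PID that ran a double-extension script, made an
    outbound connection, and spawned an executable from the Templates directory."""
    by_pid = {}
    for rule, pid, detail in detect(events):
        by_pid.setdefault(pid, {})[rule] = detail
    children = {}
    for e in events:
        if e["event"] == "process_create":
            children.setdefault(e.get("ppid"), []).append(e["image"])
    alerts = []
    for pid, rules in by_pid.items():
        if {"script_host_double_extension", "script_host_outbound"} <= set(rules):
            dropped = [img for img in children.get(pid, []) if TEMPLATES_EXE.search(img)]
            if dropped:
                alerts.append({"pid": pid, "script": rules["script_host_double_extension"],
                               "fetch": rules["script_host_outbound"], "dropped": dropped})
    return alerts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("finding:", f)
    for a in chain_alerts(SAMPLE_EVENTS):
        print("alert:", a)
```

The three single-event rules are noisy on their own (admins do run wscript.exe, and Templates is a legitimate folder); the chain correlation in chain_alerts is what turns them into a high-confidence alert, which is why the benign logon-script event in the sample produces no finding.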
# # #
https://www.virustotal.com/#/file/41b14fa3f0cf713093eb0cae2ee20bb5e8996d9ba20a93d70449459efcaef7f6/details
https://www.virustotal.com/#/file/cd0f613d699bee347b82cf8550b18890613835ddd11618070ae99fa8cc42bbc7/details
https://www.virustotal.com/#/file/ea7b2fa88352b310360af1133a35492865fa12207845d8c78ad143c924278d86/details
https://www.virustotal.com/#/file/7e5cfd53cff61b058f7cf9f7ddef04fb28b7bfb8e4de46f9fcc28e5221b2ca04/details
https://analyze.intezer.com/#/analyses/ef27e3a0-caed-454d-b258-c5e30361ead9
https://urlhaus.abuse.ch/url/72242/