VRad

#troldesh_200219

Feb 20th, 2019
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/4XDjjWZh

previous contact:
28/12/18 https://pastebin.com/E3isAsmV
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email URL > GET .ZIP > JS > WSH > GET .jpg > %temp%\*.tmp

email_headers
--------------
Received: from [::1] (port=56724 helo=mjail2.freenet.de)
 by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
Received: from [195.4.92.165] (helo=mjail2.freenet.de)
 by mout0.freenet.de with esmtpa (ID [email protected]) (port 25) (Exim 4.90_1 #2)
Received: from [81.18.133.6] (port=50083 helo=COMPUTER)
 by sub5.freenet.de with esmtpsa (ID [email protected]) (port 465) (Exim 4.90_1 #2)
Received: from sub5.freenet.de ([195.4.92.124]:36652)
 by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
Reply-To: Мельников <[email protected]>
From: Мельников <[email protected]>
Subject: относительно заказа (Russian: "regarding the order")
Date: Wed, 20 Feb 2019 10:49:56 +0200

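Walking a Received chain by hand is error-prone, so here is an added example (not part of the original paste) that unfolds the headers above, parses each hop, and returns the earliest hop that is not one of the provider's own relays. The sample is a constructed copy of the chain above with continuation lines re-indented as they sit in a raw message; the redacted addresses stay redacted. The only assumptions are the provider domain (freenet.de, taken from the "by" fields) and Exim's "with" tokens (esmtpa = SMTP AUTH, esmtpsa = SMTP AUTH over TLS).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# MTA domain that appears in every "by" field of the chain above.
PROVIDER_DOMAIN = "freenet.de"

# Constructed sample: the Received chain listed above, re-folded (continuations
# indented). Addresses are redacted in the source paste and stay redacted here.
SAMPLE_HEADERS = """\
Received: from [::1] (port=56724 helo=mjail2.freenet.de)
 by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
Received: from [195.4.92.165] (helo=mjail2.freenet.de)
 by mout0.freenet.de with esmtpa (ID [email protected]) (port 25) (Exim 4.90_1 #2)
Received: from [81.18.133.6] (port=50083 helo=COMPUTER)
 by sub5.freenet.de with esmtpsa (ID [email protected]) (port 465) (Exim 4.90_1 #2)
Received: from sub5.freenet.de ([195.4.92.124]:36652)
 by mjail2.freenet.de with esmtpa (ID [email protected]) (Exim 4.90_1 #2)
From: Melnikov <[email protected]>
Subject: regarding the order
Date: Wed, 20 Feb 2019 10:49:56 +0200
"""


@dataclass
class Hop:
    from_ip: Optional[str]        # address in [] on the "from" side
    helo: Optional[str]           # HELO/EHLO name the client presented
    by_host: str                  # MTA that wrote this Received line
    proto: str                    # Exim "with" token
    listener_port: Optional[int]  # "(port N)" annotation freenet adds

    @property
    def authenticated(self) -> bool:
        # Exim: esmtp, esmtps (TLS), esmtpa (SMTP AUTH), esmtpsa (TLS + SMTP AUTH)
        return self.proto.lower() in ("esmtpa", "esmtpsa")

    @property
    def internal(self) -> bool:
        # Loopback or a HELO inside the provider's namespace: relay hop, not the client.
        if self.from_ip in ("::1", "127.0.0.1"):
            return True
        return bool(self.helo) and self.helo.lower().endswith("." + PROVIDER_DOMAIN)


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(raw: str) -> List[Hop]:
    """Return the Received hops in header order (top of header = most recent)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        pre, sep, post = line.partition(" by ")
        if not sep:
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", pre)
        from_token = m_from.group(1) if m_from else ""
        m_ip = re.search(r"\[([0-9a-fA-F.:]+)\]", pre)
        m_helo = re.search(r"helo=([^\s)]+)", pre)
        if m_helo:
            helo: Optional[str] = m_helo.group(1)
        else:  # no helo= annotation: fall back to the bare name after "from"
            helo = from_token if from_token and not from_token.startswith("[") else None
        m_by = re.match(r"(\S+)", post)
        m_with = re.search(r"\bwith\s+(\S+)", post)
        m_port = re.search(r"\(port (\d+)\)", post)
        hops.append(Hop(
            from_ip=m_ip.group(1) if m_ip else None,
            helo=helo,
            by_host=m_by.group(1) if m_by else "",
            proto=m_with.group(1) if m_with else "",
            listener_port=int(m_port.group(1)) if m_port else None,
        ))
    return hops


def origin_hop(hops: List[Hop]) -> Optional[Hop]:
    """Earliest hop that is not the provider's own relay, walking bottom-up."""
    for hop in reversed(hops):
        if not hop.internal:
            return hop
    return None


if __name__ == "__main__":
    o = origin_hop(parse_received(SAMPLE_HEADERS))
    if o:
        print(f"submitted from {o.from_ip} (HELO {o.helo}) to {o.by_host} via {o.proto} "
              f"on port {o.listener_port}; SMTP AUTH: {o.authenticated}")
```

On this chain the result is the sub5.freenet.de hop: 81.18.133.6 with HELO "COMPUTER", esmtpsa on port 465. That is authenticated submission, so 81.18.133.6 is the client that sent the mail through a freenet.de account, not a spoofing relay, and the one address in the chain worth pivoting on; the other three hops are freenet.de internal.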
files
--------------
SHA-256 b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f
File name pik.zip [Zip archive data, at least v2.0 to extract]
File size 3.59 KB

SHA-256 9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0
File name ПАО «Группа Компаний ПИК» подробности заказа.js [ASCII text]
          (Russian: "PJSC PIK Group order details.js")
File size 7.13 KB

SHA-256 6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6
File name msg.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.36 MB

activity
**************
PL_SRC:

http://koharu2007.com/images/pik.zip
http://haglfurniture.vn/templates/dogo/html/com_contact/contact/msg.jpg

netwrk
--------------
http.request.method == GET

103.3.245.248 haglfurniture.vn GET /templates/dogo/html/com_contact/contact/msg.jpg Mozilla/4.0
104.16.154.36 whatismyipaddress.com GET / Mozilla/5.0
104.18.34.131 whatsmyip.net GET / Mozilla/5.0

ssl
81.17.30.33 www.vztjioj3xsucc.com Client Hello
82.192.94.125 www.qgyr.com Client Hello
131.188.40.189 www.52e5xr5y7n72exom.com Client Hello

comp
--------------
wscript.exe 1696 TCP localhost 49214 103.3.245.248 80 ESTABLISHED

radFC88F.tmp 2316 TCP localhost 49215 localhost 49216 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49217 131.188.40.189 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49218 128.31.0.39 9101 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49219 82.192.94.125 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49220 81.17.30.33 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49221 173.249.25.217 9001 ESTABLISHED

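The netwrk/comp indicators above are the footprint of a bundled Tor client: random-looking www.*.com SNIs on 443, destinations on 9001 and 9101, and a process connecting to itself on loopback. The Python below is an added example (not part of the paste and not any tool's code) that scores each process from the connection table and the TLS lines and flags the one that looks like Tor. The inputs are constructed copies of the lines above; the SNI pattern, the relay ports and the single directory-authority address are heuristics, stated as such in the comments.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed copies of the connection table and TLS lines from the report above
# ("loclahost" in the paste is the tool's typo for localhost).
CONNECTIONS = """\
wscript.exe 1696 TCP localhost 49214 103.3.245.248 80 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49215 localhost 49216 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49217 131.188.40.189 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49218 128.31.0.39 9101 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49219 82.192.94.125 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49220 81.17.30.33 443 ESTABLISHED
radFC88F.tmp 2316 TCP localhost 49221 173.249.25.217 9001 ESTABLISHED
"""
CLIENT_HELLOS = """\
81.17.30.33 www.vztjioj3xsucc.com Client Hello
82.192.94.125 www.qgyr.com Client Hello
131.188.40.189 www.52e5xr5y7n72exom.com Client Hello
"""

# Heuristic: a Tor client sends a throwaway SNI of the form www.<random base32>.com.
# Real domains made only of [a-z2-7] also match, so this scores low on its own.
TOR_SNI = re.compile(r"^www\.[a-z2-7]{4,25}\.com$")
# Default ORPort (9001), default DirPort (9030) and a commonly configured ORPort (9101).
TOR_RELAY_PORTS = {9001, 9030, 9101}
# Directory authority seen in this sample (moria1). Authority addresses change over
# time; refresh this set from the current Tor source before relying on it.
DIR_AUTHORITIES = {"128.31.0.39"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Conn:
    proc: str
    pid: int
    laddr: str
    lport: int
    raddr: str
    rport: int


def parse_connections(text: str) -> List[Conn]:
    """Parse 'proc pid proto laddr lport raddr rport state' rows."""
    conns: List[Conn] = []
    for line in text.strip().splitlines():
        proc, pid, _proto, laddr, lport, raddr, rport, _state = line.split()
        conns.append(Conn(proc, int(pid), laddr, int(lport), raddr, int(rport)))
    return conns


def parse_hellos(text: str) -> Dict[str, str]:
    """Map destination IP -> SNI from 'ip sni Client Hello' rows."""
    return {line.split()[0]: line.split()[1] for line in text.strip().splitlines()}


def is_tor_like_sni(sni: str) -> bool:
    return TOR_SNI.match(sni) is not None


def _hit(entry: dict, points: int, why: str) -> None:
    entry["score"] += points
    entry["reasons"].append(why)


def score_processes(conn_text: str, hello_text: str) -> Dict[Tuple[str, int], dict]:
    """Accumulate Tor indicators per (process, pid); weights are the analyst's choice."""
    sni_by_ip = parse_hellos(hello_text)
    result: Dict[Tuple[str, int], dict] = defaultdict(lambda: {"score": 0, "reasons": []})
    for c in parse_connections(conn_text):
        entry = result[(c.proc, c.pid)]
        if c.raddr in LOOPBACK:
            _hit(entry, 1, f"loopback self-connection {c.lport}->{c.rport} (embedded SOCKS listener pattern)")
        if c.rport in TOR_RELAY_PORTS:
            _hit(entry, 2, f"{c.raddr}:{c.rport} is a common Tor relay port")
        if c.raddr in DIR_AUTHORITIES:
            _hit(entry, 3, f"{c.raddr} is a Tor directory authority")
        sni = sni_by_ip.get(c.raddr)
        if sni and is_tor_like_sni(sni):
            _hit(entry, 1, f"{c.raddr} TLS SNI {sni} matches the Tor throwaway-SNI pattern")
    return dict(result)


def flagged(scores: Dict[Tuple[str, int], dict], threshold: int = 4) -> List[Tuple[str, int]]:
    return sorted(k for k, v in scores.items() if v["score"] >= threshold)


if __name__ == "__main__":
    scores = score_processes(CONNECTIONS, CLIENT_HELLOS)
    for key in flagged(scores):
        print(key, scores[key]["score"], *scores[key]["reasons"], sep="\n  ")
```

The SNI regex alone is weak: any host whose label is lowercase letters and the digits 2-7 (www.google.com, for one) also matches, which is why it scores 1 and needs the relay-port or authority corroboration before a process crosses the threshold. When the file system is available, the Tor data-directory files in the drop section (cached-certs, cached-microdesc-consensus, state under %temp%) are the host-side confirmation.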
proc
--------------
C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js
C:\Windows\System32\cmd.exe" /c C:\tmp\radFC88F.tmp
C:\tmp\radFC88F.tmp
C:\Windows\system32\vssadmin.exe List Shadows
C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

C:\Windows\system32\taskhost.exe $(Arg0)
C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\mobsync.exe -Embedding

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 20.02.2019 11:41
Client Server Runtime Subsystem
c:\programdata\windows\csrss.exe 20.02.2019 9:19

drop
--------------
%temp%\radFC88F.tmp
%temp%\6893A5D897\cached-certs
%temp%\6893A5D897\cached-microdesc-consensus
%temp%\6893A5D897\cached-microdescs.new
%temp%\6893A5D897\lock
%temp%\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

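The proc, persist and drop sections read as four host-side detections: a WSH host executing a .js from the user's Desktop, cmd.exe running a .tmp file, vssadmin deleting shadow copies, and a Run value named after a core Windows process that points at csrss.exe under ProgramData. The Python below is an added example (not the author's or any product's code) that encodes those checks and runs them over constructed records built from the lines above, with benign controls added. The Image/CommandLine field names follow Sysmon Event ID 1 as an assumption; the list of system binary names is the author of this example's choice.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the proc and persist indicators above; the record shape mimics
# Sysmon Event ID 1 (process create). svchost.exe and OneDrive are benign controls.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radFC88F.tmp'},
    {"Image": r"C:\tmp\radFC88F.tmp", "CommandLine": r"C:\tmp\radFC88F.tmp"},
    {"Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": r"C:\Windows\system32\vssadmin.exe List Shadows"},
    {"Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch"},
]
# (value name, data) pairs under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RUN_KEY_VALUES: List[Tuple[str, str]] = [
    ("Client Server Runtime Subsystem", r"c:\programdata\windows\csrss.exe"),
    ("OneDrive", r'"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Desktop|Downloads|AppData)|Temp|tmp|ProgramData|Users\\Public)\\", re.I)
WSH_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Core Windows binaries that only legitimately run from System32/SysWOW64.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "taskhost.exe", "dllhost.exe", "spoolsv.exe"}

Alert = Tuple[str, str]  # (rule name, evidence)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict[str, str]) -> List[Alert]:
    img, cl = basename(ev["Image"]), ev["CommandLine"]
    hits: List[Alert] = []
    # 1. script host running a WSH script out of a user-writable location
    if img in ("wscript.exe", "cscript.exe") and WSH_EXT.search(cl) and USER_WRITABLE.search(cl):
        hits.append(("wsh_script_from_user_dir", cl))
    # 2. cmd.exe /c launching a payload disguised with a .tmp extension
    if img == "cmd.exe":
        m = re.search(r'/c\s+"?([^"\s]+\.tmp)\b', cl, re.I)
        if m:
            hits.append(("cmd_runs_tmp_file", m.group(1)))
    # 3. shadow copy deletion (List Shadows alone is not alerted on)
    if img == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cl, re.I):
        hits.append(("vss_shadow_delete", cl))
    # 4. system binary name running from outside System32/SysWOW64
    if img in SYSTEM_NAMES and not SYSTEM_DIRS.match(ev["Image"].strip('"')):
        hits.append(("system_name_outside_system32", ev["Image"]))
    return hits


def check_run_value(name: str, data: str) -> List[Alert]:
    """Run-key data whose executable borrows a system process name but lives elsewhere."""
    hits: List[Alert] = []
    m = re.search(r'([a-z]:\\[^"]+?\.exe)', data, re.I)
    if m:
        exe = m.group(1)
        if basename(exe) in SYSTEM_NAMES and not SYSTEM_DIRS.match(exe):
            hits.append(("run_key_system_name_masquerade", f"{name} -> {exe}"))
    return hits


def triage(events: List[Dict[str, str]], run_values: List[Tuple[str, str]]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        alerts.extend(check_process(ev))
    for name, data in run_values:
        alerts.extend(check_run_value(name, data))
    return alerts


if __name__ == "__main__":
    for rule, evidence in triage(PROCESS_EVENTS, RUN_KEY_VALUES):
        print(f"{rule}: {evidence}")
```

The "List Shadows" command deliberately does not fire; only "Delete Shadows" does, which keeps backup and admin scripting out of the alert. The same name-versus-path rule covers C:\ProgramData\Windows\csrss.exe from the drop section when it shows up as a process event, since csrss.exe only ever runs from System32.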

# # #
https://www.virustotal.com/#/file/b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f/details
https://www.virustotal.com/#/file/9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0/details
https://www.virustotal.com/#/file/6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6/details
https://analyze.intezer.com/#/analyses/a072f977-227b-40ea-ac12-d70d76e9e0aa

VR