#troldesh_200219

VRad, Feb 20th, 2019
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/4XDjjWZh

previous contact:
28/12/18    https://pastebin.com/E3isAsmV
26/12/18    https://pastebin.com/kx8Y0XzR
25/12/18    https://pastebin.com/xNRiz3QW
24/12/18    https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email URL > GET .ZIP > JS > WSH > GET .jpg (PE32, not an image) > %temp%\*.tmp

email_headers
--------------
Received: from [::1] (port=56724 helo=mjail2.freenet.de)
    by mjail2.freenet.de with esmtpa (ID voneyss@freenet.de) (Exim 4.90_1 #2)
Received: from [195.4.92.165] (helo=mjail2.freenet.de)
    by mout0.freenet.de with esmtpa (ID voneyss@freenet.de) (port 25) (Exim 4.90_1 #2)
Received: from [81.18.133.6] (port=50083 helo=COMPUTER)
    by sub5.freenet.de with esmtpsa (ID voneyss@freenet.de) (port 465) (Exim 4.90_1 #2)
Received: from sub5.freenet.de ([195.4.92.124]:36652)
    by mjail2.freenet.de with esmtpa (ID voneyss@freenet.de) (Exim 4.90_1 #2)
Reply-To: Мельников <voneyss@freenet.de>
From: Мельников <voneyss@freenet.de>
To: <user0@victim1.com>
Subject: относительно заказа      (Russian: "regarding the order")
Date: Wed, 20 Feb 2019 10:49:56 +0200

note: "esmtpsa" in Exim means ESMTP over TLS with a successful AUTH. The mail
was submitted on port 465 from 81.18.133.6 (helo=COMPUTER) with valid
credentials for voneyss@freenet.de, so the From: address is not forged: the
account was compromised or actor-registered. SPF/DKIM on freenet.de will not
flag it; filter on the sender account, the submitting IP and the payload.

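Added example (not part of the original IOC notes): a small Python script that unfolds the Received: chain above and picks out the hop where the message entered freenet.de, i.e. the client that actually submitted it. The headers are the four listed above; the hop-selection rule (skip loopback and any hop whose HELO belongs to the receiving provider's own domain) is this example's own heuristic, not something the notes describe.

```python
"""Walk the Received: chain of the Troldesh lure and report the hop where the
message entered the provider.  Headers are copied from the IOC notes above;
the hop-selection rule is this example's own heuristic."""
import re

# The four Received: headers as listed above (continuation lines still folded).
RAW_HEADERS = """\
Received: from [::1] (port=56724 helo=mjail2.freenet.de)
    by mjail2.freenet.de with esmtpa (ID voneyss@freenet.de) (Exim 4.90_1 #2)
Received: from [195.4.92.165] (helo=mjail2.freenet.de)
    by mout0.freenet.de with esmtpa (ID voneyss@freenet.de) (port 25) (Exim 4.90_1 #2)
Received: from [81.18.133.6] (port=50083 helo=COMPUTER)
    by sub5.freenet.de with esmtpsa (ID voneyss@freenet.de) (port 465) (Exim 4.90_1 #2)
Received: from sub5.freenet.de ([195.4.92.124]:36652)
    by mjail2.freenet.de with esmtpa (ID voneyss@freenet.de) (Exim 4.90_1 #2)
"""


def unfold(raw):
    """RFC 5322 unfolding: a line that starts with whitespace continues the previous one."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [l for l in lines if l]


def parse_received(header):
    """Extract the fields an analyst needs from one Exim-style Received: header."""
    def grab(pattern):
        m = re.search(pattern, header)
        return m.group(1) if m else None

    frm = grab(r"^Received: from (\S+)")
    # Exim writes 'from [ip] (helo=name)' for raw clients and 'from name ([ip]:port)'
    # for hosts whose reverse DNS it trusts; take whichever form is present.
    helo = grab(r"helo=(\S+?)\)") or (frm if frm and not frm.startswith("[") else None)
    return {
        "ip": grab(r"\[([0-9A-Fa-f.:]+)\]"),
        "helo": helo,
        "by": grab(r" by (\S+)"),
        "with": grab(r" with (\S+)"),            # esmtp / esmtpa (AUTH) / esmtpsa (TLS+AUTH)
        "auth_id": grab(r"\(ID ([^)]+)\)"),       # the account that authenticated
        "client_port": int(grab(r"port=(\d+)") or 0),
        "server_port": int(grab(r"\(port (\d+)\)") or 0),
    }


def originating_hop(hops):
    """First hop whose sender is neither loopback nor one of the receiving
    provider's own relays (HELO under the same second-level domain as 'by')."""
    for hop in hops:
        provider = ".".join(hop["by"].split(".")[-2:])
        if hop["ip"] in ("::1", "127.0.0.1"):
            continue
        if hop["helo"] and hop["helo"].lower().endswith(provider):
            continue
        return hop
    return None


def analyse(raw=RAW_HEADERS):
    hops = [parse_received(h) for h in unfold(raw) if h.startswith("Received:")]
    origin = originating_hop(hops)
    # esmtpa/esmtpsa mean SMTP AUTH succeeded: the sender held valid credentials
    # for the account, so the From: address is genuine rather than forged.
    authenticated = bool(origin) and origin["with"] in ("esmtpa", "esmtpsa")
    return {"hops": len(hops), "origin": origin, "authenticated_submission": authenticated}


if __name__ == "__main__":
    r = analyse()
    o = r["origin"]
    print(f"{r['hops']} hops; submitted from {o['ip']} (helo={o['helo']}) via {o['with']} "
          f"on port {o['server_port']} as {o['auth_id']}")
```

On these headers the script lands on the sub5.freenet.de hop: 81.18.133.6 authenticated as voneyss@freenet.de over esmtpsa on port 465. That is the indicator worth pivoting on (same account or IP submitting other lures); the freenet relay IPs are the provider's, not the actor's.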
files
--------------
SHA-256 b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f
File name   pik.zip         [Zip archive data, at least v2.0 to extract]
File size   3.59 KB

SHA-256 9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0
File name   ПАО «Группа Компаний ПИК» подробности заказа.js      [ASCII text]
            (Russian: "PJSC PIK Group of Companies, order details.js"; PIK is a large Russian property developer, used here as the lure)
File size   7.13 KB

SHA-256 6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6
File name   msg.jpg         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.36 MB

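Added example (not from the original notes): the payload stage above is a PE32 served as msg.jpg, which an extension-based filter waves through. The Python below checks declared extension against magic bytes, following e_lfanew to the PE signature so a bare MZ stub is not over-reported. The byte strings are constructed stand-ins with just enough header to exercise the check; they are not the real samples, and the name/type pairs simply mirror the files section.

```python
"""Extension-vs-content check for the payload stage.  The write-up lists
msg.jpg as a 'PE32 executable (GUI) Intel 80386': the ransomware body is
served under an image name.  Samples below are constructed stand-ins with
just enough header to exercise the check, not the real files."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C


def _fake_pe(machine=IMAGE_FILE_MACHINE_I386):
    """Constructed MZ stub whose e_lfanew (offset 60) points at the PE
    signature followed by a 20-byte IMAGE_FILE_HEADER."""
    dos = bytearray(b"MZ" + b"\x00" * 58)           # 60 bytes of DOS header
    dos += struct.pack("<I", 0x80)                  # e_lfanew
    dos += b"\x00" * (0x80 - len(dos))              # pad up to the PE header
    file_header = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + file_header


# Constructed sample set: the name/type pairs mirror the files section above.
SAMPLES = {
    "pik.zip": b"PK\x03\x04" + b"\x00" * 26,
    "order.js": b"var a = 'x';\r\n",
    "msg.jpg": _fake_pe(),                            # what the page observed
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # a genuine JPEG start
}


def sniff(data):
    """Identify the container from its magic bytes.  For MZ files the PE
    signature is followed via e_lfanew so a bare DOS stub is not misreported."""
    if data[:2] == b"MZ" and len(data) >= 64:
        e_lfanew = struct.unpack_from("<I", data, 60)[0]
        if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            return "pe32" if machine == IMAGE_FILE_MACHINE_I386 else "pe"
        return "mz-dos"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


# What each extension is allowed to contain; anything else is a masquerade.
EXPECTED = {".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".zip": {"zip"},
            ".js": {"text"}, ".exe": {"pe32", "pe"}}


def mismatches(samples):
    """Map file name -> sniffed type for every file whose content does not
    match its extension."""
    out = {}
    for name, data in samples.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        kind = sniff(data)
        if kind not in EXPECTED.get(ext, {kind}):
            out[name] = kind
    return out


if __name__ == "__main__":
    for name, kind in mismatches(SAMPLES).items():
        print(f"{name}: extension says image, content is {kind}")
```

Note the .js stage is not caught by this check at all: it really is ASCII text. That one has to be stopped by policy (block script-host extensions at the mail gateway, or change the default handler for .js away from WScript.exe), which is why both controls are needed.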
activity
**************
PL_SRC:

http://koharu2007.com/images/pik.zip
http://haglfurniture.vn/templates/dogo/html/com_contact/contact/msg.jpg

netwrk
--------------
http.request.method == GET

103.3.245.248   haglfurniture.vn        GET /templates/dogo/html/com_contact/contact/msg.jpg    Mozilla/4.0
104.16.154.36   whatismyipaddress.com   GET /                                                   Mozilla/5.0
104.18.34.131   whatsmyip.net           GET /                                                   Mozilla/5.0

ssl
81.17.30.33     www.vztjioj3xsucc.com       Client Hello
82.192.94.125   www.qgyr.com                Client Hello
131.188.40.189  www.52e5xr5y7n72exom.com    Client Hello

comp
--------------
wscript.exe     1696    TCP localhost   49214   103.3.245.248   80      ESTABLISHED

radFC88F.tmp    2316    TCP localhost   49215   localhost       49216   ESTABLISHED
radFC88F.tmp    2316    TCP localhost   49217   131.188.40.189  443     ESTABLISHED
radFC88F.tmp    2316    TCP localhost   49218   128.31.0.39     9101    ESTABLISHED
radFC88F.tmp    2316    TCP localhost   49219   82.192.94.125   443     ESTABLISHED
radFC88F.tmp    2316    TCP localhost   49220   81.17.30.33     443     ESTABLISHED
radFC88F.tmp    2316    TCP localhost   49221   173.249.25.217  9001    ESTABLISHED

note: the radFC88F.tmp connections are Tor bootstrap, not a fixed C2 list.
9001 is Tor's default ORPort, 128.31.0.39:9101 is the ORPort of the moria1
directory authority, and the www.<random>.com names in the ssl section are the
throwaway SNI values the Tor client generates for its TLS handshakes (the
DataDirectory files under %temp% in the drop section match). The relay IPs
will rotate between runs; alert on the Tor behaviour and the payload URLs.

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radFC88F.tmp
C:\tmp\radFC88F.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

C:\Windows\system32\taskhost.exe $(Arg0)
C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\mobsync.exe -Embedding

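Added example (not from the original notes): detection logic for the process chain in the proc section, run over constructed Sysmon-style events. Image paths and command lines are the ones listed above; the pid/ppid values are made up so the parent chain can be walked. Three rules fire on this chain: a script host launching a script from a user-profile path, a .tmp file executing as a process, and shadow-copy deletion whose ancestry contains a script host or a .tmp image. The wmic shadowcopy delete alternative is included as the common equivalent, although this sample only used vssadmin.

```python
"""Process-chain detection for the execution stage recorded above:
WScript.exe running a .js from the user's Desktop, cmd.exe launching a
.tmp file as an executable, and vssadmin deleting shadow copies with a
script host in its ancestry.  Events are constructed Sysmon-style records:
image/cmdline come from the proc section, pid/ppid are made up to show the tree."""
import re

EVENTS = [
    {"pid": 1696, "ppid": 1200, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js"'},
    {"pid": 2200, "ppid": 1696, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radFC88F.tmp'},
    {"pid": 2316, "ppid": 2200, "image": r"C:\tmp\radFC88F.tmp",
     "cmdline": r"C:\tmp\radFC88F.tmp"},
    {"pid": 2400, "ppid": 2316, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe List Shadows"},
    {"pid": 2404, "ppid": 2316, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    # benign noise so the rules have something to ignore
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_PATH = re.compile(r"\\users\\[^\\]+\\", re.I)
# vssadmin is what this sample used; wmic shadowcopy delete is the common alternative.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\W+delete\s+shadows|wmic(\.exe)?\W+shadowcopy\s+delete", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Process records from pid up to the root we know about (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(e["cmdline"]) and USER_PATH.search(e["cmdline"]):
            findings.append(("script_host_user_script", e["pid"]))
        if img.endswith(".tmp"):
            findings.append(("tmp_file_executed", e["pid"]))
        if SHADOW_DELETE.search(e["cmdline"]):
            lineage = [basename(a["image"]) for a in ancestors(e["ppid"], by_pid)]
            tainted = any(a in SCRIPT_HOSTS or a.endswith(".tmp") for a in lineage)
            findings.append(("shadow_copy_deletion", e["pid"],
                             "suspicious_parent" if tainted else "unknown_parent"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The shadow-copy rule deliberately fires on any Delete Shadows, and only uses the ancestry to grade the alert: an admin running it from an interactive shell gets "unknown_parent", the chain above gets "suspicious_parent". Keep the base rule noisy rather than conditioning it on wscript.exe, since the loader changes between Troldesh waves but the vssadmin step does not.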
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              20.02.2019 11:41
Client Server Runtime Subsystem
c:\programdata\windows\csrss.exe    20.02.2019 9:19

note: value name and file name mimic the real Client Server Runtime Subsystem
(C:\Windows\System32\csrss.exe). The genuine csrss.exe is started by smss.exe,
never autostarts from a Run key and never lives under C:\ProgramData.

drop
--------------
%temp%\radFC88F.tmp
%temp%\6893A5D897\cached-certs
%temp%\6893A5D897\cached-microdesc-consensus
%temp%\6893A5D897\cached-microdescs.new
%temp%\6893A5D897\lock
%temp%\6893A5D897\state

C:\ProgramData\Windows\csrss.exe


# # #
https://www.virustotal.com/#/file/b8700824303648e75c2c2e15619bb248998a702088588ee9c485f61b1d97871f/details
https://www.virustotal.com/#/file/9041c928a89e19cbf0272a7ea5a77f6577aabec68ef7ff3c525b37eba38878a0/details
https://www.virustotal.com/#/file/6cd9d0c1d6247c6acb1dafe5800194d284257a27dfe1107e077c488d883abac6/details
https://analyze.intezer.com/#/analyses/a072f977-227b-40ea-ac12-d70d76e9e0aa

VR

@