- #IOC #OptiData #VR #smokeloader #ZIP #HTML #JS
- https://pastebin.com/AayUSaXq
- previous_contact:
- https://pastebin.com/RDVXCe0J
- https://pastebin.com/QpG70u8T
- https://pastebin.com/BJzcXqkK
- https://pastebin.com/kBW7nkZ5
- https://pastebin.com/Z7zq0YkW
- https://pastebin.com/b8PkhMyN
- https://pastebin.com/hkskwKvc
- https://pastebin.com/JmthzrL4
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- https://research.checkpoint.com/2019-resurgence-of-smokeloader/
- attack_vector
- --------------
- email attach .zip1 > .html > .zip2 > JS > WSH > cmd > PowerShell > GET 1URL > exe
- # # # # # # # #
- email_headers
- # # # # # # # #
- Received: from ds103.mirohost.net (ds103.mirohost.net [89.184.69.128])
- Received: from 31-43-15-226.dks.com.ua ([31.43.15.226]:16605 helo=[127.0.0.1])
- Reply-To: otspotartm@ukr.net
- From: Глав Бух <chancellory@kyiv.e-u.in.ua>
- Subject: Рахунок до оплати
- Message-Id: <1AB47DD9-5AD1-2AA8-9373-20FE929FD5D9@kyiv.e-u.in.ua>
- Date: Mon, 29 May 2023 02:51:23 +0300
- X-Mailer: iPhone Mail (13E238)
- # # # # # # # #
- other_senders
- # # # # # # # #
- ivalyaeva[@]medsklad[.]dp.ua
- buh_hm[@]tlauto.com[.]ua
- inbox2[@]kirrda.kr-admin.gov[.]ua
- count[@]khustpharm.com[.]ua
- viktor[@]promarma.com[.]ua
- chancellory[@]kyiv.e-u.in[.]ua
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 5c85249d375a3a38e87a45857c069c6710caef1e521194eed1b4c1ff463e5b0b
- File name акт_звірки_рахунки.zip [Zip archive data]
- File size 19.73 KB (20205 bytes)
- SHA-256 c32974b865152c6ca3c5f0cc787319dfc2b32ea1bebc1f37f6c36d2ca75439c8
- File name акт_звірки_та_рахунки.html [HTML document, Unicode text]
- File size 19.51 KB (19983 bytes)
- SHA-256 b9e7780b1bf98b1f2e0fd25c793530891bbb678da743be6229d3466234c9e56c
- File name акт_звірки_та_рахунки.zip [Zip archive data]
- File size 5.98 KB (6128 bytes)
- SHA-256 51073b3884699eb4779004ab08d793635f3913c36139bce9ff0aead9f383849c
- File name акт_звірки_від_05_2023р.js (рахунок_№415_2023.js , рахунок_№416_2023.js) [JavaScript]
- File size 4.54 KB (4644 bytes)
- SHA-256 6667500156d0b0d81fb98d32794c8c50de82fc915d2a59780e9b6e1b9f78ada7
- File name renew.exe (TempuwN57.exe) [PE32 executable (GUI)]
- File size 326.50 KB (334336 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR http://premiumjeck.site/one/renew.exe [176.124.193.111]
- C2
- netwrk
- --------------
- 176.124.193.111 premiumjeck.site 80 HTTP GET /one/renew.exe HTTP/1.1 Google Chrome
- comp
- --------------
- proc
- --------------
- persist
- --------------
- n/a
- drop
- --------------
- C:\Users\%username%\AppData\Local\TempuwN57.exe
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/5c85249d375a3a38e87a45857c069c6710caef1e521194eed1b4c1ff463e5b0b/details
- https://www.virustotal.com/gui/file/c32974b865152c6ca3c5f0cc787319dfc2b32ea1bebc1f37f6c36d2ca75439c8/details
- https://www.virustotal.com/gui/file/b9e7780b1bf98b1f2e0fd25c793530891bbb678da743be6229d3466234c9e56c/details
- https://www.virustotal.com/gui/file/51073b3884699eb4779004ab08d793635f3913c36139bce9ff0aead9f383849c/details
- https://analyze.intezer.com/analyses/d229d44a-c9b0-4edc-acc7-eb53db8c0035/behavior
- https://www.virustotal.com/gui/file/6667500156d0b0d81fb98d32794c8c50de82fc915d2a59780e9b6e1b9f78ada7/details
- https://analyze.intezer.com/analyses/69caff4b-913e-4b7d-a80c-a763bcdf461f
- VR