#smokeloader_290523

#IOC #OptiData #VR #smokeloader #ZIP #HTML #JS

https://pastebin.com/AayUSaXq

previous_contact:
https://pastebin.com/RDVXCe0J
https://pastebin.com/QpG70u8T
https://pastebin.com/BJzcXqkK
https://pastebin.com/kBW7nkZ5
https://pastebin.com/Z7zq0YkW
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://research.checkpoint.com/2019-resurgence-of-smokeloader/

attack_vector
--------------
email attach .zip1 > .html > .zip2 > JS > WSH > cmd > PowerShell > GET 1URL > exe


# # # # # # # #
email_headers
# # # # # # # #
Received: from ds103.mirohost.net (ds103.mirohost.net [89.184.69.128])
Received: from 31-43-15-226.dks.com.ua ([31.43.15.226]:16605 helo=[127.0.0.1])
Reply-To: [email protected]
From: Глав Бух <[email protected]>
Subject: Рахунок до оплати
Message-Id: <[email protected]>
Date: Mon, 29 May 2023 02:51:23 +0300
X-Mailer: iPhone Mail (13E238)


# # # # # # # #
other_senders
# # # # # # # #

ivalyaeva[@]medsklad[.]dp.ua
buh_hm[@]tlauto.com[.]ua
inbox2[@]kirrda.kr-admin.gov[.]ua
count[@]khustpharm.com[.]ua
viktor[@]promarma.com[.]ua
chancellory[@]kyiv.e-u.in[.]ua


# # # # # # # #
files
# # # # # # # #
SHA-256		5c85249d375a3a38e87a45857c069c6710caef1e521194eed1b4c1ff463e5b0b
File name	акт_звірки_рахунки.zip  [Zip archive data]
File size	19.73 KB (20205 bytes)

SHA-256		c32974b865152c6ca3c5f0cc787319dfc2b32ea1bebc1f37f6c36d2ca75439c8
File name	акт_звірки_та_рахунки.html  [HTML document, Unicode text]
File size	19.51 KB (19983 bytes)

SHA-256		b9e7780b1bf98b1f2e0fd25c793530891bbb678da743be6229d3466234c9e56c
File name	акт_звірки_та_рахунки.zip   [Zip archive data]
File size	5.98 KB (6128 bytes)

SHA-256		51073b3884699eb4779004ab08d793635f3913c36139bce9ff0aead9f383849c
File name	акт_звірки_від_05_2023р.js (рахунок_№415_2023.js , рахунок_№416_2023.js)    [ JavaScript ]
File size	4.54 KB (4644 bytes)

SHA-256		6667500156d0b0d81fb98d32794c8c50de82fc915d2a59780e9b6e1b9f78ada7
File name	renew.exe   (TempuwN57.exe) [ PE32 executable (GUI)]
File size	326.50 KB (334336 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR      http://premiumjeck.site/one/renew.exe   [176.124.193.111]


C2

polinamailserverip[ .ru/
lamazone[ .site/
criticalosl[ .tech/
maximprofile[ .net/
zaliphone[ .com/
humanitarydp[ .ug/
zaikaopentra[ .com.ug/
zaikaopentra-com-ug[ .online/
infomalilopera[ .ru/
jskgdhjkdfhjdkjhd844[ .ru/
jkghdj2993jdjjdjd[ .ru/
kjhgdj99fuller[ .ru/
azartnyjboy[ .com/
zalamafiapopcultur[ .eu/
hopentools[ .site/
kismamabeforyougo[ .com/
kissmafiabeforyoudied[ .eu/
gondurasonline[ .ug/
nabufixservice[ .name/
filterfullproperty[ .ru/
alegoomaster[ .com/
freesitucionap[ .com/
droopily[ .eu/
prostotaknet[ .net/
zakolibal[ .online/
verycheap[ .store/


netwrk
--------------
176.124.193.111	premiumjeck.site		80	HTTP	GET /one/renew.exe HTTP/1.1 	Google Chrome


comp
--------------


proc
--------------


persist
--------------
n/a


drop
--------------
C:\Users\%username%\AppData\Local\TempuwN57.exe


# # # # # # # #
additional info
# # # # # # # #
n/a


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/5c85249d375a3a38e87a45857c069c6710caef1e521194eed1b4c1ff463e5b0b/details
https://www.virustotal.com/gui/file/c32974b865152c6ca3c5f0cc787319dfc2b32ea1bebc1f37f6c36d2ca75439c8/details
https://www.virustotal.com/gui/file/b9e7780b1bf98b1f2e0fd25c793530891bbb678da743be6229d3466234c9e56c/details
https://www.virustotal.com/gui/file/51073b3884699eb4779004ab08d793635f3913c36139bce9ff0aead9f383849c/details
https://analyze.intezer.com/analyses/d229d44a-c9b0-4edc-acc7-eb53db8c0035/behavior
https://www.virustotal.com/gui/file/6667500156d0b0d81fb98d32794c8c50de82fc915d2a59780e9b6e1b9f78ada7/details
https://analyze.intezer.com/analyses/69caff4b-913e-4b7d-a80c-a763bcdf461f

VR