#smokeloader_201119

VRad, Nov 20th, 2019 (edited)
#IOC #OptiData #VR #smokeloader #LZH #SCR #UPX

ID with the help of @James_inthe_box

https://pastebin.com/BJzcXqkK

previous_contact:
https://pastebin.com/kBW7nkZ5
https://pastebin.com/Z7zq0YkW
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://research.checkpoint.com/2019-resurgence-of-smokeloader/

attack_vector
--------------
email attach .RAR > .LZH > SCR > explorer > taskeng > regsvr32 > Roaming\buhtujv

email_headers
--------------
Date: Wed, 20 Nov 2019 05:03:08 +0200
Reply-To: alfredpinol@meta.ua
Return-Path: <s.netluh@airport.lviv.ua>
Received: from mx-out-2.default-host.net (mx-out-2.default-host.net [185.234.176.21])
Received: from [127.0.0.1] (unknown [81.22.255.150]) by mx-out-2.default-host.net (Postfix) with ESMTPA id 08B9E12196B
From: s.netluh@airport.lviv.ua
Subject: Re: Задолжность за листопад
X-Mailer: iPhone Mail (13E238)
X-FEAS-CLIENT-IP: 185.234.176.21

files
--------------
SHA-256     cbe03fcaab00a2fa69a06ccfe4b9798c922a081befc4d6494b8b625290c458c1
File name   рах.ф. до оплати за листопад за договором № 18-А.rar [RAR archive data, v8, os: OS/2 ]
File size   282.66 KB (289446 bytes)

SHA-256     a95b23f00132f69eb562fb84bb88e75ce019105936daa1c82a4be6a464b56c96
File name   рахунки до оплати за листопад.lzh  [LHa (2.x)/LHark archive data [lh7] - header level 0 ]
File size   255.78 KB (261923 bytes)

SHA-256     9198dd9af0b3cd11ebe90d0e44e2d582688e6eeb62780b9f0bb40312cd9da49c
File name   file.scr    [UPX, PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size   291.5 KB (298496 bytes)

SHA-256     b0adf16a99c3259fd571fbd22595cb4f8aae6fac347fd4e4eb1bae25eb3f0d6c
File name   file_unpack.scr [PE32 executable for MS Windows (GUI) Intel 80386 32-bit ]
File size   380.5 KB (389632 bytes)

SHA-256     8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
File name   ntdll.dll   [PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit ]
File size   1.23 MB (1292192 bytes)

activity
**************
PL_SCR      attachment

C2      manikurshoping{.}ru     194.15.36.70

netwrk
--------------
194.15.36.70    manikurshoping.ru   POST / HTTP/1.1  (application/x-www-form-urlencoded)    Mozilla/5.0

comp
--------------
explorer.exe    194.15.36.70

proc
--------------
C:\Users\operator\Desktop\decoy.scr /S
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskeng.exe {ID} S-1-5-21-...:APM11\operator:Interactive:LUA[1]
C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\admin\AppData\Roaming\jugfabc" scrobj
C:\Users\operator\AppData\Roaming\buhtujv
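The process chain above (a .scr launched from the user profile, regsvr32 pulling a scriptlet from AppData\Roaming via scrobj, then an extensionless payload run from Roaming) is the part of this paste that turns directly into a host detection. The following is an added example, not code from the paste's author: a small classifier run over the command lines copied from the proc section (the `{ID}` and `S-1-5-21-...` elisions are kept as the page has them) plus two constructed benign lines for contrast. The rule names and the benign samples are assumptions made for the example; the regsvr32 /i: + scrobj pattern corresponds to ATT&CK T1218.010.

```python
import re
from typing import Dict, List

# Command lines copied from the "proc" section of the paste (elisions kept as on the page).
SAMPLE_PROC: List[str] = [
    r"C:\Users\operator\Desktop\decoy.scr /S",
    r"C:\Windows\SysWOW64\explorer.exe",
    r"C:\Windows\system32\taskeng.exe {ID} S-1-5-21-...:APM11\operator:Interactive:LUA[1]",
    r'C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\admin\AppData\Roaming\jugfabc" scrobj',
    r"C:\Users\operator\AppData\Roaming\buhtujv",
]

# Constructed benign lines (not from the page) to show the rules do not fire on ordinary usage.
SAMPLE_BENIGN: List[str] = [
    r'C:\Windows\system32\regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    r"C:\Users\operator\AppData\Roaming\Vendor\updater.exe --check",
]

ROAMING = "\\appdata\\roaming\\"


def image_path(cmdline: str) -> str:
    """Return the executable path: the quoted first token, or everything before the first space."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def classify(cmdline: str) -> List[str]:
    """Return the list of reasons a command line matches the chain seen in this sample (empty if clean)."""
    reasons: List[str] = []
    lower = cmdline.lower()
    image = image_path(cmdline)
    image_lower = image.lower()
    name = image.rsplit("\\", 1)[-1].lower()

    # Rule 1: regsvr32 /i:<file> ... scrobj loads a COM scriptlet instead of registering a DLL
    # (the "regsvr32 > Roaming\buhtujv" step of the attack vector; ATT&CK T1218.010).
    if name.startswith("regsvr32") and "/i:" in lower and re.search(r"\bscrobj\b", lower):
        reasons.append("regsvr32 loading a COM scriptlet via scrobj")
        if ROAMING in lower:
            reasons.append("scriptlet path under AppData\\Roaming")

    # Rule 2: an extensionless image executed from AppData\Roaming (the dropped buhtujv).
    if ROAMING in image_lower and "." not in name:
        reasons.append("extensionless image in AppData\\Roaming")

    # Rule 3: a screensaver binary started from a user profile path (the decoy.scr attachment).
    if name.endswith(".scr") and "\\users\\" in image_lower:
        reasons.append("screensaver executable run from user profile")

    return reasons


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each matching command line to its reasons; lines with no match are omitted."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_PROC + SAMPLE_BENIGN).items():
        print(cmd)
        for r in why:
            print("   ->", r)
```

Rule 1 is the highest-confidence signal: legitimate regsvr32 use registers a DLL, while `/i:` pointing at a file under a user-writable directory together with `scrobj` is the scriptlet-execution pattern and almost never appears in normal administration. Rules 2 and 3 are noisier on their own and are best correlated with the parent chain (explorer > taskeng > regsvr32) rather than alerted on in isolation.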

persist
--------------
n/a

drop
--------------
%temp%\****.tmp [ntdll.dll]
operator\AppData\Roaming\buhtujv

# # #
https://www.virustotal.com/gui/file/cbe03fcaab00a2fa69a06ccfe4b9798c922a081befc4d6494b8b625290c458c1/details
https://www.virustotal.com/gui/file/a95b23f00132f69eb562fb84bb88e75ce019105936daa1c82a4be6a464b56c96/details

>UPX
https://www.virustotal.com/gui/file/9198dd9af0b3cd11ebe90d0e44e2d582688e6eeb62780b9f0bb40312cd9da49c/details
https://analyze.intezer.com/#/analyses/3871328f-1f63-4346-84a9-576c3361b561

>unpacked
https://www.virustotal.com/gui/file/b0adf16a99c3259fd571fbd22595cb4f8aae6fac347fd4e4eb1bae25eb3f0d6c/details
https://analyze.intezer.com/#/analyses/42fea4fa-aea6-4737-b826-d8adbb49b01e

>dll
https://www.virustotal.com/gui/file/8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c/details
https://analyze.intezer.com/#/analyses/b69fe4fb-3966-449e-a86b-e2eb4f529481

@ @ @
meta
--------------
File Name                       : рах.ф. до оплати за листопад за договором № 18-А.rar
Directory                       : .
File Size                       : 283 kB
File Modification Date/Time     : 2019:11:20 10:52:00+02:00
File Access Date/Time           : 2019:11:20 11:14:49+02:00
File Inode Change Date/Time     : 2019:11:20 11:14:34+02:00
File Permissions                : rw-rw-rw-
Error                           : File format error


File Name                       : рахунки до оплати за листопад.lzh
Directory                       : .
File Size                       : 256 kB
File Modification Date/Time     : 2019:11:20 03:03:36+02:00
File Access Date/Time           : 2019:11:20 10:53:26+02:00
File Inode Change Date/Time     : 2019:11:20 10:53:03+02:00
File Permissions                : rw-rw-r--
Error                           : Unknown file type


File Name                       : decoy_upx.scr
File Size                       : 292 kB
File Modification Date/Time     : 2019:11:20 02:11:22+02:00
File Access Date/Time           : 2019:11:20 11:05:27+02:00
File Inode Change Date/Time     : 2019:11:20 11:05:27+02:00
File Permissions                : rw-------
File Type                       : Win32 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2019:11:20 02:11:19+02:00
PE Type                         : PE32
Language Code                   : English (U.S.)
Character Set                   : Unicode
Legal Copyright                 : Copyright ©OVH. 1999 - 2014
Original File Name              : ParasitesSenders.exe
File Description                : Spending Cres Rdn Cascading
Company Name                    : OVH
Languages                       : English
Product Name                    : ParasitesSenders
Product Version                 : 3.8.6.2


File Name                       : decoy_unpack.exe
File Size                       : 380 kB
File Modification Date/Time     : 2019:11:20 02:11:22+02:00
File Access Date/Time           : 2019:11:20 11:35:53+02:00
File Inode Change Date/Time     : 2019:11:20 11:35:50+02:00
File Permissions                : rw-------
File Type                       : Win32 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2019:11:20 02:11:19+02:00
PE Type                         : PE32
Language Code                   : English (U.S.)
Character Set                   : Unicode
Legal Copyright                 : Copyright ©OVH. 1999 - 2014
Original File Name              : ParasitesSenders.exe
File Description                : Spending Cres Rdn Cascading
Company Name                    : OVH
Languages                       : English
Product Name                    : ParasitesSenders
Product Version                 : 3.8.6.2


ExifTool Version Number         : 10.10
File Name                       : table_clean.xls
File Size                       : 42 kB
File Modification Date/Time     : 2019:11:19 02:47:30+02:00
File Access Date/Time           : 2019:11:20 11:14:34+02:00
File Inode Change Date/Time     : 2019:11:20 11:04:30+02:00
File Permissions                : rw-------
File Type                       : XLS
File Type Extension             : xls
MIME Type                       : application/vnd.ms-excel
Author                          : VIP9
Last Modified By                : RePack by Diakov
Software                        : Microsoft Excel
Last Printed                    : 2018:02:20 08:54:41
Create Date                     : 2016:11:20 11:19:57
Modify Date                     : 2019:11:19 00:47:28
Security                        : None
Code Page                       : Windows Cyrillic
Company                         : Grizli777
App Version                     : 14.0000
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  : остатки кукуруза, остатки соя, 'остатки кукуруза'!Область_печати
Heading Pairs                   : Листы, 2, Именованные диапазоны, 1


File Name                       : Яковлева копия для договора.jpg
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2018:03:13 09:15:56+02:00
File Access Date/Time           : 2019:11:20 10:53:20+02:00
File Inode Change Date/Time     : 2019:11:20 10:53:03+02:00
File Permissions                : rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 37.795
Y Resolution                    : 37.795
Resolution Unit                 : cm
Software                        : paint.net 4.0.4
Image Width                     : 800
Image Height                    : 559
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 800x559
Megapixels                      : 0.447



VR