Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #IOC #OptiData #VR #smokeloader #lzh #pdf #RARsfx #packed
- https://pastebin.com/GMwv38g4
- previous_contact:
- https://pastebin.com/DgFvarG0
- https://pastebin.com/AayUSaXq
- https://pastebin.com/RDVXCe0J
- https://pastebin.com/QpG70u8T
- https://pastebin.com/BJzcXqkK
- https://pastebin.com/kBW7nkZ5
- https://pastebin.com/Z7zq0YkW
- https://pastebin.com/b8PkhMyN
- https://pastebin.com/hkskwKvc
- https://pastebin.com/JmthzrL4
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xorist
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- attack_vector
- --------------
- email attach .lzh1 > .lzh2 > .exe > .pdf > .bat > execute .jpg [smokeloader]
- # # # # # # # #
- email_headers
- # # # # # # # #
- Received: from mail.agm.kh.ua (88.198.13.209)
- Received: from [194.187.111.205] (helo=[127.0.0.1]) by mail.agm.kh.ua with esmtpa (Exim 4.92)
- From: ДПС Украiни gov.ua <account@agm.kh.ua>
- Subject: Помилкове зарахування вiд 15.08.2023p.
- Date: Thu, 17 Aug 2023 06:39:29 +0000
- Message-ID: <B747255F-388A-4DC0-F86A-B3D475A42CF8@agm.kh.ua>
- Reply-To: "svyvanyaukr@meta.ua" <svyvanyaukr@meta.ua >
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 eaaef25918f5de5a755c88813cba1ae5da87d98d49f903ed88ddd6f33029828d
- File name Платiжна iнструкцiя Код документа 9312_0580_6944_3255.Archive.lzh [ LHARK ]
- File size 397.05 KB (406575 bytes)
- SHA-256 1409d44a8858a7ecd81e8eceab7314dee31e1f7622cc780df4adb68d71998494
- File name 1.Платiжна iнструкцiя Код документа 9312_0580_6944_3255 [ LHARK ]
- File size 396.35 KB (405861 bytes)
- SHA-256 c8286ba2b48eded78d0f168a63a1da3311f298eecf95eb6de3de09ee18060fe6
- File name 1.Платiжна iнструкцiя Код документа 9312_0580_6944_3255.pdf.exe [ WinRAR Self Extracting ]
- File size 375.74 KB (384754 bytes)
- SHA-256 edfc02f5bb09b2c3871148d13f4bdcc2aa5444aa4dac170c8ab3342e353ce71a
- File name Payment_9312_0580_6944_3255.pdf [ PDF document, version 1.4 ] - clean, decoy
- File size 96.78 KB (99100 bytes)
- SHA-256 0f438d68adc2af0ecafaacd25f42437d45fbe07ca4660bbec14ef246c57c7837
- File name Payment_9312_0580_6944_3255.bat [ ASCII text ]
- File size 45 B (45 bytes)
- SHA-256 521526a7850de04b3cf1f592b932621a59e5af4b8d56e258443994edd42dbbce
- File name Pax_9312_0580_6944_3255_15.08.2023p.jpg [ PE32 executable (GUI) Intel 80386 ]
- File size 232.50 KB (238080 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2
- metallergroup{ .ru/
- infomailforyoumak{ .ru/
- coinmakopenarea{ .su/
- internetcygane{ .ru/
- zallesman{ .ru/
- maxteroper{ .ru/
- kilomunara{ .com/
- napropertyhub{ .eu/
- nafillimonilini{ .net/
- goodlenuxilam{ .site/
- jimloamfilling{ .online/
- vertusupportjk{ .org/
- liverpulapp{ .ru/
- zarabovannyok{ .eu/
- cityofuganda{ .ug/
- hillespostelnm{ .eu/
- humanitarydp{ .ru/
- zaikaopentra{ .com.ru/
- zaikaopentra-com-ug{ .su/
- jslopasitmon{ .com/
- zaikadoctor{ .ru/
- sismasterhome{ .ru/
- supermarioprohozhdenie{ .ru/
- krasavchikoleg{ .net/
- samoramertut{ .ru/
- polinamailserverip{ .ru/
- lamazone{ .site/
- criticalosl{ .tech/
- maximprofile{ .net/
- kismamabeforyougo{ .ru/
- kissmafiabeforyoudied{ .ru/
- gondurasonline{ .ru/
- netwrk
- --------------
- 185.244.183.112 metallergroup{ .ru 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- 185.244.183.112 internetcygane{ .ru 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- 195.123.219.57 maximprofile{ .net 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- 185.244.183.112 jskgdhjkdfhjdkjhd844{ .ru 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- 195.123.219.57 azartnyjboy{ .com 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- 195.123.219.57 alegoomaster{ .com 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- 195.123.219.57 freesitucionap{ .com 80 HTTP POST / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- comp
- --------------
- n/a
- proc
- --------------
- C:\Users\operator\Desktop\1.Платiжна iнструкцiя Код документа 9312_0580_6944_3255.pdf.exe
- "C:\Program Files\PDF\PDFXCview.exe" "C:\Users\operator\Desktop\Payment_9312_0580_6944_3255.pdf"
- C:\Windows\SysWOW64\cmd.exe /c ""C:\Users\operator\Desktop\Payment_9312_0580_6944_3255.bat" "
- C:\Users\operator\Desktop\Pax_9312_0580_6944_3255_15.08.2023p.jpg
- persist
- --------------
- n/a
- drop
- --------------
- %userprofile%\Payment_9312_0580_6944_3255.pdf
- %userprofile%\Payment_9312_0580_6944_3255.bat
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/eaaef25918f5de5a755c88813cba1ae5da87d98d49f903ed88ddd6f33029828d/details
- https://www.virustotal.com/gui/file/1409d44a8858a7ecd81e8eceab7314dee31e1f7622cc780df4adb68d71998494/details
- https://www.virustotal.com/gui/file/c8286ba2b48eded78d0f168a63a1da3311f298eecf95eb6de3de09ee18060fe6/details
- https://analyze.intezer.com/analyses/0a484735-b3dc-49af-8a2f-e0af14b5bc54
- https://www.virustotal.com/gui/file/edfc02f5bb09b2c3871148d13f4bdcc2aa5444aa4dac170c8ab3342e353ce71a/details
- https://www.virustotal.com/gui/file/0f438d68adc2af0ecafaacd25f42437d45fbe07ca4660bbec14ef246c57c7837/details
- https://www.virustotal.com/gui/file/521526a7850de04b3cf1f592b932621a59e5af4b8d56e258443994edd42dbbce/details
- https://analyze.intezer.com/analyses/dffc731b-01d6-4355-8ac0-50e59f6828ad
- VR
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
