#IOC #OptiData #VR #shade #troldesh #WSH #passwd_RAR
https://pastebin.com/J1Mx2CaB

previous contact:
25/02/18 https://pastebin.com/vMUxTH8C
20/02/18 https://pastebin.com/4XDjjWZh
28/12/18 https://pastebin.com/E3isAsmV
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email attach (RAR) > pass > JS > WSH > GET .mpwq > %temp%\*.tmp

email_headers
--------------
Received: from hr3740149012.reseller.mis.ovh.net (mail.kesako.net [213.32.30.206])
by srv8.victim0.com for <user00@org88.victim0.com>; (envelope-from rachel@uzino.com)
Received: from COMPUTER (unknown [37.235.236.145]) by hr3740149012.reseller.mis.ovh.net (Postfix)
From: Некрасов <rachel@uzino.com>
Reply-To: Некрасов <rachel@uzino.com>
To: user00@org88.victim0.com
Subject: информация о заказе
Date: Tue, 19 Mar 2019 16:14:47 +0200 (EET)

files
--------------
SHA-256 7955a4fca5ec7faa32bc703432840a9cfed5a8a48bccc511eccec2f587ca491e
File name ut_air.rar [RAR archive data, v6,]
File size 2.59 KB (2652 bytes)

SHA-256 efa3dd81eb0506bccd52bfda687f7131f299e0ec3c125f98cbd523a2945fe65c
File name Подробности заказа ПАО «Авиакомпания „ЮТэйр“».js [ASCII text]
File size 4.55 KB (4662 bytes)

SHA-256 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
File name gr.mpwq [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.12 MB (1175304 bytes)

activity
**************
PL_SRC:
http://salezietes{.} lt/webanalyze/gr.mpwq

netwrk
--------------
http.request.method == GET
79.98.24.20 salezietes{.} lt GET /webanalyze/gr.mpwq HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;

ssl
194.109.206.212 www.yvv4v5kkhktzygyhj4i6l3sc.com Client Hello

comp
--------------
wscript.exe 1672 TCP localhost 49511 79.98.24.20 80 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49512 localhost 49513 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49513 localhost 49512 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49514 194.109.206.212 443 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49515 154.35.32.5 443 SYN_SENT
radDAD3D.tmp 2264 TCP localhost 49516 78.129.150.54 9001 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49517 40.89.186.165 9001 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49518 138.201.83.171 9001 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Подробности заказа ПАО «Авиакомпания „ЮТэйр“».js"
"C:\Windows\System32\cmd.exe" /c %temp%\radDAD3D.tmp
%temp%\radDAD3D.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.03.2019 14:19
Client Server Runtime Subsystem Total Commander 32bit->64bit helper tool Ghisler Software GmbH
c:\programdata\windows\csrss.exe 21.03.2019 1:10

drop
--------------
%temp%\6893A5D897\cached-certs
%temp%\6893A5D897\cached-microdesc-consensus
%temp%\6893A5D897\lock
%temp%\6893A5D897\state
%temp%\radDAD3D.tmp
C:\ProgramData\Windows\csrss.exe

# # #
https://www.virustotal.com/gui/file/7955a4fca5ec7faa32bc703432840a9cfed5a8a48bccc511eccec2f587ca491e/details
https://www.virustotal.com/gui/file/efa3dd81eb0506bccd52bfda687f7131f299e0ec3c125f98cbd523a2945fe65c/details
https://www.virustotal.com/gui/file/01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38/details
https://analyze.intezer.com/#/analyses/ba0e854a-9108-46dc-bfc0-b7b3fbfff2c5

VR
@