VRad

#troldesh_190319

Mar 21st, 2019
#IOC #OptiData #VR #shade #troldesh #WSH #passwd_RAR

https://pastebin.com/J1Mx2CaB

previous contact:
25/02/18 https://pastebin.com/vMUxTH8C
20/02/18 https://pastebin.com/4XDjjWZh
28/12/18 https://pastebin.com/E3isAsmV
26/12/18 https://pastebin.com/kx8Y0XzR
25/12/18 https://pastebin.com/xNRiz3QW
24/12/18 https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email attach (RAR) > pass > JS > WSH > GET .mpwq > %temp%\*.tmp

email_headers
--------------
Received: from hr3740149012.reseller.mis.ovh.net (mail.kesako.net [213.32.30.206])
by srv8.victim0.com for <user00@org88.victim0.com>; (envelope-from rachel@uzino.com)
Received: from COMPUTER (unknown [37.235.236.145]) by hr3740149012.reseller.mis.ovh.net (Postfix)
From: Некрасов <rachel@uzino.com>
Reply-To: Некрасов <rachel@uzino.com>
To: user00@org88.victim0.com
Subject: информация о заказе
Date: Tue, 19 Mar 2019 16:14:47 +0200 (EET)

files
--------------
SHA-256 7955a4fca5ec7faa32bc703432840a9cfed5a8a48bccc511eccec2f587ca491e
File name ut_air.rar [RAR archive data, v6,]
File size 2.59 KB (2652 bytes)

SHA-256 efa3dd81eb0506bccd52bfda687f7131f299e0ec3c125f98cbd523a2945fe65c
File name Подробности заказа ПАО «Авиакомпания „ЮТэйр“».js [ASCII text]
File size 4.55 KB (4662 bytes)

SHA-256 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
File name gr.mpwq [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.12 MB (1175304 bytes)

activity
**************
PL_SRC:
http://salezietes{.} lt/webanalyze/gr.mpwq

netwrk
--------------
http.request.method == GET
79.98.24.20 salezietes{.} lt GET /webanalyze/gr.mpwq HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;

ssl
194.109.206.212 www.yvv4v5kkhktzygyhj4i6l3sc.com Client Hello

comp
--------------
wscript.exe 1672 TCP localhost 49511 79.98.24.20 80 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49512 localhost 49513 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49513 localhost 49512 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49514 194.109.206.212 443 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49515 154.35.32.5 443 SYN_SENT
radDAD3D.tmp 2264 TCP localhost 49516 78.129.150.54 9001 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49517 40.89.186.165 9001 ESTABLISHED
radDAD3D.tmp 2264 TCP localhost 49518 138.201.83.171 9001 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Подробности заказа ПАО «Авиакомпания „ЮТэйр“».js"
"C:\Windows\System32\cmd.exe" /c %temp%\radDAD3D.tmp
%temp%\radDAD3D.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.03.2019 14:19
Client Server Runtime Subsystem Total Commander 32bit->64bit helper tool Ghisler Software GmbH
c:\programdata\windows\csrss.exe 21.03.2019 1:10

drop
--------------
%temp%\6893A5D897\cached-certs
%temp%\6893A5D897\cached-microdesc-consensus
%temp%\6893A5D897\lock
%temp%\6893A5D897\state

%temp%\radDAD3D.tmp

C:\ProgramData\Windows\csrss.exe

# # #
https://www.virustotal.com/gui/file/7955a4fca5ec7faa32bc703432840a9cfed5a8a48bccc511eccec2f587ca491e/details
https://www.virustotal.com/gui/file/efa3dd81eb0506bccd52bfda687f7131f299e0ec3c125f98cbd523a2945fe65c/details
https://www.virustotal.com/gui/file/01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38/details
https://analyze.intezer.com/#/analyses/ba0e854a-9108-46dc-bfc0-b7b3fbfff2c5

VR

@