
#troldesh_190319

VRad Mar 21st, 2019 (edited) 199 Never
#IOC #OptiData #VR #shade #troldesh #WSH #passwd_RAR

https://pastebin.com/J1Mx2CaB

previous contact:
25/02/18    https://pastebin.com/vMUxTH8C
20/02/18    https://pastebin.com/4XDjjWZh
28/12/18    https://pastebin.com/E3isAsmV
26/12/18    https://pastebin.com/kx8Y0XzR
25/12/18    https://pastebin.com/xNRiz3QW
24/12/18    https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email attach (RAR) > pass > JS > WSH > GET .mpwq > %temp%\*.tmp

email_headers
--------------
Received: from hr3740149012.reseller.mis.ovh.net (mail.kesako.net [213.32.30.206])
    by srv8.victim0.com for <user00@org88.victim0.com>; (envelope-from rachel@uzino.com)
Received: from COMPUTER (unknown [37.235.236.145]) by hr3740149012.reseller.mis.ovh.net (Postfix)
From: Некрасов <rachel@uzino.com>
Reply-To: Некрасов <rachel@uzino.com>
To: user00@org88.victim0.com
Subject: информация о заказе
Date: Tue, 19 Mar 2019 16:14:47 +0200 (EET)

files
--------------
SHA-256     7955a4fca5ec7faa32bc703432840a9cfed5a8a48bccc511eccec2f587ca491e
File name   ut_air.rar                      [RAR archive data, v6,]
File size   2.59 KB (2652 bytes)

SHA-256     efa3dd81eb0506bccd52bfda687f7131f299e0ec3c125f98cbd523a2945fe65c
File name   Подробности заказа ПАО «Авиакомпания „ЮТэйр“».js [ASCII text]
File size   4.55 KB (4662 bytes)

SHA-256     01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
File name   gr.mpwq                         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.12 MB (1175304 bytes)

activity
**************
PL_SRC:
http://salezietes{.} lt/webanalyze/gr.mpwq

netwrk
--------------
http.request.method == GET
79.98.24.20     salezietes{.} lt    GET /webanalyze/gr.mpwq HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;

ssl
194.109.206.212 www.yvv4v5kkhktzygyhj4i6l3sc.com        Client Hello

comp
--------------
wscript.exe     1672    TCP localhost   49511   79.98.24.20     80      ESTABLISHED
radDAD3D.tmp    2264    TCP localhost   49512   localhost       49513   ESTABLISHED
radDAD3D.tmp    2264    TCP localhost   49513   localhost       49512   ESTABLISHED
radDAD3D.tmp    2264    TCP localhost   49514   194.109.206.212 443     ESTABLISHED
radDAD3D.tmp    2264    TCP localhost   49515   154.35.32.5     443     SYN_SENT
radDAD3D.tmp    2264    TCP localhost   49516   78.129.150.54   9001    ESTABLISHED
radDAD3D.tmp    2264    TCP localhost   49517   40.89.186.165   9001    ESTABLISHED
radDAD3D.tmp    2264    TCP localhost   49518   138.201.83.171  9001    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Подробности заказа ПАО «Авиакомпания „ЮТэйр“».js"
"C:\Windows\System32\cmd.exe" /c %temp%\radDAD3D.tmp
%temp%\radDAD3D.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              19.03.2019 14:19
Client Server Runtime Subsystem Total Commander 32bit->64bit helper tool    Ghisler Software GmbH
c:\programdata\windows\csrss.exe    21.03.2019 1:10

drop
--------------
%temp%\6893A5D897\cached-certs
%temp%\6893A5D897\cached-microdesc-consensus
%temp%\6893A5D897\lock
%temp%\6893A5D897\state

%temp%\radDAD3D.tmp

C:\ProgramData\Windows\csrss.exe

# # #
https://www.virustotal.com/gui/file/7955a4fca5ec7faa32bc703432840a9cfed5a8a48bccc511eccec2f587ca491e/details
https://www.virustotal.com/gui/file/efa3dd81eb0506bccd52bfda687f7131f299e0ec3c125f98cbd523a2945fe65c/details
https://www.virustotal.com/gui/file/01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38/details
https://analyze.intezer.com/#/analyses/ba0e854a-9108-46dc-bfc0-b7b3fbfff2c5

VR

@