#smokeloader_210120

VRad Jan 21st, 2020 (edited)
#IOC #OptiData #VR #smokeloader #WSH

C2 identified by TomasP @0xE9FBFFFFFF

https://pastebin.com/QpG70u8T

previous_contact:
https://pastebin.com/BJzcXqkK
https://pastebin.com/kBW7nkZ5
https://pastebin.com/Z7zq0YkW
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://research.checkpoint.com/2019-resurgence-of-smokeloader/

attack_vector
--------------
email attach .zipx > js > WSH > GET > exe > AppData\Roaming\Microsoft\Windows\Templates\*.dat

email_headers
--------------
n/a

files
--------------
SHA-256     57dde179404d483ad7c325af4500de2dfd35e7643062f2ae33d7a1cd958be2e8
File name   Договор и рахунок СП ТОВ Радмиртех.zipx        [Zip archive data, at least v2.0 to extract]
File size   32.40 KB (33174 bytes)

SHA-256     03dcf4f7d4cde69c4775d2ee38e53818f79bd4c55ed4758dab3963af0e891e9c
File name   рах_№5820.xlsx             [Microsoft Excel 2007+]
File size   12.81 KB (13114 bytes)

SHA-256     64f449cf659d53d01f56c6ccc883486c66a6b113d261635a2462a584bc170ba9
File name   Договор с СП ТОВ Радмиртех.js     [ASCII text, with very long lines]
File size   45.16 KB (46243 bytes)

SHA-256     4fd6a01b750bd999b55a1f87d8ff383de63e1cd1cf98f54587480f7478af46d1
File name   ioclase.exe             [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   229.50 KB (235008 bytes)

SHA-256     8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
File name   6B79.tmp (ntdll.dll)            [Microsoft Visual C++ vx.x DLL]
File size   1.23 MB (1292192 bytes)

activity
**************
PL_SCR      interpremier1998.ru/get/homec/ioclase.exe

C2  (upd!)  homereservecinema.ru/   - down
            kinokritikboss.ru/      - 185.132.53.39


Smokeload config from hxxtp://kinokritikboss.ru
https://pastebin.com/bYFkacbg

*Detects Sandboxie through the presence of a library
*Checks the presence of disk drives in the registry, possibly for anti-virtualization

netwrk
--------------
[http]
185.132.53.39   interpremier1998.ru GET /get/homec/ioclase.exe HTTP/1.1     Mozilla/4.0

comp
--------------
wscript.exe 2060    TCP localhost   185.132.53.39   80  ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Договор с СП ТОВ Радмиртех.js"
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337227.dat

persist
--------------
n/a - payload crash

drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\R34LXPLS\ioclase[1].exe
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\337227.dat
C:\tmp\6B79.tmp (ntdll.dll)

# # #
https://www.virustotal.com/gui/file/57dde179404d483ad7c325af4500de2dfd35e7643062f2ae33d7a1cd958be2e8/details
https://www.virustotal.com/gui/file/03dcf4f7d4cde69c4775d2ee38e53818f79bd4c55ed4758dab3963af0e891e9c/details
https://www.virustotal.com/gui/file/64f449cf659d53d01f56c6ccc883486c66a6b113d261635a2462a584bc170ba9/details
https://www.virustotal.com/gui/file/4fd6a01b750bd999b55a1f87d8ff383de63e1cd1cf98f54587480f7478af46d1/details

https://analyze.intezer.com/#/analyses/7da01a78-9bf7-4636-ad3c-8d225603bcb2
https://analyze.intezer.com/#/analyses/99729c71-4144-40c0-a020-2ebad89f08c5

https://www.virustotal.com/gui/file/8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c/details

VR