VRad

#smokeloader_091123

Nov 9th, 2023 (edited)
#IOC #OptiData #VR #smokeloader #zip #7z #polyglot #EXE

https://pastebin.com/UfW73LSg

previous_contact:
https://pastebin.com/e46KzBWE
https://pastebin.com/xEwN5JPc
https://pastebin.com/GMwv38g4
https://pastebin.com/DgFvarG0
https://pastebin.com/AayUSaXq
...

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach .zip (polyglot) > .7z > .exe > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: Thu, 09 Nov 2023 14:23:10 +0200
Subject: Fw[2]: Акт звірки. та рахунок
From: Артем Жукович <artem_arma@ukr.net>
Received: from frv196.fwdcdn.com ([212.42.77.196])
Message-Id: <1699532580.0690892000.rg8wfvhn@frv50.fwdcdn.com>
X-Mailer: mail.ukr.net 5.0

# # # # # # # #
files
# # # # # # # #
SHA-256 4606430cab74535328d1378cc2a8f82531290dc70dd08b49f08fc50cbe115a7e
File name акт_списання_Б-00003564_вiд_08.11.23 (1).zip [Zip archive data, at least v2.0, !polyglot]
File size 149.50 KB (153090 bytes)

SHA-256 6175d5231849905e3f35015bc80fe72901018be6d16ca516c5de0477ad6ed7e2
File name акт списания та .рахунок [7-zip archive data, version 0.3]
File size 148.92 KB (152497 bytes)

SHA-256 6fe8c9bfed9abde0c5ccf98f9307da5e24eb9601788274593b3e30b1fbe7f53a
File name акт_списання_Б-00003564_вiд_07.11.23.XLS.exe [ Win32 Executable MS Visual C++ (generic) ]
File size 316.50 KB (324096 bytes)

SHA-256 9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47
File name акт списання №Б-00003564 від 30.10.23.xls [ null bytes ]
File size 8.00 KB (8192 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR email_attach

C2

nekuritebambuk { .ru/index.php


netwrk
--------------
193.106.175.11 againandagaingmorder{ .ru 80 HTTP POST /index.php HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0
195.123.219.57 foodplacecafe{ .by 80 HTTP POST /index.php HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0
195.123.219.57 spasibozavsedruziya{ .ru 80 HTTP POST /index.php HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0
193.106.175.11 nekuritebambuk{ .ru 80 HTTP POST /index.php HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0

comp
--------------
акт_списання_Б-00003564_вiд_07.11.23.XLS.exe 193.106.175.11 80 ESTABLISHED
акт_списання_Б-00003564_вiд_07.11.23.XLS.exe 195.123.219.57 80 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\акт_списання_Б-00003564_вiд_07.11.23.XLS.exe

{another context}

C:\Windows\system32\taskeng.exe {2E377A9D-6F27-4851-8DA3-7F8987837E69} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\baaubru


persist
--------------
\Firefox Default Browser Agent B533C761E196FE86 C:\Users\operator\AppData\Roaming\iejtdvv [task]

drop
--------------
акт списания та .рахунок
акт_списання_Б-00003564_вiд_07.11.23.XLS.exe
Рахунок_Б-00003564_вiд_07.11.23.XLS.exe

# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/4606430cab74535328d1378cc2a8f82531290dc70dd08b49f08fc50cbe115a7e/details
https://www.virustotal.com/gui/file/6175d5231849905e3f35015bc80fe72901018be6d16ca516c5de0477ad6ed7e2/details
https://www.virustotal.com/gui/file/6fe8c9bfed9abde0c5ccf98f9307da5e24eb9601788274593b3e30b1fbe7f53a/details
https://analyze.intezer.com/analyses/c1cd6523-168b-4acb-a5b6-345ad3543abc/dynamic-ttps
https://www.virustotal.com/gui/file/9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47/details

VR