#smokeloader_021023

#IOC #OptiData #VR #smokeloader #RAR #polyglot #SFX #bat #EXE

https://pastebin.com/e46KzBWE

previous_contact:
https://pastebin.com/xEwN5JPc
https://pastebin.com/GMwv38g4
https://pastebin.com/DgFvarG0
https://pastebin.com/AayUSaXq
https://pastebin.com/RDVXCe0J
https://pastebin.com/QpG70u8T
...

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach .RAR (polyglot) > .doc (ZIP) > .jpg [smokeloader] + .EXE (SFX)> .bat > run smokeloader > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: Mon, 2 Oct 2023 04:22:26 +0300
Received: from mail.domtele.com (85.159.1.130)
Reply-To: <support@ukr.net>
Return-Path: mtb@rivne.com
From: Технічний відділ <mtb@rivne.com>
Subject: Fw: Рахунок, акт звiки
X-Mailer: Apple Mail (2.2104)
MIME-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Message-ID: <4797EB44-D0AE-6B5E-D7BD-E84A419D087B@rivne.com>

&

Received: from ds163.mirohost.net (89.184.68.199)
Received: from [31.43.159.185] (port=27258 helo=[127.0.0.1])
	by ds163.mirohost.net with esmtpa (Exim 4.95)
	(envelope-from <nataliya.don@pp-galaktika.com.ua>)
Reply-To: <sokal.dnz_7@meta.ua>
From: Отдел контроля <nataliya.don@pp-galaktika.com.ua>
Subject: Fw: Рахунок, акт звiки
Date: Mon, 2 Oct 2023 07:54:13 +0300
Message-ID: <j1t9lbu-p2rzsa-8C@pp-galaktika.com.ua>
Return-Path: nataliya.don@pp-galaktika.com.ua

# # # # # # # #
files
# # # # # # # #
SHA-256		    31be756b4315098a94855a8b236bcf6e55d97acbc5cebe75d1a668dff45bb82b
File name	    рахунок_фактура_СФ-0001871_та_акт_звiрки_вiд_29_09_2023р.zip      [polyglot]
File size	    700.03 KB (716834 bytes)

SHA-256		    3ac06154dea00c6f17fba1c52956affdda59eba036b3d5d077c37c93fe277a26
File name	    Рахунок_фактура_СФ-0001871.XLS      [clean if extracted in UNIX]
File size	    19.00 KB (19456 bytes)

SHA-256		    90ed5f6719265e25c3483b11704e3158622128816def1f7515988b7de5f5f1de
File name	    спiсок.doc                                   [ZIP]
File size	    695.92 KB (712623 bytes)

SHA-256		    e5314f7a9969af109606c84567ecf951570dd1495c400a1e5bf215fd5cdb3fd2
File name	    Pax_9312_0580_6944_3255_29.09.2023p.jpg     [EXE]
File size	    192.00 KB (196608 bytes)

SHA-256		    8b4b9b473f73b70c55d21d33149ced0c234fff919d15ff73cca22b93818a785c
File name	    акт_звiрки_вiд_29_09_2023р_за_рах_UA493077700000026002711166191.JPEG.exe    [SFX]
File size       683.98 KB (700393 bytes)

SHA-256		    9b50c4624bd60aea94b85afeeac6d61c485bee42fdeeffedc5d9617f4650c51c
File name	    Payment_9312_0580_6944_3255.bat     [BAT commad _ start EXE]
File size       56 B (56 bytes)

SHA-256		    41fe1fea884daee189076a5bb5b288852ed5b72d3b89576b740be6baceaa69c5
File name	    akt.jpeg                            [JPEG _ clean _decoy]
File size       486.37 KB (498045 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR          email_attach

C2

dublebomber {.ru/
yavasponimayu {.ru/
nomnetozhedenyuzhkanuzhna {.ru/
prostosmeritesya {.ru/
ipoluchayteudovolstvie {.ru/
super777bomba {.ru/
specnaznachenie {.ru/
zakrylki809 {.ru/
propertyminsk {.by/
iloveua {.ir/
moyabelorussiya {.by/
tvoyaradostetoya {.ru/
zasadacafe {.by/
restmantra {.by/
kozachok777 {.ru/
propertyiran {.ir/
sakentoshi {.ru/
popuasyfromua {.ru/
diplombar {.by/

netwrk
--------------
85.143.172.45	dublebomber {.ru	    80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
194.58.112.174	specnaznachenie{ .ru	80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
85.143.172.45	sakentoshi{ .ru	        80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
194.58.112.174	popuasyfromua{ .ru	    80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko

comp
--------------
n/a

proc
--------------
C:\Users\operator\Desktop\акт_звiрки_вiд_29_09_2023р_за_рах_UA493077700000026002711166191.JPEG.exe
	C:\Windows\SysWOW64\cmd.exe /c ""C:\Users\operator\Desktop\Payment_9312_0580_6944_3255.bat" "
		C:\Users\operator\Desktop\Pax_9312_0580_6944_3255_29.09.2023p.jpg

persist
--------------
n/a

drop
--------------
спiсок.doc
Pax_9312_0580_6944_3255_29.09.2023p.jpg
акт_звiрки_вiд_29_09_2023р_за_рах_UA493077700000026002711166191.JPEG.exe
Payment_9312_0580_6944_3255.bat
akt.jpeg

# # # # # # # #
additional info
# # # # # # # #
Payment_9312_0580_6944_3255.bat
-------------------------------
@echo off
start Pax_9312_0580_6944_3255_29.09.2023p.jpg

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/31be756b4315098a94855a8b236bcf6e55d97acbc5cebe75d1a668dff45bb82b/details
https://www.virustotal.com/gui/file/3ac06154dea00c6f17fba1c52956affdda59eba036b3d5d077c37c93fe277a26/details
https://www.virustotal.com/gui/file/90ed5f6719265e25c3483b11704e3158622128816def1f7515988b7de5f5f1de/details
https://www.virustotal.com/gui/file/e5314f7a9969af109606c84567ecf951570dd1495c400a1e5bf215fd5cdb3fd2/details
https://www.virustotal.com/gui/file/e5314f7a9969af109606c84567ecf951570dd1495c400a1e5bf215fd5cdb3fd2/details
https://analyze.intezer.com/analyses/dec09107-5121-46c7-ac2b-4fc7e801a904
https://www.virustotal.com/gui/file/8b4b9b473f73b70c55d21d33149ced0c234fff919d15ff73cca22b93818a785c/details
https://www.virustotal.com/gui/file/9b50c4624bd60aea94b85afeeac6d61c485bee42fdeeffedc5d9617f4650c51c/details
https://www.virustotal.com/gui/file/41fe1fea884daee189076a5bb5b288852ed5b72d3b89576b740be6baceaa69c5/details

VR