#troldesh_190919

VRad, Sep 19th, 2019 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #URL #indexZIP

https://pastebin.com/efcuw6WX

previous contact:
19/03/19    https://pastebin.com/J1Mx2CaB
25/02/18    https://pastebin.com/vMUxTH8C
20/02/18    https://pastebin.com/4XDjjWZh
28/12/18    https://pastebin.com/E3isAsmV
26/12/18    https://pastebin.com/kx8Y0XzR
25/12/18    https://pastebin.com/xNRiz3QW
24/12/18    https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email URL > GET index.html (ZIP) > JS > GET jpg (exe) > encrypt

email_headers
--------------
n/a

files
--------------
SHA-256     6aacde9d66b03499510d36c4bdaa065f4ab097b6b0e713743a69795fdaf064f8
File name   index.html (doc.zip)        [Zip archive data, at least v2.0 to extract]
File size   12.08 KB (12372 bytes)

SHA-256     4b96d19f03917fc902de321768e8107aaa0827708b54b622e8c7b51c07d04824
File name   Информация о заказе.xls.js  [ASCII C program text, with very long lines, with CRLF, LF line terminators]
File size   19.54 KB (20014 bytes)

SHA-256     46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47
File name   2c.jpg                      [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size   1.96 MB (2055680 bytes)

activity
**************
PL_SCR
zip
http://van-lummel.nl/wp-admin/css/colors/blue/xls/
http://ideas-to-go.de/wp-content/themes/spacious/js/doc/

exe
http://jdcontractingomaha.com/wp-content/blogs.dir/2c.jpg
http://valerieheslop.co.uk/templates/beez_20/fonts/2c.jpg

C2

netwrk
--------------
[ssl]
194.109.206.212     rwti2mg.com                     Client Hello
131.188.40.189      owfuyihrdgwbywasar7ndqhm.com    Client Hello
51.68.205.181       fviiio37lfy.com                 Client Hello
5.79.68.161         5ohvar7b3n64vhbi2i6zs43m.com    Client Hello

[http]
132.148.98.116      jdcontractingomaha.com          GET /wp-content/blogs.dir/2c.jpg    HTTP/1.1    Mozilla/4.0
[!This program cannot be run in DOS mode]

66.171.248.178      ipv4bot.whatismyipaddress.com   GET /                               HTTP/1.1    Mozilla/5.0

comp
--------------
wscript.exe     1652    TCP 132.148.98.116  80      ESTABLISHED
rad01567.tmp    2792    TCP 131.188.40.189  443     ESTABLISHED
rad01567.tmp    2792    TCP 128.31.0.39     9101    ESTABLISHED
rad01567.tmp    2792    TCP 5.79.68.161     443     ESTABLISHED
rad01567.tmp    2792    TCP 51.68.205.181   443     ESTABLISHED
rad01567.tmp    2792    TCP 212.47.236.86   9001    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Информация о заказе.xls.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad01567.tmp
C:\tmp\rad01567.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              19.09.2019 16:09
Client Server Runtime Subsystem Remotely Imprvement Vases   Sonic Foundry
c:\programdata\windows\csrss.exe    18.09.2019 3:43

drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\RSS 4UEVC\2c[1].jpg
C:\tmp\rad01567.tmp
C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
C:\ProgramData\Windows\csrss.exe
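The sections above give a defender two kinds of material: static indicators (hashes, payload hosts, C2 IPs and domains) and a behaviour chain (WScript on a double-extension .js, cmd.exe /c starting a .tmp from C:\tmp, vssadmin Delete Shadows, a Run-key entry pointing at a csrss.exe outside System32). The following script is an added example, not part of the original paste and not VRad's tooling: it scans a constructed, tab-separated event log (PROCESS / NETWORK / REGISTRY lines, a format assumed here for the demonstration) for both the listed indicators and the behavioural pattern, so that the same detections would also fire on a future Troldesh sample whose hashes and hosts differ. The sample log mirrors the proc/comp/persist sections; it assumes the dropped rad01567.tmp is the 2c.jpg payload.

```python
"""Added example: match the Troldesh/Shade indicators from the paste and the
behavioural chain it documents against constructed log lines.
Not code from the original paste. The log format (tab-separated
PROCESS / NETWORK / REGISTRY events) is an assumption for this demo."""
import re
from typing import Dict, List, Tuple

# --- Static indicators copied from the paste above --------------------------
IOC_SHA256: Dict[str, str] = {
    "6aacde9d66b03499510d36c4bdaa065f4ab097b6b0e713743a69795fdaf064f8": "index.html (doc.zip)",
    "4b96d19f03917fc902de321768e8107aaa0827708b54b622e8c7b51c07d04824": "Информация о заказе.xls.js",
    "46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47": "2c.jpg (PE32)",
}
IOC_HOSTS = {
    "rwti2mg.com", "owfuyihrdgwbywasar7ndqhm.com", "fviiio37lfy.com",
    "5ohvar7b3n64vhbi2i6zs43m.com", "jdcontractingomaha.com",
    "valerieheslop.co.uk", "van-lummel.nl", "ideas-to-go.de",
}
IOC_IPS = {
    "194.109.206.212", "131.188.40.189", "51.68.205.181", "5.79.68.161",
    "132.148.98.116", "128.31.0.39", "212.47.236.86",
}

# --- Behavioural rules over the command line (generic, not sample-specific) --
CMDLINE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # WScript launched on a file with a decoy document extension before the script extension
    ("wsh_double_extension",
     re.compile(r"wscript\.exe.*\.(?:xls|xlsx|doc|docx|pdf)\.(?:js|jse|vbs|vbe|wsf)\b", re.I)),
    # cmd.exe /c starting a .tmp file under a \tmp\ directory (the rad*.tmp stage above)
    ("cmd_runs_tmp_dropper",
     re.compile(r"cmd\.exe\"?\s+/c\s+\S*\\tmp\\\S+\.tmp\b", re.I)),
    # Shadow copy deletion right before encryption ("List Shadows" alone does not fire)
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin\.exe\"?\s+delete\s+shadows", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated event line into a dict; malformed lines become UNKNOWN."""
    p = line.rstrip("\n").split("\t")
    if p[0] == "PROCESS" and len(p) == 4:
        return {"kind": "PROCESS", "image": p[1], "cmdline": p[2], "sha256": p[3].lower()}
    if p[0] == "NETWORK" and len(p) == 5:
        return {"kind": "NETWORK", "image": p[1], "dst_ip": p[2], "dst_port": p[3], "dst_host": p[4]}
    if p[0] == "REGISTRY" and len(p) == 4:
        return {"kind": "REGISTRY", "key": p[1], "value": p[2], "data": p[3]}
    return {"kind": "UNKNOWN"}


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every indicator or behaviour match, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "PROCESS":
            if ev["sha256"] in IOC_SHA256:
                hits.append(("known_sample_hash", IOC_SHA256[ev["sha256"]]))
            for name, rx in CMDLINE_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append((name, ev["cmdline"]))
        elif ev["kind"] == "NETWORK":
            if ev["dst_ip"] in IOC_IPS or ev["dst_host"].lower() in IOC_HOSTS:
                dst = ev["dst_host"] or ev["dst_ip"]
                hits.append(("known_network_ioc", f"{ev['image']} -> {dst}:{ev['dst_port']}"))
            # A binary living in C:\tmp (or named *.tmp) has no business talking to the network
            if re.search(r"^c:\\tmp\\|\.tmp$", ev["image"], re.I):
                hits.append(("tmp_binary_outbound", f"{ev['image']} -> {ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["kind"] == "REGISTRY":
            # The real csrss.exe is started by the session manager, never from a Run key
            is_run_key = re.search(r"\\CurrentVersion\\Run$", ev["key"], re.I) is not None
            if is_run_key and ev["data"].lower().split("\\")[-1] == "csrss.exe":
                hits.append(("masquerading_csrss_run_key", ev["data"]))
    return hits


# Constructed sample log mirroring the proc / comp / persist sections of the paste.
SAMPLE_LOG = [
    "PROCESS\tC:\\Windows\\System32\\WScript.exe\t\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\operator\\Desktop\\Информация о заказе.xls.js\"\t4b96d19f03917fc902de321768e8107aaa0827708b54b622e8c7b51c07d04824",
    "NETWORK\tC:\\Windows\\System32\\WScript.exe\t132.148.98.116\t80\tjdcontractingomaha.com",
    "PROCESS\tC:\\Windows\\System32\\cmd.exe\t\"C:\\Windows\\System32\\cmd.exe\" /c C:\\tmp\\rad01567.tmp\t-",
    "PROCESS\tC:\\tmp\\rad01567.tmp\tC:\\tmp\\rad01567.tmp\t46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47",
    "NETWORK\tC:\\tmp\\rad01567.tmp\t5.79.68.161\t443\t5ohvar7b3n64vhbi2i6zs43m.com",
    "NETWORK\tC:\\tmp\\rad01567.tmp\t128.31.0.39\t9101\t",
    "PROCESS\tC:\\Windows\\system32\\vssadmin.exe\tC:\\Windows\\system32\\vssadmin.exe List Shadows\t-",
    "PROCESS\tC:\\Windows\\system32\\vssadmin.exe\t\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet\t-",
    "REGISTRY\tHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tClient Server Runtime Subsystem\tc:\\programdata\\windows\\csrss.exe",
    # benign noise that must stay silent
    "PROCESS\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\operator\\notes.txt\t-",
    "NETWORK\tC:\\Program Files\\Mozilla Firefox\\firefox.exe\t93.184.216.34\t443\texample.com",
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule:28s} {detail}")
```

The hash and host sets catch this specific campaign; the three command-line rules, the C:\tmp network rule and the Run-key csrss check are what survive a re-packed sample, which is why they are kept separate and named individually in the output.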
  104.  
# # #
Вашu файлы были зaшuфрoвaны.
Чmoбы рaсшuфрoвать uх, Вaм нeoбхoдимo оmnравuть код:
85F93484188BBACD2983|0
нa элекmpoнный адpес pilotpilot088@gmail.com .
Далее вы noлyчume вcе необхoдимыe инстpуkции.

[English translation of the ransom note above; the original deliberately mixes Latin and Cyrillic letters: "Your files have been encrypted. To decrypt them, you need to send the code: 85F93484188BBACD2983|0 to the e-mail address pilotpilot088@gmail.com. You will then receive all the necessary instructions."]

crypted000007    (extension appended to encrypted files)
  113.  
# # #
https://www.virustotal.com/gui/file/6aacde9d66b03499510d36c4bdaa065f4ab097b6b0e713743a69795fdaf064f8/details
https://www.virustotal.com/gui/file/4b96d19f03917fc902de321768e8107aaa0827708b54b622e8c7b51c07d04824/details
https://www.virustotal.com/gui/file/46ac406d59e23f24ffd14a8200934dd308f9c71bdffe0cd035e607c8722edb47/details
https://analyze.intezer.com/#/analyses/5aa9c535-36a1-4772-8926-6a59bfba6ad9

VR

@