
#smokeloader_040919

VRad Sep 4th, 2019 (edited)
#IOC #OptiData #VR #smokeloader #LZH #WSH

! analysis is still in progress ...

https://pastebin.com/kBW7nkZ5

previous_contact:
https://pastebin.com/Z7zq0YkW
https://pastebin.com/b8PkhMyN
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://research.checkpoint.com/2019-resurgence-of-smokeloader/

attack_vector
--------------
email attachment .ZIP > nested .LZH > .JS (WSH downloader) > GET one URL > payload dropped as AppData\Roaming\Microsoft\Windows\Templates\??????.exe

email_headers
--------------
Received: from ares-s.com.ua (ares-s.com.ua [37.57.179.45])
Received: from [127.0.0.1] (unknown [176.111.109.155])
    by ares-s.com.ua (postfix) with esmtpa id 692fd5c02b9;
    wed,  4 sep 2019 06:14:48 +0300 (eest)
Reply-To: ni@ares-s.com.ua
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Subject: Fw: до оплати                      [Fw: for payment]
From: ni@ares-s.com.ua
Date: Wed, 4 Sep 2019 06:14:53 +0300
Message-Id: <D8112767-FADA-1EA0-3F13-71053690676C@ares-s.com.ua>
To: user00@victim1, user00@victim0, user00@victim2, user00@victim3, user00@victim4
X-Mailer: Apple Mail (2.2104)
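
The Received chain above is worth a closer look: the bottom-most hop shows the message entering ares-s.com.ua from the unknown address 176.111.109.155 "with esmtpa", and ESMTPA (RFC 3848) means the relay accepted it on an authenticated SMTP session, so the sending mailbox's credentials were used, not merely its address in From:. The following Python is an added example for triaging such headers; it is not part of the original post. It embeds the report's own header lines as a constructed sample (folded the way a raw message carries them), walks the Received headers, and reports the first public origin IP and whether the first hop was authenticated. The function names and the sample are mine.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the header lines quoted in the report, laid out as in a raw
# message (the second Received header is folded over three lines).
SAMPLE_HEADERS = """\
Received: from ares-s.com.ua (ares-s.com.ua [37.57.179.45])
Received: from [127.0.0.1] (unknown [176.111.109.155])
    by ares-s.com.ua (postfix) with esmtpa id 692fd5c02b9;
    wed,  4 sep 2019 06:14:48 +0300 (eest)
Reply-To: ni@ares-s.com.ua
From: ni@ares-s.com.ua
X-Mailer: Apple Mail (2.2104)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines: a continuation line starts with whitespace."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Dict[str, Any]]:
    """Return one dict per Received header, top to bottom (newest hop first)."""
    hops: List[Dict[str, Any]] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        by = re.search(r"\bby\s+(\S+)", body)
        with_ = re.search(r"\bwith\s+(\S+)", body)
        proto = with_.group(1).lower() if with_ else None
        hops.append({
            "ips": IP_RE.findall(body),
            "by": by.group(1) if by else None,
            "with": proto,
            # RFC 3848: ESMTPA / ESMTPSA mean the relay accepted the message on an
            # authenticated session, i.e. someone logged in with valid credentials.
            "authenticated": proto in ("esmtpa", "esmtpsa"),
        })
    return hops


def origin_ip(hops: List[Dict[str, Any]]) -> Optional[str]:
    """The bottom-most Received header is the first hop; return its first public IP,
    skipping loopback/private addresses such as the [127.0.0.1] in the sample."""
    if not hops:
        return None
    for ip in reversed(hops[-1]["ips"]):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_private):
            return ip
    return None


def triage(raw: str) -> Dict[str, Any]:
    """Summary a responder wants first: hop count, origin IP, first relay, auth flag."""
    hops = parse_received(raw)
    return {
        "hops": len(hops),
        "origin_ip": origin_ip(hops),
        "submitted_via": hops[-1]["by"] if hops else None,
        "authenticated_submission": hops[-1]["authenticated"] if hops else False,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```

An authenticated first hop from an address the relay does not recognise is the signature of a compromised mailbox rather than a spoofed sender, which changes who you notify: the domain owner needs to rotate that account's credentials, and the Reply-To pointing at the same mailbox means replies from victims would reach the attacker.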

files
--------------
SHA-256     5bea2778c9d9ac94d4a294dccb3ce64c1218bc0a370e26fc65f0524c4586777f
File name   накл. та рахунки до оплати.zip     [Zip archive data, at least v2.0 to extract]   (English: "waybills and bills for payment.zip")
File size   9.44 KB (9670 bytes)

SHA-256     636912382d3719a7cb0b734414ceccca868e60a30cf08b65da3ec54b26cf219c
File name   Счета до оплати.lzh            [LHa (2.x)/LHark archive data [lh7] - header level 0]   (English: "bills for payment.lzh")
File size   6 KB (6145 bytes)

SHA-256     96fb6c8baaada5a80871c2d01dc0f326ae797f895ca9cec42a5523c6e4720971
File name   1.js                    [ASCII text, with very long lines, with CRLF line terminators]
File size   11.44 KB (11719 bytes)

SHA-256     bc09dca049278ba99b8e8faef34712b4f61edd528a1ffd02ad63ec8533ddf22e
File name   mstop.exe               [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size   523 KB (535552 bytes)

SHA-256     8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
File name   6B79.tmp (ntdll.dll)    _clean_MS_DLL   [PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit]
File size   1.23 MB (1292192 bytes)
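
The file list shows why this lure works: the ZIP that a mail gateway will happily open contains an LZH archive (LHa, method lh7, header level 0), a format many gateways and sandboxes do not unpack, and the JS downloader sits inside that. The following Python is an added example, not code from the original post, of the check a gateway or triage script should make: identify each archive member by magic bytes rather than by extension, recurse into nested ZIPs, and flag LZH members and script/PE content. Python's standard library cannot unpack LZH, so the example only detects it and tells the analyst to use an LHA tool. The sample ZIP is constructed in memory; its LZH member is a header stub (size byte, checksum byte, "-lh7-" method id, padding), enough for detection but not a valid archive. Function names are mine.

```python
import io
import os
import re
import zipfile
from typing import Dict, List

# LHA method id ("-lh7-", "-lh5-", "-lz5-", ...) sits at header offset 2..7.
LZH_METHOD = re.compile(rb"-l[hz][0-9ds]-")
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def sniff(data: bytes) -> str:
    """Classify a blob by magic bytes; the member's file name is deliberately ignored."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if len(data) >= 7 and LZH_METHOD.fullmatch(data[2:7]):
        return "lzh"
    if data[:2] == b"MZ":
        return "pe"
    return "other"


def inspect_zip(blob: bytes, depth: int = 0, max_depth: int = 3) -> List[Dict[str, object]]:
    """Walk a ZIP (recursing into nested ZIPs) and flag members a gateway should not pass."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = sniff(data)
            ext = os.path.splitext(info.filename)[1].lower()
            flag = None
            if kind == "lzh":
                flag = "nested LZH archive: unpack with an LHA tool and inspect the members"
            elif kind == "pe":
                flag = "PE executable" + ("" if ext == ".exe" else f" disguised as {ext or 'no extension'}")
            elif ext in SCRIPT_EXT:
                flag = "Windows Script Host file"
            findings.append({"name": info.filename, "depth": depth, "kind": kind, "flag": flag})
            if kind == "zip" and depth < max_depth:
                findings.extend(inspect_zip(data, depth + 1, max_depth))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: a ZIP whose first member begins with an
    LHA level-0 header (size, checksum, '-lh7-' method) followed by dummy bytes.
    It is not a valid LZH archive, only enough for magic-byte detection."""
    lzh_stub = bytes([0x16, 0x00]) + b"-lh7-" + bytes(40)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Счета до оплати.lzh", lzh_stub)
        zf.writestr("readme.txt", b"plain text member, should not be flagged")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f)
```

Checking the method id at offset 2 rather than the ".lzh" suffix matters because the same LHA content renamed to ".dat" or ".pdf" would otherwise slip past an extension filter; the same logic flags a PE renamed to a document extension.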

activity
**************
PL_SCR     
        http://ukr1{.} net/poperclip/mstop.exe
        ukr1.net/poperclip/mstop.exe

C2      http://magazinzapchasti{.} ru/ - thanks to @James_inthe_box      

netwrk
--------------

[http]
47.90.211.153       ukr1.net    GET /poperclip/mstop.exe HTTP/1.1   Mozilla/4.0 [L.!This program cannot be run in DOS mode]

comp
--------------
wscript.exe 1532    TCP localhost   47.90.211.153   80  ESTABLISHED
595963.exe  2152    TCP 0.0.0.0 25  0.0.0.0 0       LISTENING                              

proc
--------------
C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Рахунок 164 от 02.09.2019р..js      (English: "Invoice 164 dated 02.09.2019.js")
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe

persist
--------------
n/a

drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\3TXGU80E\mstop[1].exe
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe
C:\tmp\6B79.tmp
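
The comp, proc and drop sections together describe a chain that is easy to express as endpoint detection logic: WScript.exe launched with a .js argument, the script host opening a TCP connection to the payload host, a PE written under AppData\Roaming\Microsoft\Windows\Templates, and that PE then executing. The following Python is an added example, not part of the original post, that runs those rules over constructed telemetry modelled on the report's observations (pids, the event shape and the benign notepad event are made up; the IP, paths and file names are the report's). Rule names and functions are mine.

```python
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Payload host seen in the report's HTTP capture.
PAYLOAD_IPS = {"47.90.211.153"}
TEMPLATES_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\[^\\]+\.exe$", re.I)
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf)\"?\s*$", re.I)

# Constructed telemetry modelled on the proc / comp / drop sections of the report.
EVENTS: List[Dict[str, object]] = [
    {"type": "process", "pid": 1532, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Рахунок 164 от 02.09.2019р..js"'},
    {"type": "network", "pid": 1532, "image": r"C:\Windows\System32\WScript.exe",
     "dst_ip": "47.90.211.153", "dst_port": 80},
    {"type": "file", "pid": 1532, "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe"},
    {"type": "process", "pid": 2152,
     "image": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe",
     "cmdline": r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe"},
    # benign control event: must produce no alert
    {"type": "process", "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event matching a step of the observed chain."""
    alerts: List[Tuple[str, int, str]] = []
    for e in events:
        img = basename(str(e["image"]))
        if e["type"] == "process":
            # step 1: script host executing a user-supplied script file
            if img in SCRIPT_HOSTS and SCRIPT_ARG.search(str(e["cmdline"])):
                alerts.append(("script_host_runs_script", int(e["pid"]), str(e["cmdline"])))
            # step 4: dropped payload executing from the Templates directory
            if TEMPLATES_EXE.search(str(e["image"])):
                alerts.append(("exec_from_templates_dir", int(e["pid"]), str(e["image"])))
        elif e["type"] == "network" and img in SCRIPT_HOSTS:
            # step 2: script host talking to the network at all is rare on workstations
            dst = f'{e["dst_ip"]}:{e["dst_port"]}'
            alerts.append(("script_host_network", int(e["pid"]), dst))
            if e["dst_ip"] in PAYLOAD_IPS:
                alerts.append(("known_payload_host", int(e["pid"]), dst))
        elif e["type"] == "file" and TEMPLATES_EXE.search(str(e["path"])):
            # step 3: executable written where Office keeps templates, not binaries
            alerts.append(("pe_written_to_templates_dir", int(e["pid"]), str(e["path"])))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The first three rules are behavioural and survive a change of file names or hash; only known_payload_host depends on the IOC and goes stale when the attacker moves hosts. The 595963.exe listener on TCP 25 from the comp section is not modelled here because the constructed events carry no listen records.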

# # #
https://www.virustotal.com/gui/file/5bea2778c9d9ac94d4a294dccb3ce64c1218bc0a370e26fc65f0524c4586777f/details
https://www.virustotal.com/gui/file/636912382d3719a7cb0b734414ceccca868e60a30cf08b65da3ec54b26cf219c/details
https://www.virustotal.com/gui/file/96fb6c8baaada5a80871c2d01dc0f326ae797f895ca9cec42a5523c6e4720971/details
https://www.virustotal.com/gui/file/bc09dca049278ba99b8e8faef34712b4f61edd528a1ffd02ad63ec8533ddf22e/details
https://www.virustotal.com/gui/file/8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c/details

https://analyze.intezer.com/#/analyses/532bdfc6-675c-46c1-972e-d60499991c08
https://analyze.intezer.com/#/analyses/31669038-4ac1-4aad-b3d9-0011e03a3d56

VR

@