- #IOC #OptiData #VR #smokeloader #LZH #WSH
- ! analysis is still in progress ...
- https://pastebin.com/kBW7nkZ5
- previous_contact:
- https://pastebin.com/Z7zq0YkW
- https://pastebin.com/b8PkhMyN
- https://pastebin.com/hkskwKvc
- https://pastebin.com/JmthzrL4
- https://pastebin.com/1scwT0f8
- https://pastebin.com/MP3kCSSh
- FAQ:
- https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
- https://research.checkpoint.com/2019-resurgence-of-smokeloader/
- attack_vector
- --------------
- email attach .ZIP > .LZH > JS > GET 1 URL > AppData\Roaming\Microsoft\Windows\Templates\??????.exe
- email_headers
- --------------
- Received: from ares-s.com.ua (ares-s.com.ua [37.57.179.45])
- Received: from [127.0.0.1] (unknown [176.111.109.155])
- by ares-s.com.ua (Postfix) with ESMTPA id 692fd5c02b9;
- Wed, 4 Sep 2019 06:14:48 +0300 (EEST)
- Reply-To: ni@ares-s.com.ua
- Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
- Subject: Fw: до оплати (Ukrainian: "for payment")
- From: ni@ares-s.com.ua
- Date: Wed, 4 Sep 2019 06:14:53 +0300
- Message-Id: <D8112767-FADA-1EA0-3F13-71053690676C@ares-s.com.ua>
- To: user00@victim1, user00@victim0, user00@victim2, user00@victim3, user00@victim4
- X-Mailer: Apple Mail (2.2104)
- files
- --------------
- SHA-256 5bea2778c9d9ac94d4a294dccb3ce64c1218bc0a370e26fc65f0524c4586777f
- File name накл. та рахунки до оплати.zip (Ukrainian: "delivery notes and invoices for payment") [Zip archive data, at least v2.0 to extract]
- File size 9.44 KB (9670 bytes)
- SHA-256 636912382d3719a7cb0b734414ceccca868e60a30cf08b65da3ec54b26cf219c
- File name Счета до оплати.lzh (Russian/Ukrainian: "invoices for payment") [LHa (2.x)/LHark archive data [lh7] - header level 0]
- File size 6 KB (6145 bytes)
- SHA-256 96fb6c8baaada5a80871c2d01dc0f326ae797f895ca9cec42a5523c6e4720971
- File name 1.js [ASCII text, with very long lines, with CRLF line terminators]
- File size 11.44 KB (11719 bytes)
- SHA-256 bc09dca049278ba99b8e8faef34712b4f61edd528a1ffd02ad63ec8533ddf22e
- File name mstop.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
- File size 523 KB (535552 bytes)
- SHA-256 8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c
- File name 6B79.tmp (ntdll.dll, clean Microsoft DLL) [PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit]
- File size 1.23 MB (1292192 bytes)
- activity
- **************
- PL_SCR
- http://ukr1{.} net/poperclip/mstop.exe
- ukr1.net/poperclip/mstop.exe
- C2 http://magazinzapchasti{.} ru/ - thnx to @James_inthe_box
- netwrk
- --------------
- [http]
- 47.90.211.153 ukr1.net GET /poperclip/mstop.exe HTTP/1.1 Mozilla/4.0 [L.!This program cannot be run in DOS mode]
- comp
- --------------
- wscript.exe 1532 TCP localhost 47.90.211.153 80 ESTABLISHED
- 595963.exe 2152 TCP 0.0.0.0 25 0.0.0.0 0 LISTENING
- proc
- --------------
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Рахунок 164 от 02.09.2019р..js" (file name, Ukrainian/Russian: "Invoice 164 dated 02.09.2019")
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe
- persist
- --------------
- n/a
- drop
- --------------
- C:\tmp\Temporary Internet Files\Content.IE5\3TXGU80E\mstop[1].exe
- C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe
- C:\tmp\6B79.tmp
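- Added hunting example (not part of the original paste): the script below encodes the indicators above (SHA-256s, download host, C2 domain) plus three behavioural checks drawn from the comp/proc/drop sections: a script host (wscript.exe/cscript.exe) running a .js from a user staging folder, an executable launched from AppData\Roaming\Microsoft\Windows\Templates, and a non-mail process listening on TCP/25. The telemetry format (PROC/NET/HASH lines), the sample lines, the PIDs, the local IPs and the MAIL_SERVERS allow-list are constructed assumptions for the demo, not data from the paste.

```python
"""Hunt for the SmokeLoader delivery chain above in sample endpoint telemetry.

Added example, not part of the original paste. Indicators are copied from the
paste; the log format, sample lines and allow-list are assumptions made here.
"""
import re

# --- Indicators copied from the paste ---------------------------------------
IOC_SHA256 = {
    "5bea2778c9d9ac94d4a294dccb3ce64c1218bc0a370e26fc65f0524c4586777f": "zip lure",
    "636912382d3719a7cb0b734414ceccca868e60a30cf08b65da3ec54b26cf219c": "lzh lure",
    "96fb6c8baaada5a80871c2d01dc0f326ae797f895ca9cec42a5523c6e4720971": "1.js downloader",
    "bc09dca049278ba99b8e8faef34712b4f61edd528a1ffd02ad63ec8533ddf22e": "mstop.exe payload",
}
IOC_ADDRS = {"47.90.211.153", "ukr1.net", "magazinzapchasti.ru"}

# --- Behavioural checks derived from the comp/proc/drop sections ------------
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_STAGING = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")
DROP_DIR = "\\appdata\\roaming\\microsoft\\windows\\templates\\"
MAIL_SERVERS = {"smtpsvc.exe", "edgetransport.exe"}  # hypothetical allow-list for TCP/25 listeners


def split_cmdline(cmdline):
    """Tokenise a Windows command line, honouring double-quoted paths with spaces."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_process(pid, cmdline):
    """Script host executing a script from a user folder; image running from the Templates drop dir."""
    findings = []
    argv = split_cmdline(cmdline)
    image = argv[0].lower()
    name = image.rsplit("\\", 1)[-1]
    if name in SCRIPT_HOSTS:
        for arg in argv[1:]:
            a = arg.lower()
            if a.endswith(SCRIPT_EXTS) and any(s in a for s in USER_STAGING):
                findings.append(f"pid {pid}: {name} running {arg} from a user staging directory")
    if DROP_DIR in image:
        findings.append(f"pid {pid}: executable launched from Templates drop directory: {argv[0]}")
    return findings


def check_connection(proc, pid, proto, laddr, lport, raddr, rport, state):
    """Outbound connection from a script host; contact with known hosts; rogue SMTP listener."""
    findings = []
    proc = proc.lower()
    if state == "ESTABLISHED" and proc in SCRIPT_HOSTS:
        findings.append(f"pid {pid}: {proc} has an outbound {proto} connection to {raddr}:{rport}")
    if raddr in IOC_ADDRS:
        findings.append(f"pid {pid}: connection to known payload/C2 host {raddr}")
    if state == "LISTENING" and lport == 25 and proc not in MAIL_SERVERS:
        findings.append(f"pid {pid}: {proc} listening on TCP/25 (SMTP) but is not an allow-listed mail server")
    return findings


def check_hash(path, sha256):
    """Match a file hash against the paste's SHA-256 list."""
    label = IOC_SHA256.get(sha256.lower())
    return [f"{path}: matches known sample ({label})"] if label else []


def hunt(lines):
    """Run all checks over PROC / NET / HASH telemetry lines and return the findings."""
    findings = []
    for line in lines:
        kind, _, rest = line.strip().partition(" ")
        if kind == "PROC":
            pid, _, cmdline = rest.partition(" ")
            findings += check_process(int(pid), cmdline)
        elif kind == "NET":
            f = rest.split()
            findings += check_connection(f[0], int(f[1]), f[2], f[3], int(f[4]), f[5], int(f[6]), f[7])
        elif kind == "HASH":
            path, sha = rest.rsplit(" ", 1)
            findings += check_hash(path, sha)
    return findings


# Constructed telemetry modelled on the paste's proc/comp/files sections (PIDs, local IPs
# and the benign entries are invented for the demo).
SAMPLE_TELEMETRY = [
    r'PROC 1532 "C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\invoice 164.js"',
    r'PROC 2152 C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\595963.exe',
    r'PROC 3000 "C:\Windows\System32\WScript.exe" "C:\ProgramData\Vendor\logon.js"',
    r'NET wscript.exe 1532 TCP 10.0.0.5 49321 47.90.211.153 80 ESTABLISHED',
    r'NET 595963.exe 2152 TCP 0.0.0.0 25 0.0.0.0 0 LISTENING',
    r'NET chrome.exe 4100 TCP 10.0.0.5 49322 203.0.113.10 443 ESTABLISHED',
    r'HASH C:\Users\operator\Downloads\lure.zip 5bea2778c9d9ac94d4a294dccb3ce64c1218bc0a370e26fc65f0524c4586777f',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_TELEMETRY):
        print(finding)
```

- The behavioural checks survive the attacker rotating hashes, domains and the random drop name (595963.exe here, ??????.exe in the attack_vector line): a script host with an outbound TCP session and a freshly written executable under the Templates folder are the durable parts of this chain.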
- # # #
- https://www.virustotal.com/gui/file/5bea2778c9d9ac94d4a294dccb3ce64c1218bc0a370e26fc65f0524c4586777f/details
- https://www.virustotal.com/gui/file/636912382d3719a7cb0b734414ceccca868e60a30cf08b65da3ec54b26cf219c/details
- https://www.virustotal.com/gui/file/96fb6c8baaada5a80871c2d01dc0f326ae797f895ca9cec42a5523c6e4720971/details
- https://www.virustotal.com/gui/file/bc09dca049278ba99b8e8faef34712b4f61edd528a1ffd02ad63ec8533ddf22e/details
- https://www.virustotal.com/gui/file/8d16d5caad71aaaaa1479f8477d2928b66581c79932a49a21edf93db2803ab9c/details
- https://analyze.intezer.com/#/analyses/532bdfc6-675c-46c1-972e-d60499991c08
- https://analyze.intezer.com/#/analyses/31669038-4ac1-4aad-b3d9-0011e03a3d56
- VR
- @