#troldesh_261218

VRad, Dec 26th, 2018 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/kx8Y0XzR

previous contact:
25/12/18        https://pastebin.com/xNRiz3QW
24/12/18        https://pastebin.com/mMMZe73m
12/11/18        https://pastebin.com/1y8MpRZq
14/09/18        https://pastebin.com/q6L376A8
14/09/18        https://pastebin.com/L8MvAccK
12/09/18        https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp
(the mail carries a ZIP that holds a second ZIP with a .js; Windows Script Host runs the .js, which fetches a single URL and writes the payload as a .tmp file, then executes it)

email_headers
--------------
Return-path: <wemalemu@web.de>
Envelope-to: user0@victim1.com
Delivery-date: Wed, 26 Dec 2018 13:54:53 +0200
Received: from mout.web.de ([217.72.192.78]:36673)
    by srv8.victim1.com with esmtp id 1gc7m1-0006xN-8d
    for <user0@victim1.com>; Wed, 26 Dec 2018 13:54:53 +0200
Received: from COMPUTER ([111.164.136.138]) by smtp.web.de (mrweb103
 [213.165.67.124]) with ESMTPSA (Nemesis) id 0LwqJw-1hQlUo1Hqa-016Pky for
 <user0@victim1.com>; Wed, 26 Dec 2018 12:54:51 +0100
From: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
Reply-To: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
To: user0@victim1.com
Subject: =?UTF-8?B?0L/QvtC00YDQvtCx0L3QvtGB0YLQuCDQt9Cw0LrQsNC30LA=?=
Content-Type: multipart/mixed; boundary="qbZqvK1nVsXsBMifovvcqsQhshmoGgHx"
Date: Wed, 26 Dec 2018 12:54:51 +0100

decoded: From/Reply-To display name "Галкин" (Galkin); Subject "подробности заказа" ("order details").
The innermost Received line shows an authenticated submission (ESMTPSA) to smtp.web.de from a host named "COMPUTER" at 111.164.136.138, so the mail was sent from a logged-in web.de account rather than forged at the SMTP level.

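Header triage for the message above, as an added example (not code from the original note): it decodes the RFC 2047 encoded-words in From/Reply-To/Subject and walks the Received chain oldest-hop-first to recover the submitting client and whether the hop was authenticated. The header text is the block quoted above; only the Python standard library is used.

```python
"""Triage of the e-mail headers quoted above (added example, not the note's own code)."""
import re
from email import message_from_string
from email.header import decode_header

# The header block exactly as quoted in this note (message body omitted).
RAW_HEADERS = """\
Return-path: <wemalemu@web.de>
Envelope-to: user0@victim1.com
Delivery-date: Wed, 26 Dec 2018 13:54:53 +0200
Received: from mout.web.de ([217.72.192.78]:36673)
    by srv8.victim1.com with esmtp id 1gc7m1-0006xN-8d
    for <user0@victim1.com>; Wed, 26 Dec 2018 13:54:53 +0200
Received: from COMPUTER ([111.164.136.138]) by smtp.web.de (mrweb103
 [213.165.67.124]) with ESMTPSA (Nemesis) id 0LwqJw-1hQlUo1Hqa-016Pky for
 <user0@victim1.com>; Wed, 26 Dec 2018 12:54:51 +0100
From: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
Reply-To: =?UTF-8?B?0JPQsNC70LrQuNC9?=<wemalemu@web.de>
To: user0@victim1.com
Subject: =?UTF-8?B?0L/QvtC00YDQvtCx0L3QvtGB0YLQuCDQt9Cw0LrQsNC30LA=?=
Content-Type: multipart/mixed; boundary="qbZqvK1nVsXsBMifovvcqsQhshmoGgHx"
Date: Wed, 26 Dec 2018 12:54:51 +0100

"""

# IPv4 literals in square brackets, the form MTAs use in Received: clauses.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_mime_words(value):
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) to a Python str.

    decode_header() hands back bytes chunks once any encoded-word is present,
    so each chunk is decoded with its own charset (ASCII when none is given).
    """
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def received_chain(msg):
    """Received: headers in transit order (oldest hop first).

    Each MTA prepends its own Received: line, so the last one in the message
    is the first hop; ESMTPSA marks an authenticated submission.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hops.append({
            "raw": " ".join(hdr.split()),
            "ips": BRACKETED_IPV4.findall(hdr),
            "authenticated": "ESMTPSA" in hdr,
        })
    return hops


def triage(raw=RAW_HEADERS):
    """Summarise sender identity and origin for the IOC note."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    first = hops[0] if hops else {"ips": [], "authenticated": False}
    return {
        "from": decode_mime_words(msg["From"]),
        "reply_to": decode_mime_words(msg["Reply-To"]),
        "subject": decode_mime_words(msg["Subject"]),
        "hops": hops,
        # First IP of the oldest hop: the client that handed the mail to web.de.
        "origin_ip": first["ips"][0] if first["ips"] else None,
        "submitted_via_auth": first["authenticated"],
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

The origin IP is the one to pivot on for other submissions through the same provider; the sender address itself is a legitimate web.de account and will simply be rotated.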
files
--------------
SHA-256 b79ac38d763012ff7dd67517773be989b7b07500e073ea76a1f76f097fefbda3
File name   info.zip        [Zip archive data, at least v2.0 to extract]   (outer archive, the mail attachment)
File size   3.29 KB

SHA-256 0d04ea36263742ff3e501fd9dcdf2f60b60d6a10262fa05fcc33ec2829cd7759
File name   zakaz.4285.docx.zip [Zip archive data, at least v2.0 to extract]   (inner archive; "zakaz" = "order", the .docx.zip double extension is the lure)
File size   3.15 KB

SHA-256 a6c7c2b620d607165ea4dafb936df998061fde1262e1ff477078a0528e3ea13a
File name   информация о заказе.js   ("order information.js", the WSH downloader)
File size   6.41 KB

SHA-256 925b389565fcfca729ebdc6f8aef4aa37186d5ac70ced53099321acdc51086d4
File name   sserv.jpg (csrss.exe)   [PE32 executable (GUI) Intel 80386, for MS Windows]   (served with a .jpg name, it is the PE payload later installed as csrss.exe)
File size   1.02 MB

activity
**************

pl_src (payload URL, defanged):     h11p:\ bursacatifirmalari{.} net/js/sserv.jpg

.crypted000007      (extension appended to encrypted files)

pilotpilot088@gmail.com     (ransom contact e-mail)

netwrk
--------------
ssl
193.23.244.244  www.fbqzosbkvvxub.com       Client Hello    (random-looking SNI of the kind Tor clients generate; same host as the radCA388.tmp:443 connection under comp)

http
94.73.151.62        bursacatifirmalari.net  GET /js/sserv.jpg   HTTP/1.1    Mozilla/4.0     (payload download by the script host)
104.16.17.96        whatismyipaddress.com   GET /           HTTP/1.1    Mozilla/5.0     (external IP check)
104.18.35.131       whatsmyip.net           GET /           HTTP/1.1    Mozilla/5.0     (external IP check)

comp
--------------
wscript.exe     2020    94.73.151.62        80      ESTABLISHED

radCA388.tmp    3240    128.31.0.39         9101    ESTABLISHED
radCA388.tmp    3240    193.23.244.244      443     ESTABLISHED
radCA388.tmp    3240    188.138.1.166       9001    ESTABLISHED
radCA388.tmp    3240    163.172.170.52      9001    ESTABLISHED
radCA388.tmp    3240    37.187.1.29         9001    ESTABLISHED
radCA388.tmp    3240    163.172.170.52      9001    ESTABLISHED

[System]        0       104.16.17.96        80      TIME_WAIT
[System]        0       104.18.35.131       80      TIME_WAIT
radCA388.tmp    3240    128.31.0.39         9101    ESTABLISHED
radCA388.tmp    3240    193.23.244.244      443     ESTABLISHED
radCA388.tmp    3240    188.138.1.166       9001    ESTABLISHED
radCA388.tmp    3240    163.172.170.52      9001    ESTABLISHED
radCA388.tmp    3240    37.187.1.29         9001    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\radCA388.tmp
C:\tmp\radCA388.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
C:\Windows\SysWOW64\chcp.com
(shadow copies are enumerated and then deleted so that local recovery is impossible once files are encrypted)

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              26.12.2018 16:30
Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    26.12.2018 13:17
(value name and file name mimic the legitimate Client Server Runtime Subsystem, csrss.exe, which only ever runs from %SystemRoot%\System32; a csrss.exe under ProgramData is the indicator)

drop
--------------
C:\tmp\radCA388.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\cached-microdescs.new
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
(a Tor client data directory written by the payload; consistent with the 9001/443 connections under comp)

C:\ProgramData\Windows\csrss.exe

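Host-side detection logic distilled from the proc, persist, netwrk and drop sections above, as an added example (not part of the original note). The sample events are constructed to mirror those sections, with two benign rows (the real csrss.exe and an OneDrive Run entry) that must not fire; the event field layout is an assumed, simplified Sysmon-like shape, not a real log format. The rules generalise slightly beyond this sample (any script host, any .tmp image, any core-process name outside System32).

```python
"""Detection rules built from this note's host indicators (added example, not the note's own code)."""
import re

# Constructed telemetry mirroring the proc / persist / netwrk sections above,
# plus two benign rows (indices 9 and 10) that must not fire. The field layout
# is an assumed, simplified Sysmon-like shape, not a real log format.
SAMPLE_EVENTS = [
    {"type": "proc", "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"'},
    {"type": "proc", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\radCA388.tmp'},
    {"type": "proc", "image": r"C:\tmp\radCA388.tmp", "cmdline": r"C:\tmp\radCA388.tmp"},
    {"type": "proc", "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe List Shadows"},
    {"type": "proc", "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"type": "reg", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Client Server Runtime Subsystem", "value": r"c:\programdata\windows\csrss.exe"},
    {"type": "net", "image": r"C:\tmp\radCA388.tmp", "dst": "188.138.1.166", "dport": 9001},
    {"type": "net", "image": r"C:\tmp\radCA388.tmp", "dst": "193.23.244.244", "dport": 443},
    {"type": "net", "image": r"C:\Windows\System32\WScript.exe", "dst": "94.73.151.62", "dport": 80},
    {"type": "proc", "image": r"C:\Windows\System32\csrss.exe",
     "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"type": "reg", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "value": r'"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe\b", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|tmp|temp)\\", re.I)
SYSTEM_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)
# Windows core processes that only ever live under System32/SysWOW64.
CORE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
TOR_DEFAULT_ORPORT = 9001  # heuristic only; the note also shows 9101 and 443


def rule_script_from_user_dir(ev):
    """WSH running a script from a user-writable path (the .js on the Desktop)."""
    cl = ev["cmdline"]
    return bool(SCRIPT_HOST.search(cl) and SCRIPT_EXT.search(cl) and USER_WRITABLE.search(cl))


def rule_tmp_payload_exec(ev):
    """cmd /c <x>.tmp, or a .tmp file as the process image (radCA388.tmp)."""
    return bool(re.search(r"cmd\.exe\"?\s+/c\s+\S+\.tmp\b", ev["cmdline"], re.I)) \
        or ev["image"].lower().endswith(".tmp")


def rule_shadow_copy_deletion(ev):
    """vssadmin Delete Shadows: recovery destroyed before encryption."""
    return re.search(r"vssadmin(\.exe)?\"?\s+delete\s+shadows", ev["cmdline"], re.I) is not None


def rule_run_key_masquerade(ev):
    """Run value launching a core-process name from outside System32/SysWOW64."""
    m = re.match(r'\s*"?([^"]+?\.exe)', ev["value"], re.I)
    if not m:
        return False
    path = m.group(1).lower()
    return path.rsplit("\\", 1)[-1] in CORE_NAMES and not SYSTEM_DIR.search(path)


def rule_tmp_binary_network(ev):
    """Any outbound connection by a .tmp image, or to the default Tor ORPort."""
    return ev["image"].lower().endswith(".tmp") or ev["dport"] == TOR_DEFAULT_ORPORT


def rule_script_host_network(ev):
    """wscript/cscript talking to the network: the downloader stage."""
    return SCRIPT_HOST.search(ev["image"]) is not None


RULES = {
    "proc": [("R1_script_from_user_dir", rule_script_from_user_dir),
             ("R2_tmp_payload_exec", rule_tmp_payload_exec),
             ("R3_shadow_copy_deletion", rule_shadow_copy_deletion)],
    "reg": [("R4_run_key_masquerade", rule_run_key_masquerade)],
    "net": [("R5_tmp_binary_network", rule_tmp_binary_network),
            ("R6_script_host_network", rule_script_host_network)],
}


def triage(events):
    """Map each rule that fired to the indices of the events it matched."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, rule in RULES.get(ev["type"], []):
            if rule(ev):
                hits.setdefault(name, []).append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in sorted(triage(SAMPLE_EVENTS).items()):
        print(name, idxs)
```

R3 and R4 are the high-confidence signals: a non-administrative user deleting all shadow copies, or a Run value pointing a core-process name at ProgramData, has essentially no benign explanation. R1, R2, R5 and R6 describe the delivery chain and will need tuning against local script usage and temp-file conventions.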
VR

# # #
https://www.virustotal.com/#/file/b79ac38d763012ff7dd67517773be989b7b07500e073ea76a1f76f097fefbda3/details
https://www.virustotal.com/#/file/0d04ea36263742ff3e501fd9dcdf2f60b60d6a10262fa05fcc33ec2829cd7759/details
https://www.virustotal.com/#/file/a6c7c2b620d607165ea4dafb936df998061fde1262e1ff477078a0528e3ea13a/details
https://www.virustotal.com/#/file/925b389565fcfca729ebdc6f8aef4aa37186d5ac70ced53099321acdc51086d4/details
https://analyze.intezer.com/#/analyses/21ae0292-2dcf-4ced-b979-754451242c2d

@