
#troldesh_250219

VRad, Feb 25th, 2019 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/vMUxTH8C

previous contact:
20/02/18    https://pastebin.com/4XDjjWZh
28/12/18    https://pastebin.com/E3isAsmV
26/12/18    https://pastebin.com/kx8Y0XzR
25/12/18    https://pastebin.com/xNRiz3QW
24/12/18    https://pastebin.com/mMMZe73m

FAQ:
https://radetskiy.wordpress.com/2019/01/31/shade_ransom/
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/

attack_vector
--------------
email URL > GET .ZIP > JS > WSH > GET .jpg > %temp%\*.tmp

email_headers
--------------
Received: from asg.aut.ac.ir (asg525.aut.ac.ir [185.211.88.20])
Fri, 22 Feb 2019 04:56:35 -0800 (PST)
Reply-To: Кудряшов <s_zohoor@aut.ac.ir>
From: Кудряшов <s_zohoor@aut.ac.ir>
To: <user0@victim1.com>
Subject: заказ

files
--------------
SHA-256     9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18
File name   pik.zip         [Zip archive data, at least v2.0 to extract]
File size   3.49 KB

SHA-256     521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823
File name   ПАО «Группа Компаний ПИК» подробности заказа.js      [ASCII text, with CRLF]
File size   6.95 KB

SHA-256     8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267
File name   msg.jpg         [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.25 MB

activity
**************
PL_SRC:
http://vemaprojects{.} be/templates/theme530/css/msg.jpg

netwrk
--------------
http.request.method == GET
85.255.199.31   vemaprojects{.} be  GET /templates/theme530/css/msg.jpg HTTP/1.1    Mozilla/4.0

ssl
86.59.21.38     toq7utsylx3oz44i6rfjjnk.com     Client Hello
131.188.40.189  sfe6esldpgtctm24.com            Client Hello
163.172.4.100   dbw7deumfy6wxbrqkyg4c.com       Client Hello

comp
--------------
wscript.exe     1496    TCP localhost   49232   85.255.199.31   80      ESTABLISHED

rad83EF8.tmp    924     TCP localhost   49233   localhost       49234   ESTABLISHED
rad83EF8.tmp    924     TCP localhost   49234   localhost       49233   ESTABLISHED
rad83EF8.tmp    924     TCP localhost   49235   131.188.40.189  443     ESTABLISHED
rad83EF8.tmp    924     TCP localhost   49236   86.59.21.38     443     ESTABLISHED
rad83EF8.tmp    924     TCP localhost   49237   163.172.4.100   443     ESTABLISHED
rad83EF8.tmp    924     TCP localhost   49238   173.212.226.76  9001    ESTABLISHED
rad83EF8.tmp    924     TCP localhost   49239   193.108.117.59  9001    ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\ПАО «Группа Компаний ПИК» подробности заказа.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad83EF8.tmp
C:\tmp\rad83EF8.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              25.02.2019 13:09
Client Server Runtime Subsystem
c:\programdata\windows\csrss.exe    25.02.2019 11:20

drop
--------------
C:\tmp\rad83EF8.tmp

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

C:\ProgramData\Windows\csrss.exe

# # #
https://www.virustotal.com/#/file/9165070279d7516c907bb4172b15186fc8ba9e6ec410cfc2050789f4f1c70c18/details
https://www.virustotal.com/#/file/521c58d36bad8de5582f9591bd76b62ff6096743324f4bd4cdad300c31737823/details
https://www.virustotal.com/#/file/8c9b5e458aa1d4733ab5f826029721e5ab4b45e3ffff369ae022d4a67fa45267/details
https://analyze.intezer.com/#/analyses/804f1fba-bc4c-44e5-92c5-4ee844128e20

VR