#smokeloader_190923

#IOC #OptiData #VR #smokeloader #RAR #202338831 #packed

https://pastebin.com/xEwN5JPc

previous_contact:
https://pastebin.com/GMwv38g4
https://pastebin.com/DgFvarG0
https://pastebin.com/AayUSaXq
https://pastebin.com/RDVXCe0J
https://pastebin.com/QpG70u8T
...

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/
https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164/

attack_vector
--------------
email attach .RAR (exploit) > .exe1 > .exe2 [smokeloader] > .pdf > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: Tue, 19 Sep 2023 06:14:01 +0300
From: Головний бухгалтер Централізованої бухгалтерії <y.baranova@fiat.kharkiv.ua>
Subject: Fw: Рахунок до оплати
Message-Id: <F14DB07F-00E2-C294-9D97-EC9E9BDA3D69@fiat.kharkiv.ua>
Received: from mail.agm.kh.ua (88.198.13.209) by
Received: from [92.60.181.217] (helo=[127.0.0.1])	by mail.agm.kh.ua with esmtpa (Exim 4.92)
Reply-To: apostol_avto@meta.ua
X-Mailer: iPad Mail (13E238)
Return-Path: y.baranova@fiat.kharkiv.ua

# # # # # # # #
files
# # # # # # # #
SHA-256		    7d7262ab5298abd0e91b6831e37ef0156ded4fdceeaf8f8841c9a80d31f33f8e
File name	    Рахунок_до_оплати_389.zip               [ WinRAR CVE-2023-38831 ]
File size	    660.55 KB (676402 bytes)

SHA-256		    cfc44f1399e3d28e55c32bcc73539358e5ac88c0d6a19188a52b161b506bea91
File name	    Рахунок_до_оплати_389.exe               [  PE32 executable ]    packed
File size	    571.07 KB (584778 bytes)

SHA-256		    a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b
File name	    pax_389.exe                             [  PE32 executable ]    payload
File size	    223.00 KB (228352 bytes)

SHA-256		    b24c99ca816f7ac8ca87a352ed4f44be9d8a21519dd1f408739da958b580be0c
File name	    389.pdf                                 [  PDF doc v 1.7 ]      clean
File size       200.67 KB (205489 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR          email_attach

C2

dublebomber {.ru/
yavasponimayu {.ru/
nomnetozhedenyuzhkanuzhna {.ru/
prostosmeritesya {.ru/
ipoluchayteudovolstvie {.ru/
super777bomba {.ru/
specnaznachenie {.ru/
zakrylki809 {.ru/
propertyminsk {.by/
iloveua {.ir/
moyabelorussiya {.by/
tvoyaradostetoya {.ru/
zasadacafe {.by/
restmantra {.by/
kozachok777 {.ru/
propertyiran {.ir/
sakentoshi {.ru/
popuasyfromua {.ru/
diplombar {.by/

netwrk
--------------
85.143.216.129	dublebomber {.ru	    80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
194.58.112.174	specnaznachenie{ .ru	80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
85.143.216.129	sakentoshi{ .ru	        80	HTTP	POST / HTTP/1.1  (application/x-www-form-urlencoded)	Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko

comp
--------------
n/a

proc
--------------
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\operator\Desktop\Рахунок_до_оплати_389.zip"
	C:\tmp\Rar$EXa1768.13755\Рахунок_до_оплати_389.exe
		C:\tmp\Rar$EXa1768.13755\pax_389.exe
		"C:\Program Files\PDF\PDFXCview.exe" "C:\tmp\Rar$EXa1768.13755\389.pdf"
v

persist
--------------
n/a

drop
--------------
%tmp%\Rar$EXa1768.13755\Рахунок_до_оплати_389.exe
%tmp%\Rar$EXa1768.13755\pax_389.exe
%tmp%\Rar$EXa1768.13755\389.pdf

# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/7d7262ab5298abd0e91b6831e37ef0156ded4fdceeaf8f8841c9a80d31f33f8e/details
https://www.virustotal.com/gui/file/cfc44f1399e3d28e55c32bcc73539358e5ac88c0d6a19188a52b161b506bea91/details
https://analyze.intezer.com/analyses/7c51c235-1de7-45cb-bfe9-f6cb48f4bfb8
https://www.virustotal.com/gui/file/a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b/details
https://www.virustotal.com/gui/file/b24c99ca816f7ac8ca87a352ed4f44be9d8a21519dd1f408739da958b580be0c/details

VR