VRad

#troldesh_251218

Dec 26th, 2018
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/xNRiz3QW

previous contact:
24/12/18 https://pastebin.com/mMMZe73m
12/11/18 https://pastebin.com/1y8MpRZq
14/09/18 https://pastebin.com/q6L376A8
14/09/18 https://pastebin.com/L8MvAccK
12/09/18 https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 1 URL > %temp%\*.tmp

email_headers
--------------
Received: from talisman-so.ru (mx.talisman-so.ru [78.138.159.100])
by srv8.victim1.com for <user0@org7.victim1.com>;
(envelope-from lapina@talisman-so.ru)
Date: Tue, 25 Dec 2018 10:00:08 +0200 (EET)
Received: from COMPUTER (unknown [116.111.40.131])
by talisman-so.ru (Postfix) with ESMTPSA id CBE04FFC70
for <user0@org7.victim1.com>; Tue, 25 Dec 2018 10:59:57 +0300 (MSK)
From: Кулаков Росбанк <lapina@srv8.victim1.com>
Reply-To: Кулаков Росбанк <lapina@srv8.victim1.com>
To: user0@org7.victim1.com
Subject: подробности заказа

files
--------------
SHA-256 dc198ca833ffd29c4199fd28c399bf8db689b4329e5becfe7da2e9663c0699f1
File name info.zip [Zip archive data, at least v2.0 to extract]
File size 3.32 KB

SHA-256 66553d13a271a852d0faa7614ecee488d3711076892575f2df3a511c5c4ccde2
File name zakaz.3001.docx.zip [Zip archive data, at least v2.0 to extract]
File size 3.18 KB

SHA-256 19658b7c05aa929330984589cd45d453cab0515e6deed98195f1b4369f207b54
File name информация о заказе.js
File size 6.59 KB

SHA-256 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name sserv.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.02 MB

activity
**************

pl_src: h11p:\ rusblognews {.}com/cgi-bin/sserv.jpg

.crypted000007

pilotpilot088@gmail.com

netwrk
--------------
ssl
91.143.93.9 www.vyeypiu4rxs5ve23kc263.com Client Hello
131.188.40.189 www.ffowns6rx.com Client Hello
194.109.206.212 www.boefdch.com Client Hello
185.101.35.159 densunnesnute.no Client Hello

http
185.50.25.48 rusblognews.com GET /cgi-bin/sserv.jpg HTTP/1.1 Mozilla/4.0 (compatible;
104.18.34.131 whatsmyip.net GET / HTTP/1.1 Mozilla/5.0
104.16.17.96 whatismyipaddress.com GET / HTTP/1.1 Mozilla/5.0

comp
--------------
wscript.exe 2896 185.50.25.48 80 ESTABLISHED
wscript.exe 2896 185.101.35.159 443 ESTABLISHED

rad12484.tmp 2216 127.0.0.1 50956 ESTABLISHED
rad12484.tmp 2216 127.0.0.1 50955 ESTABLISHED
rad12484.tmp 2216 131.188.40.189 443 ESTABLISHED
rad12484.tmp 2216 194.109.206.212 443 ESTABLISHED
rad12484.tmp 2216 94.130.34.199 9001 ESTABLISHED
rad12484.tmp 2216 195.154.119.203 9001 ESTABLISHED

[System] 0 104.16.17.96 80 TIME_WAIT
[System] 0 104.18.34.131 80 TIME_WAIT
rad12484.tmp 2216 91.143.93.9 995 ESTABLISHED
rad12484.tmp 2216 195.154.119.203 9001 ESTABLISHED

rad12484.tmp 2216 localhost 50956 ESTABLISHED
rad12484.tmp 2216 localhost 50955 ESTABLISHED
rad12484.tmp 2216 ra.horus-it.com 9001 ESTABLISHED
rad12484.tmp 2216 91-143-93-9.icho pop3s ESTABLISHED
rad12484.tmp 2216 195-154-119-203.rev.poneytelecom.eu 9001 ESTABLISHED

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad12484.tmp
C:\tmp\rad12484.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\chcp.com

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26.12.2018 12:50
Client Server Runtime Subsystem c:\programdata\windows\csrss.exe 26.12.2018 13:17

drop
--------------
C:\tmp\rad12484.tmp

C:\ProgramData\Windows\csrss.exe

C:\tmp\6893A5D897\cached-certs
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state

VR

# # #
https://www.virustotal.com/#/file/dc198ca833ffd29c4199fd28c399bf8db689b4329e5becfe7da2e9663c0699f1/details
https://www.virustotal.com/#/file/66553d13a271a852d0faa7614ecee488d3711076892575f2df3a511c5c4ccde2/details
https://www.virustotal.com/#/file/19658b7c05aa929330984589cd45d453cab0515e6deed98195f1b4369f207b54/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/b9549b1d-0980-4400-9c06-95b943e85122

@