
#troldesh_251218

VRad, Dec 26th, 2018 (edited)
#IOC #OptiData #VR #shade #troldesh #WSH #ZIP

https://pastebin.com/xNRiz3QW

previous contact:
24/12/18        https://pastebin.com/mMMZe73m
12/11/18        https://pastebin.com/1y8MpRZq
14/09/18        https://pastebin.com/q6L376A8
14/09/18        https://pastebin.com/L8MvAccK
12/09/18        https://pastebin.com/LNHmd7Un

FAQ:
https://radetskiy.wordpress.com/2018/09/12/ioc_troldesh_ransom_120918/
https://secrary.com/ReversingMalware/UnpackingShade/

attack_vector
--------------
email attach .ZIP > 2nd .ZIP > JS > WSH > GET 1 URL >  %temp%\*.tmp
(the .js from the inner archive runs under wscript.exe, fetches a single URL and writes the downloaded PE to the temp directory as a .tmp file, here C:\tmp\rad12484.tmp, which cmd.exe then executes; see proc and drop below)

email_headers
--------------
Received: from talisman-so.ru (mx.talisman-so.ru [78.138.159.100])
    by srv8.victim1.com for <user0@org7.victim1.com>;
    (envelope-from lapina@talisman-so.ru)
Date: Tue, 25 Dec 2018 10:00:08 +0200 (EET)
Received: from COMPUTER (unknown [116.111.40.131])
    by talisman-so.ru (Postfix) with ESMTPSA id CBE04FFC70
    for <user0@org7.victim1.com>; Tue, 25 Dec 2018 10:59:57 +0300 (MSK)
From: Кулаков Росбанк <lapina@srv8.victim1.com>                 (display name: "Kulakov Rosbank")
Reply-To: Кулаков Росбанк <lapina@srv8.victim1.com>
To: user0@org7.victim1.com
Subject: подробности заказа                                      ("order details")

note: "with ESMTPSA" in the second Received line means the message was submitted to talisman-so.ru with SMTP AUTH over TLS from 116.111.40.131 (client host name "COMPUTER"), i.e. through a valid account on that server rather than an open relay; the display name borrows a bank name (Rosbank) as the lure.

files
--------------
SHA-256 dc198ca833ffd29c4199fd28c399bf8db689b4329e5becfe7da2e9663c0699f1
File name   info.zip            [Zip archive data, at least v2.0 to extract]
File size   3.32 KB

SHA-256 66553d13a271a852d0faa7614ecee488d3711076892575f2df3a511c5c4ccde2
File name   zakaz.3001.docx.zip     [Zip archive data, at least v2.0 to extract]   (inner archive; "zakaz" = "order", .docx.zip double extension)
File size   3.18 KB

SHA-256 19658b7c05aa929330984589cd45d453cab0515e6deed98195f1b4369f207b54
File name   информация о заказе.js      ("order information.js")
File size   6.59 KB

SHA-256 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
File name   sserv.jpg           [PE32 executable (GUI) Intel 80386, for MS Windows]   (payload served with a .jpg name)
File size   1.02 MB
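The .ZIP > .ZIP > .JS nesting above is cheapest to catch at the mail gateway, before wscript.exe ever sees the script. The Python below is an added example, not code from this post: it walks a ZIP recursively in memory, hashes each member, and reports scripts found inside nested archives so a gateway can block or quarantine. build_sample() constructs a lookalike of the attachment chain (same file names as the files section, but a harmless placeholder instead of the real dropper); the extension list, depth limit and size cap are the example's own assumptions.

```python
"""Added example (not from the original IOC post): detect a WSH script
hidden inside a nested ZIP, the .ZIP > .ZIP > .JS chain used here.

All sample data is constructed inline; file names mirror the post but the
JavaScript body is a harmless placeholder, not the real dropper.
"""
import hashlib
import io
import zipfile

# Extensions Windows Script Host / the shell will execute on double-click (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
MAX_DEPTH = 3                        # archives nested deeper than this are suspicious on their own
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # zip-bomb guard: do not inflate members declaring more than this


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_zip(data: bytes, path: str = "", depth: int = 0):
    """Recursively walk a ZIP held in memory.

    Returns a list of findings (one dict per script or nested archive) with
    the member path, nesting depth, SHA-256 and a reason string.
    """
    findings = []
    if depth >= MAX_DEPTH:
        findings.append({"path": path, "depth": depth, "sha256": sha256(data),
                         "reason": "archive nested deeper than MAX_DEPTH"})
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a ZIP at all: nothing to report from this layer
    for info in zf.infolist():
        if info.is_dir():
            continue
        member_path = f"{path}/{info.filename}" if path else info.filename
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append({"path": member_path, "depth": depth + 1, "sha256": None,
                             "reason": f"member declares {info.file_size} bytes, not inflated"})
            continue
        blob = zf.read(info)
        name = info.filename.lower()
        ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
        double_ext = name.count(".") >= 2          # e.g. zakaz.3001.docx.zip: a lure, whatever the content
        if blob[:2] == b"PK":                      # ZIP local-file-header magic: recurse
            findings.append({"path": member_path, "depth": depth + 1, "sha256": sha256(blob),
                             "reason": "nested archive" + (" with double extension" if double_ext else "")})
            findings.extend(inspect_zip(blob, member_path, depth + 1))
        elif ext in SCRIPT_EXTS:
            findings.append({"path": member_path, "depth": depth + 1, "sha256": sha256(blob),
                             "reason": f"WSH-executable script ({ext})"})
    return findings


def verdict(data: bytes) -> str:
    """Gateway decision: block scripts inside nested archives, quarantine any other script."""
    f = inspect_zip(data)
    scripts = [x for x in f if x["reason"].startswith("WSH-executable")]
    if any(x["depth"] >= 2 for x in scripts):
        return "BLOCK: script inside nested archive"
    if scripts:
        return "QUARANTINE: script attachment"
    return "ALLOW"


def build_sample() -> bytes:
    """Constructed lookalike of the post's attachment chain (harmless payload)."""
    js = b"// placeholder, NOT the real dropper\nWScript.Echo('hello');\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("информация о заказе.js", js)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zakaz.3001.docx.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for item in inspect_zip(sample):
        print(item)
    print(verdict(sample))
```

The size check reads the declared size from the central directory, so a member that lies about its size is simply skipped rather than trusted; a production filter would additionally cap the total inflated bytes across the whole walk.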
  51.  
activity
**************

pl_src:     hxxp://rusblognews[.]com/cgi-bin/sserv.jpg      (payload source fetched by the .js; sserv.jpg is the PE32 listed under files)

.crypted000007      (extension appended to encrypted files)

pilotpilot088@gmail.com     (contact address left for the victim)

netwrk
--------------
ssl
91.143.93.9         www.vyeypiu4rxs5ve23kc263.com   Client Hello   
131.188.40.189      www.ffowns6rx.com       Client Hello   
194.109.206.212     www.boefdch.com         Client Hello   
185.101.35.159      densunnesnute.no        Client Hello
(the random-looking www.<random>.com server names are the classic Tor TLS handshake fingerprint; 131.188.40.189 and 194.109.206.212 are Tor directory authorities, gabelmoo and dizum)

http
185.50.25.48        rusblognews.com     GET /cgi-bin/sserv.jpg HTTP/1.1     Mozilla/4.0 (compatible;
104.18.34.131       whatsmyip.net       GET / HTTP/1.1              Mozilla/5.0
104.16.17.96        whatismyipaddress.com   GET / HTTP/1.1              Mozilla/5.0
(the two GET / requests are the payload looking up its external IP address)

comp
--------------
(netstat-style snapshots taken at intervals after execution; the last one has remote addresses and ports resolved to names)

wscript.exe 2896    185.50.25.48    80  ESTABLISHED
wscript.exe 2896    185.101.35.159  443 ESTABLISHED

rad12484.tmp    2216    127.0.0.1   50956   ESTABLISHED
rad12484.tmp    2216    127.0.0.1   50955   ESTABLISHED
rad12484.tmp    2216    131.188.40.189  443 ESTABLISHED
rad12484.tmp    2216    194.109.206.212 443 ESTABLISHED
rad12484.tmp    2216    94.130.34.199   9001    ESTABLISHED
rad12484.tmp    2216    195.154.119.203 9001    ESTABLISHED

[System]    0   104.16.17.96    80  TIME_WAIT
[System]    0   104.18.34.131   80  TIME_WAIT
rad12484.tmp    2216    91.143.93.9 995 ESTABLISHED
rad12484.tmp    2216    195.154.119.203 9001    ESTABLISHED

rad12484.tmp    2216    127.0.0.1   50956   ESTABLISHED
rad12484.tmp    2216    127.0.0.1   50955   ESTABLISHED
rad12484.tmp    2216    94.130.34.199   9001    ESTABLISHED
rad12484.tmp    2216    91.143.93.9 995 ESTABLISHED
rad12484.tmp    2216    195.154.119.203 9001    ESTABLISHED

rad12484.tmp    2216    localhost               50956   ESTABLISHED
rad12484.tmp    2216    localhost               50955   ESTABLISHED
rad12484.tmp    2216    ra.horus-it.com             9001    ESTABLISHED
rad12484.tmp    2216    91-143-93-9.icho            pop3s   ESTABLISHED
rad12484.tmp    2216    195-154-119-203.rev.poneytelecom.eu 9001    ESTABLISHED
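The comp snapshot above is the kind of telemetry a host agent or periodic netstat collection gives you, and the pattern in it is distinctive: a .tmp image holding two loopback sockets next to connections on Tor relay port 9001, plus a script host (wscript.exe) with outbound connections. The Python below is an added example, not code from this post: it parses netstat-style lines and raises those alerts. SAMPLE is copied from the snapshot above; the port list, the "two or more relay peers" threshold and the rule names are the example's own assumptions.

```python
"""Added example (not from the original IOC post): flag Tor-style egress
and script-host beaconing in netstat-like output.

SAMPLE is taken from the post's "comp" snapshot (process, PID, remote
address, remote port, state); heuristics and thresholds are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = """\
wscript.exe 2896    185.50.25.48    80  ESTABLISHED
wscript.exe 2896    185.101.35.159  443 ESTABLISHED
rad12484.tmp    2216    127.0.0.1   50956   ESTABLISHED
rad12484.tmp    2216    127.0.0.1   50955   ESTABLISHED
rad12484.tmp    2216    131.188.40.189  443 ESTABLISHED
rad12484.tmp    2216    194.109.206.212 443 ESTABLISHED
rad12484.tmp    2216    94.130.34.199   9001    ESTABLISHED
rad12484.tmp    2216    195.154.119.203 9001    ESTABLISHED
rad12484.tmp    2216    91.143.93.9 995 ESTABLISHED
[System]    0   104.16.17.96    80  TIME_WAIT
"""

LINE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<addr>\S+)\s+(?P<port>\d+)\s+(?P<state>\S+)$")
TOR_PORTS = {9001, 9030}          # default Tor relay ORPort / DirPort (assumed watch-list)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
MIN_RELAY_PEERS = 2               # one 9001 connection could be anything; a relay set is Tor


def parse(text):
    """Turn netstat-style lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def analyze(text):
    """Return {(process, pid): [reasons]} for every process that trips a heuristic."""
    by_proc = defaultdict(list)
    for r in parse(text):
        by_proc[(r["proc"], r["pid"])].append(r)

    alerts = {}
    for key, rows in by_proc.items():
        proc = key[0].lower()
        reasons = []
        remote = [r for r in rows if not r["addr"].startswith("127.")]
        loopback = [r for r in rows if r["addr"].startswith("127.")]
        relay_peers = {r["addr"] for r in remote if r["port"] in TOR_PORTS}

        if len(relay_peers) >= MIN_RELAY_PEERS:
            reasons.append(f"{len(relay_peers)} peers on Tor relay ports {sorted(TOR_PORTS)}")
        if loopback and relay_peers:
            # An embedded Tor client exposes a local SOCKS/control port that the same
            # process connects back to; the loopback pair next to relay traffic is that.
            reasons.append("loopback sockets alongside relay traffic (local SOCKS/control port)")
        if proc.endswith(".tmp"):
            reasons.append("executable image has a .tmp extension")
        if proc in SCRIPT_HOSTS and remote:
            reasons.append("script host with outbound connections")
        if any(r["port"] == 995 for r in remote):
            reasons.append("direct POP3S (995) connection")
        if reasons:
            alerts[key] = reasons
    return alerts


if __name__ == "__main__":
    for (proc, pid), reasons in analyze(SAMPLE).items():
        print(f"{proc} (pid {pid}):")
        for reason in reasons:
            print("   -", reason)
```

Run against live `netstat -ano` output the process name has to be joined in from the PID column first; the rules themselves do not change. The relay-peer threshold is what keeps a single coincidental 9001 connection from paging anyone.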
  102.  
proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"
"C:\Windows\System32\cmd.exe" /c C:\tmp\rad12484.tmp
C:\tmp\rad12484.tmp
C:\Windows\system32\vssadmin.exe List Shadows
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
C:\Windows\system32\cmd.exe  C:\Windows\SysWOW64\chcp.com

  111.  
persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              26.12.2018 12:50   
Client Server Runtime Subsystem         c:\programdata\windows\csrss.exe    26.12.2018 13:17
(value name and file name imitate the real csrss.exe; the genuine one only runs from %SystemRoot%\System32, never from ProgramData, and is never started via a Run key)

drop
--------------
C:\tmp\rad12484.tmp                 (the PE fetched as sserv.jpg, written to the temp directory and run by cmd.exe)

C:\ProgramData\Windows\csrss.exe    (copy kept for persistence, see persist)

C:\tmp\6893A5D897\cached-certs                                 
C:\tmp\6893A5D897\cached-microdesc-consensus
C:\tmp\6893A5D897\lock
C:\tmp\6893A5D897\state
(these four are the standard files of a Tor client DataDirectory, consistent with the port 9001 relay connections under comp)
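The proc and persist sections give four host-side signals worth turning into rules: wscript.exe running a script from a user profile path, cmd.exe /c launching a .tmp file, vssadmin deleting shadow copies, and a Run key pointing a system-binary name (csrss.exe) at a ProgramData path. The Python below is an added example, not code from this post: it runs those rules over constructed Sysmon-style events (ProcessCreate / RegistryEvent shape) built from the command lines and registry value above, plus one benign Run entry as a control. The event layout, path patterns and the list of System32-only binaries are the example's own assumptions.

```python
"""Added example (not from the original IOC post): detection rules for the
process and persistence artifacts listed under proc / persist.

EVENTS are constructed in a Sysmon-like shape (EID 1 ProcessCreate and
EID 13 RegistryEvent fields) from the post's command lines; the benign
OneDrive entry is a control that must not fire.
"""
import re

EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\информация о заказе.js"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\tmp\rad12484.tmp'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe List Shadows"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Client Server Runtime Subsystem", "data": r"c:\programdata\windows\csrss.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",   # benign control
     "value": "OneDrive",
     "data": r"C:\Users\operator\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

# Paths an ordinary user can write to (assumed set; extend per environment).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Desktop|Downloads|AppData)|tmp|temp|ProgramData)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
# Binaries that legitimately live only under %SystemRoot%\System32 or SysWOW64.
SYSTEM_ONLY = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "services.exe"}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def check_process(ev):
    """Rules for a process-creation event; returns the list of rule names that fired."""
    cmd = ev["cmdline"]
    image = ev["image"].lower()
    hits = []
    if image.endswith("vssadmin.exe") and re.search(r"delete\s+shadows", cmd, re.I):
        hits.append("shadow-copy deletion via vssadmin (ATT&CK T1490)")
    if image.endswith(("wscript.exe", "cscript.exe")) and SCRIPT_EXT.search(cmd) \
            and USER_WRITABLE.search(cmd):
        hits.append("WSH running a script from a user-writable path")
    if image.endswith("cmd.exe") and re.search(r"/c\s+\S+\.tmp\b", cmd, re.I):
        hits.append("cmd.exe launching a .tmp file as an executable")
    return hits


def check_registry(ev):
    """Rules for a registry-value-set event under a Run key."""
    hits = []
    if not ev["key"].lower().endswith(r"\currentversion\run"):
        return hits
    exe = ev["data"].split()[0].strip('"')          # first token of the command, quotes stripped
    name = exe.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_ONLY and not SYSTEM_DIRS.match(exe):
        hits.append(f"Run key points to {name} outside System32 (masquerading)")
    return hits


def run_rules(events):
    """Return (event index, rule name) for every rule that fires."""
    out = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        out.extend((i, h) for h in hits)
    return out


if __name__ == "__main__":
    for i, reason in run_rules(EVENTS):
        print(f"event {i}: {reason}")
```

The masquerading rule keys on the image name rather than the value name, because the attacker controls the label ("Client Server Runtime Subsystem") but cannot make a real csrss.exe run from ProgramData; the vssadmin rule deliberately ignores List Shadows so inventory checks by backup software stay quiet.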
  127.  
VR

# # #
https://www.virustotal.com/#/file/dc198ca833ffd29c4199fd28c399bf8db689b4329e5becfe7da2e9663c0699f1/details
https://www.virustotal.com/#/file/66553d13a271a852d0faa7614ecee488d3711076892575f2df3a511c5c4ccde2/details
https://www.virustotal.com/#/file/19658b7c05aa929330984589cd45d453cab0515e6deed98195f1b4369f207b54/details
https://www.virustotal.com/#/file/50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83/details
https://analyze.intezer.com/#/analyses/b9549b1d-0980-4400-9c06-95b943e85122

@