From 03d5f9a42bd01a111016dcc4bbd973294486f3b1 Mon Sep 17 00:00:00 2001 From: Gi7w0rm <89871181+Gi7w0rm@users.noreply.github.com> Date: Thu, 11 May 2023 21:12:08 +0200 Subject: [PATCH] Update smoke_out_01_05_2023_DE.txt --- SmokeLoader/smoke_out_01_05_2023_DE.txt | 45 +++++++++++++++++++++---- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/SmokeLoader/smoke_out_01_05_2023_DE.txt b/SmokeLoader/smoke_out_01_05_2023_DE.txt index 4e15369..b023e4d 100644 --- a/SmokeLoader/smoke_out_01_05_2023_DE.txt +++ b/SmokeLoader/smoke_out_01_05_2023_DE.txt 
@@ -1,32 +1,63 @@ https://cdn.discordapp.com/attachments/1069223617117814787/1069223713129635970/asdasdb.exe + http://respekt5569.com/downloads/toolspub1.exe + http://file-file-file1.com/stats.php?id=2070&key=87fcacd7bf7286244bbe3e4cda5a36fd + http://colisumy.com/dl/buildz.exe http://potunulit.org/ http://45.9.74.80/power.exe http://host-file-host6.com/ https://nftsmean.com/pro2.exe -https://bitbucket.org/jwgo-software/software_good/downloads/SvCpJuhbT.exe + +https://bitbucket.org/jwgo-software/software_good/downloads/SvCpJuhbT.exe -> RedLine -> C2: 185.106.93.153:23523 + + https://cdn.discordapp.com/attachments/1079458314498363533/1102595020047007815/Install.exe -https://transfer.sh/get/bFxytP/rename%20this.exe + +https://transfer.sh/get/bFxytP/rename%20this.exe -> QuasarRat -> (Botnet: Build02) -> C2: 185.195.237.203:19068 + https://transfer.sh/get/3VzhHC/Jmxkxue.dat + http://yic0oosaeiy7ahng.com/ + https://github.com/Prynt-Software/DotNetDLL/raw/main/%40Ysbigbossy3.exe +-> Downloads a .Net dll from: +http://5.75.134.144/dashboard/Gdacjjk.dll -> Something reaches out to Telegram: https://api.telegram.org/bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage?chat_id=5701072641&text=%0D%0A%F0%9F%94%8A%20*NEW%20EXECUTION*%0D%0A1%EF%B8%8F%E2%83%A3%20User%20=%20Admin%0D%0A2%EF%B8%8F%E2%83%A3%20Date%20UTC%20=%205/2/2023%2012:26:37%20PM%0D%0A3%EF%B8%8F%E2%83%A3%20File%20=%20@Ysbigbossy3.exe%0D%0A -> C2: 5.75.134.144:7985 (Not RedLine) + https://transfer.sh/%28/94SYzQ/IMG_5435.exe%29.zip + http://aek0aicifaloh1yo.com/ http://kingpirate.ru/tmp/ + https://cdn.discordapp.com/attachments/848958130402361345/1099311683115167754/WhiteCrypt_2.exe -https://transfer.sh/get/BqbS9m/hlthot.exe -https://github.com/Prynt-Software/DotNetDLL/raw/main/Bhyzvt.exe + +https://transfer.sh/get/BqbS9m/hlthot.exe -> Vidar (DeadDrops: https://steamcommunity.com/profiles/76561199499188534 + https://t.me/nutalse ) -> C2: http://168.119.169.139:131 + http://65.109.225.236 -> 
+http://keep-ass.online/HitHot.exe -> Down + +https://github.com/Prynt-Software/DotNetDLL/raw/main/Bhyzvt.exe -> C2: +5.75.134.144:80 (likely down at point of scan because now a webserver (see result above)) + http://hoh0aeghwugh2gie.com/ + https://transfer.sh/get/dQEV74/Medusa%20%284%29.exe -https://transfer.sh/get/DO72v5/zxz668_crypted.exe + +https://transfer.sh/get/DO72v5/zxz668_crypted.exe -> Nope + http://193.233.232.253/s.exe + http://wa5zu7sekai8xeih.com/ + https://cdn.discordapp.com/attachments/1082332577060356128/1087147141560012851/635965506.exe?raw -https://transfer.sh/C0XDc5/Launcher.exe + +https://transfer.sh/C0XDc5/Launcher.exe -> DCRat -> C2: 544560.clmonth.nyashteam.top/nyashsupport.php + http://hie7doodohpae4na.com/ + https://leaderspro.ps/tmp/index.php + https://cdn.discordapp.com/attachments/920726397322928168/1079835676448669768/qwfqwf.exe + https://cdn.discordapp.com/attachments/1091449028107051142/1094520407274569738/bildak.exe + https://github.com/Abraham3210/bitcoin/releases/download/New/2-1_2023-04-14_08-31.exe -https://transfer.sh/get/2vYlhu/steamconnect.exe + +https://transfer.sh/get/2vYlhu/steamconnect.exe -> Nope
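Review bot: The added annotations in this hunk are inconsistent, and several added lines leave live, clickable indicators and an unexplained token in the list. The same "no payload identified" outcome is written as "-> Nope" on three lines (zxz668_crypted.exe, steamconnect.exe) while other entries carry a structured "-> Family -> C2: host:port" chain; pick one notation (for example "-> No payload identified") so the file can be parsed consistently. "http://keep-ass.online/HitHot.exe -> Down" is cut off mid-annotation and should either be completed or marked as "-> Down at time of scan". "-> Something reaches out to Telegram:" followed by the full api.telegram.org bot URL embeds a live bot token and chat_id; since this is an indicator list rather than an analysis report, consider defanging URLs and IPs throughout (hxxp://, [.]) so the file cannot be followed by accident, and state what "Something" is if the sample that makes the request is known. The comment "(likely down at point of scan because now a webserver (see result above))" on 5.75.134.144:80 relies on an implicit scan date; adding the scan date next to each "down"/"likely down" verdict would make the list usable later, and "DeadDrops:" would benefit from a one-line legend explaining that these are the profile pages the sample resolves its C2 from.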