diff --git a/smoke_out_20_04_2023.txt b/smoke_out_20_04_2023.txt new file mode 100644 index 0000000..1a0e28a --- /dev/null +++ b/smoke_out_20_04_2023.txt 
@@ -0,0 +1,74 @@ +################################################################################################### +SmokeLoader C2 URLs: + +http://hoh0aeghwugh2gie.com/ +http://aek0aicifaloh1yo.com/ +http://hie7doodohpae4na.com/ +http://wa5zu7sekai8xeih.com/ +http://alpatrik.com/ +http://host-file-host6.com/ +http://yic0oosaeiy7ahng.com/ +http://cletonmy.com/ +http://aapu.at/tmp/ +http://kingpirate.ru/tmp/ +http://firsttrusteedrx.ru/tmp/ +http://potunulit.org/ + +################################################################################################### +SmokeLoader additional distribution: + +https://leaderspro.ps/tmp/index.php -> SmokeLoader Spreader (pub1) +http://79.137.194.41/s.exe -> SmokeLoader (sprg) +http://hugersi.com/dl/6523.exe -> SmokeLoader +http://respekt5569.com/downloads/toolspub1.exe -> SmokeLoader pub1 + +################################################################################################### +Payloads: + +http://h168476.srv22.test-hf.su/114.exe -> Google/YouTube Stealer: https://tria.ge/230419-tgx5gade8z/behavioral2 (The same as spread via Raccoon?) 
+ 2x RedLine: C2 1 = 45.77.166.103:37904 (Botnet: kyotranbot) & C2 2 = 178.32.215.165:9203 (Botnet: LogsDiller Cloud (Buy Sub: @logsdillabot)) + Pastebin: https://pastebin.com/raw/aCZb2pjR used for Unknown Clipper: http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys + +https://transfer.sh/get/KgDWVh/34554.exe -> RedLine (Botnet: care4art) C2: 103.173.229.190:18740 + XWorm -> C2: 149.102.231.91:5000 +-> http://pastebin.com/raw/aCZb2pjR +Clipper: http://185.159.130.81/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys + Unknown YouTube Stealer + Something from: http://5.75.169.249/Client.jpg + +http://colisumy.com/dl/buildz.exe -> +djvu Ransomware: +http://colisumy.com/dl/build2.exe -> http://zexeq.com/raud/get.php?pid=C896C06CBBE00268A98E10D2B33685D3&first=true -> +http://zexeq.com/files/1/build3.exe ++ Vidar Stealer : C2 DeadDrop https://steamcommunity.com/profiles/76561199497218285 (C2: http://116.203.7.73)+ https://t.me/tg_duckworld (C2: http://116.203.15.24:80) +https://tria.ge/230420-l9rjdshb43/behavioral1 + +https://github.com/Abraham3210/bitcoin/releases/download/New/2-1_2023-04-14_08-31.exe -> Raccoon Stealer C2: http://trastform.com + Key: c610d498a9c34173052f3f4fcea051af + +https://charlslogin.com/out/msvc_x64_86.exe -> Loader C2: 195.201.81.165:21891 -> http://195.201.81.165/loadaddr -> http://195.201.81.165/scripts/ffmpg.bin -> Stealer with C2: http://195.201.81.165:27134/ (websocket) <- Identified as #NetDooka Framework: https://twitter.com/Gi7w0rm/status/1649005498069401601 (View full thread) | https://tria.ge/230420-ml7q5sbc8z/behavioral2 + https://tria.ge/230420-mpceeabc9z/behavioral1 + +https://store1.gofile.io/download/02e69779-8bda-4464-9669-05fb0e8f9ae7/74.0.3729.108_chrome_installer.exe -> RedLine Stealer C2: 149.248.17.106:27825 + +https://transfer.sh/get/qKWLc1/install.exe -> RedLine Stealer (Botnet: @COSMICCLOUDADMIN) -> C2: 20.226.69.130:30497 + +http://179.43.155.247/cc.exe -> Rhadamanthys -> C2: 
http://179.43.142.201/img/favicon.png + +http://45.9.74.80/power.exe -> Amadey -> C2: 77.73.134.27/n9kdjc3xSf/index.php -> XMRig + Fabookie -> C2: http://bz.bbbeioaag.com/sts/cimage.jpg -> https://tria.ge/230419-mvglbaaa56 + https://tria.ge/230419-m1ptwaaa68/behavioral2 + +https://www.jani.hu/upload/files/cheese_sDu.bat -> Amadey -> C2: http://specialblue.in/dF30Hn4m/index.php + http://specialblue.pm/dF30Hn4m/index.php +Additional: +http://specialblue.in/dF30Hn4m/Plugins/clip64.dll +http://specialblue.in/dF30Hn4m/Plugins/cred64.dll + +https://nftsmean.com/pro2.exe -> RedLine (BotNet: hawkding002) -> C2: 155.94.235.246:17420 + +https://transfer.sh/get/vC3irg/31231.exe -> RedLine -> C2: 157.90.123.253:30113 + http://pastebin.com/raw/aCZb2pjR -> Clipper: http://185.159.130.81/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys + +http://45.138.74.247/shared/Ruzvelt.exe -> Vidar Stealer -> DeadDrops: https://steamcommunity.com/profiles/76561199494593681 + https://t.me/auftriebs -> C2s: http://116.202.6.237 + http://195.201.44.70:80 -> https://tria.ge/230420-spd6wsaf77/behavioral2 + +################################################################################################### +Payloads (down/not executed) + +https://oshi.at/XjYU -> Down at time of Triage Scan +https://bit.ly/3LcCfT6 -> down at time of triage scan +https://transfer.sh/get/7RISXd/JDSFRY_crypted.exe -> No Execution in Triage +https://radiobridge-egy.com/tmp/index.php -> Bootkit ??? https://tria.ge/230420-mh8h9shc75 + https://tria.ge/230420-tbfy1aah35/behavioral1 +https://cdn.discordapp.com/attachments/920726397322928168/1079835676448669768/qwfqwf.exe -> Down ? +https://cdn.discordapp.com/attachments/1082332577060356128/1087147141560012851/635965506.exe?raw -> Down? +https://cdn.discordapp.com/attachments/1091449028107051142/1094520407274569738/bildak.exe -> Down +https://cdn.discordapp.com/attachments/1069223617117814787/1069223713129635970/asdasdb.exe -> Down \ No newline at end of file
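Review bot: every indicator in this hunk is a live, clickable URL (e.g. `http://hoh0aeghwugh2gie.com/`, `https://transfer.sh/get/KgDWVh/34554.exe`, `http://45.9.74.80/power.exe`); for a tracked IOC file these should be defanged (`hxxp://hoh0aeghwugh2gie[.]com/`) so that diff viewers, chat clients and ticketing systems do not auto-link them and a reviewer cannot fetch a stager by accident. Two further points for the same hunk: most of the distribution hosts are throwaway file shares (transfer.sh, gofile.io, cdn.discordapp.com, oshi.at, bit.ly) and the last section already records several as "Down", so each sample should carry a SHA256 next to its URL and Triage link, otherwise the entry stops being verifiable once the file is pulled; and the Clipper URL is given once as `http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys` and twice as `http://185.159.130.81/clpr/...` with the same path, which needs a note saying whether these are two observed hosts or a transcription error, since both currently read as distinct C2 IPs. Minor: the file is committed without a trailing newline.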