@pinksawtooth
pinksawtooth / nao_sec-170712_Malware dropped by RIG(2017 May-June).md
Last active July 31, 2017 10:24
nao_sec-170712_Malware dropped by RIG(2017 May-June)

DecimalIP

Date Hash Family
@pinksawtooth
pinksawtooth / nao_sec-170805_Malware dropped by RIG(2017 July).md
Last active August 5, 2017 06:52
nao_sec-170805_Malware dropped by RIG(2017 July)

Seamless

Date Hash
@pinksawtooth
pinksawtooth / ror13AddUpperDllnameHash32.go
Created September 1, 2018 05:51
ror13AddUpperDllnameHash32
package apihash

import (
	"math/bits"
	"strings"
)

// ror13AddUpperDllnameHash32: rotate-right-13-then-add over the upper-cased DLL
// name and, separately, the function name; combining the two is not shown here.
func ror13AddUpperDllnameHash32(dllname, inputString string) (dllhash, acc uint32) {
	for _, c := range []byte(strings.ToUpper(dllname)) {
		dllhash = bits.RotateLeft32(dllhash, -13) // ROR(dllhash, 13)
		dllhash += uint32(c)
	}
	for _, c := range []byte(strings.ToUpper(inputString)) {
		acc = bits.RotateLeft32(acc, -13) // ROR(acc, 13)
		acc += uint32(c)
	}
	return dllhash, acc
}
ShellcodeHashSearcher: 0x00000043: hash_ror13AddUpperDllnameHash32:0x4b6f1152 kernel32.dll!lstrlenA
ShellcodeHashSearcher: 0x00000083: hash_ror13AddUpperDllnameHash32:0x399f1068 kernel32.dll!lstrcatW
ShellcodeHashSearcher: 0x00000091: hash_ror13AddUpperDllnameHash32:0x7e296212 kernel32.dll!CloseHandle
ShellcodeHashSearcher: 0x0000009f: hash_ror13AddUpperDllnameHash32:0x7131fdc3 kernel32.dll!VirtualFree
ShellcodeHashSearcher: 0x000000ad: hash_ror13AddUpperDllnameHash32:0xffdb946b kernel32.dll!VirtualAlloc
ShellcodeHashSearcher: 0x000000bb: hash_ror13AddUpperDllnameHash32:0xe7729032 kernel32.dll!VirtualProtect
ShellcodeHashSearcher: 0x000000c9: hash_ror13AddUpperDllnameHash32:0x5a3a18a5 kernel32.dll!LoadLibraryA
ShellcodeHashSearcher: 0x000000d9: hash_ror13AddUpperDllnameHash32:0x415e131b kernel32.dll!GetModuleHandleA
ShellcodeHashSearcher: 0x000000e7: hash_ror13AddUpperDllnameHash32:0xea39c6c1 kernel32.dll!GetProcAddress
ShellcodeHashSearcher: 0x000000f5: hash_ror13AddUpperDllnameHash32:0x163ab6c5 kernel32.dll
@pinksawtooth
pinksawtooth / decode_payload.py
Last active February 19, 2024 00:47
decode_payload.py
import struct

# Repeating-key XOR: each payload byte is XORed with the key byte at the
# same offset modulo the key length.
key = "APyfhCxJ"
decoded_payload = b""
with open("encoded_payload.bin", "rb") as f:
    encoded_payload = f.read()
for i in range(len(encoded_payload)):
    decoded_payload += struct.pack("B", encoded_payload[i] ^ ord(key[i % len(key)]))
@pinksawtooth
pinksawtooth / Nocturnal_Stealer_information.txt
Last active November 12, 2018 14:36
Nocturnal_Stealer_information.txt
Date: Sat Nov 10 14:59:11 2018
MachineID: 90059c37-1320-41a4-b58d-2b75a9850d2f
GUID: {e29ac6c0-7037-11de-816d-806e6f6e6963}
Path: C:\Users\admin\AppData\Local\Temp\2018-11-10_23-45-01.exe
Work Dir: C:\ProgramData\BEJ9QK4EIV6EK30NDC91
Windows: Windows 7 Professional [x86]
Computer Name: PC
User Name: admin
@pinksawtooth
pinksawtooth / GlobeImposter_pptx_READ_ME.txt
Created November 12, 2018 15:07
GlobeImposter_pptx_READ_ME.txt
Your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. Open this link In the "Tor Browser"
http://huhighwfn4jihtlz.onion/sdlsgdewwbhr
_Z10aBypassUACv
_Z10aCharToIntPc
_Z10aGetOsArchv
_Z10aIntToChari
_Z11aAutoRunSetPc
_Z11aCheckAdminv
_Z11aCreateFilePc
_Z11aFileExistsPKc
_Z11aGetTempDirv
_Z11aProcessDllPcS_
@pinksawtooth
pinksawtooth / sub_401090.c
Created May 20, 2019 06:01
sub_401090@<eax>(const char *a1@<ecx>, _DWORD *a2@<edi>)
int __usercall sub_401090@<eax>(const char *a1@<ecx>, _DWORD *a2@<edi>)
{
const char *v2; // esi
int v3; // edx
signed int v4; // esi
unsigned int v5; // eax
double v6; // st7
double v7; // st7
void *v8; // eax
void *v9; // ebx