2020-05-06 - XLS attachments from malspam pushing Dridex

malware_traffic - May 6th, 2020
2020-05-06 (WEDNESDAY) - XLS ATTACHMENTS FROM MALSPAM PUSHING DRIDEX

DATA FROM 10 EMAIL EXAMPLES:

SENDING MAIL SERVERS:

- Received: from ([94.158.83.20])
- Received: from ([217.133.10.43])
- Received: from ([93.32.81.205])
- Received: from [116.103.20.119] ([116.103.20.119])
- Received: from host2-47-static.45-85-b.business.telecomitalia.it ([85.45.47.2])
- Received: from ([5.90.149.147])
- Received: from ([213.60.190.210])
- Received: from ([181.43.240.0])
- Received: from modemtelecom.homenet.telecomitalia.it ([79.56.20.116])
- Received: from ([213.26.203.148])

SPOOFED SENDING EMAIL ADDRESSES:

- From: DHL - Brook Conway <Brook.Conway@dhl.com>
- From: DHL - Josephine Warren <Josephine.Warren@dhl.com>
- From: DHL - Caroline Morrison <Caroline.Morrison@dhl.com>
- From: DHL - Erica Lees <Erica.Lees@dhl.com>
- From: DHL  Express - India Sutton <India.Sutton@dhl.com>
- From: "\Intuit  Service\" <quickbooks@notification.intuit.com>
- From: "\Intuit E-Commerce Service\" <quickbooks@notification.intuit.com>
- From: "Intuit  Notification" <quickbooks@notification.intuit.com>
- From: <quickbooks@notification.intuit.com>

SUBJECT LINES:

- Subject: DHL - invoice(s)
- Subject: DHL enclosed invoices
- Subject: enclosed invoices
- Subject: Invoice 322868
- Subject: Invoice/Sales Receipt 382478
- Subject: Invoice/Sales Receipt 798512
- Subject: Purchase Order/Invoice 884120
- Subject: Reminder: Invoice 492702

ATTACHMENT NAMES:

- 647 81027{DIGIT[5]).xls
- 650 10317{DIGIT[5]).xls
- 725 45253{DIGIT[5]).xls
- 926 37283{DIGIT[5]).xls
- 987 81519{DIGIT[5]).xls
- Inv-382478.XLS
- Inv_492702.XLS
- INV_798512.XLS
- invoice.322868.xls
- invoice-884120.xls

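The sender-IP, spoofed From, subject and attachment-name data above, turned into a mail-triage script. This is an added example and not part of the original paste: the indicator sets are copied from the lists above, the message it parses is constructed for the example, and the `{DIGIT[5])` fragment is matched as a literal because the attachment example further down carries it in the actual file name (the spam template never expanded it).

```python
"""Triage a raw e-mail against the Dridex malspam indicators listed above.

Added example; SAMPLE and BENIGN are constructed messages, not campaign mail.
"""
import re
from email import message_from_string
from email.policy import default

# Sending mail server IPs, copied from the Received: lines above.
SENDER_IPS = {
    "94.158.83.20", "217.133.10.43", "93.32.81.205", "116.103.20.119",
    "85.45.47.2", "5.90.149.147", "213.60.190.210", "181.43.240.0",
    "79.56.20.116", "213.26.203.148",
}
# Domains spoofed in the From: header.
SPOOFED_FROM = {"dhl.com", "notification.intuit.com"}
# Subject shapes seen above; the six-digit invoice number varies per mail.
SUBJECT_RE = re.compile(
    r"^(DHL - invoice\(s\)|DHL enclosed invoices|enclosed invoices|"
    r"Invoice \d{6}|Invoice/Sales Receipt \d{6}|Purchase Order/Invoice \d{6}|"
    r"Reminder: Invoice \d{6})$")
# Two filename shapes: "647 81027{DIGIT[5]).xls" (unexpanded template literal,
# matched verbatim) and Inv-382478.XLS / Inv_492702.XLS / invoice.322868.xls.
ATTACH_RE = re.compile(
    r"^(\d{3} \d{5}\{DIGIT\[5\]\)|inv[-_]\d{6}|invoice[.-]\d{6})\.xls$", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """Bracketed IPs from every Received: header, outermost hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(RECEIVED_IP_RE.findall(str(hdr)))
    return ips


def attachment_names(msg):
    """Filenames of all MIME parts that carry one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw):
    """Return the list of indicator hits for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    hits = []
    for ip in received_ips(msg):
        if ip in SENDER_IPS:
            hits.append(f"sender-ip:{ip}")
    from_hdr = str(msg.get("From", ""))
    m = re.search(r"<([^>]+)>", from_hdr)
    addr = (m.group(1) if m else from_hdr).strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in SPOOFED_FROM:
        hits.append(f"spoofed-from:{domain}")
    subj = str(msg.get("Subject", ""))
    if SUBJECT_RE.match(subj):
        hits.append(f"subject:{subj}")
    for fn in attachment_names(msg):
        if ATTACH_RE.match(fn):
            hits.append(f"attachment:{fn}")
    return hits


# Constructed sample in the shape of the campaign mail (not a real message).
SAMPLE = """Received: from ([94.158.83.20])
 by mx.example.com with ESMTP; Wed, 06 May 2020 10:00:00 +0000
From: DHL - Brook Conway <Brook.Conway@dhl.com>
To: victim@example.com
Subject: Invoice 322868
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the enclosed invoice.
--b1
Content-Type: application/vnd.ms-excel; name="invoice.322868.xls"
Content-Disposition: attachment; filename="invoice.322868.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message for comparison.
BENIGN = """Received: from mail.partner.example ([198.51.100.7])
 by mx.example.com with ESMTP; Wed, 06 May 2020 10:05:00 +0000
From: Alice <alice@partner.example>
Subject: Lunch on Friday?

Are you free?
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

Only the Received: header your own MX stamped can be trusted; earlier hops are written by the sender and can be forged, so the sender-IP match is strongest on the outermost header. The subject and From checks are weak on their own (legitimate DHL and Intuit mail exists); the attachment-name shapes, and the `{DIGIT[5])` literal in particular, are what separate this campaign from normal traffic.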
ATTACHMENT EXAMPLES:

- SHA256 hash: 5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba
- File size: 87,040 bytes
- File name: 548 49931{DIGIT[5]).xls
- Analysis: https://app.any.run/tasks/4fcd41f9-27ae-4361-a2f6-1599a65e970f

- SHA256 hash: 7f8f24884e26b4b508d5147f8f54269e452d1200904323544ef36e30400190b1
- File size: 84,992 bytes
- File name: Inv_219278.xls
- Analysis: https://app.any.run/tasks/e7f30c31-66c4-4209-9b8a-edc987a20e46

BOTH OF THE ABOVE FILES RETRIEVE INFO FROM:

- 80.249.147[.]185 port 443 (HTTPS) - gorgetto[.]com - GET /?1521169368286060714509328740714221001

EXAMPLE OF TODAY'S INITIAL DRIDEX DLL:

- SHA256 hash: d94f16865de67b97fd6b953c54914d10e92cf8948843f8c8a275126af4b7805d
- File size: 477,696 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\[random file name]
- To run: regsvr32.exe -s [file name]
- Analysis: https://app.any.run/tasks/8c587523-7ac5-4fe4-ba82-dc713b92279e
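The file hashes, the download server and the regsvr32 run method above, applied to endpoint and proxy telemetry. This is an added example and not part of the original paste: the indicators are copied from the lists above (refanged before matching), while the log records and field names (`Image`, `CommandLine`, `SHA256`, `host`, `uri`) are constructed for the example and stand in for whatever your EDR and proxy actually emit.

```python
"""Match the Dridex endpoint and network indicators above against log records.

Added example; LOGS is constructed telemetry, not captured from the campaign.
"""
import re


def refang(ioc):
    """Undo the [.] defanging used in the indicator list above."""
    return ioc.replace("[.]", ".")


# SHA256 hashes listed above: two XLS attachments and the initial Dridex DLL.
DRIDEX_SHA256 = {
    "5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba",
    "7f8f24884e26b4b508d5147f8f54269e452d1200904323544ef36e30400190b1",
    "d94f16865de67b97fd6b953c54914d10e92cf8948843f8c8a275126af4b7805d",
}
C2_HOSTS = {refang("gorgetto[.]com"), refang("80.249.147[.]185")}
C2_QUERY = "1521169368286060714509328740714221001"

# "regsvr32.exe -s <file>" with the file under \AppData\Local\Temp\, the run
# method and drop location given above. Either switch prefix is accepted.
SWITCH_S_RE = re.compile(r"(?:^|\s)[-/]s(?:\s|$)", re.I)
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def check_process(rec):
    image = rec.get("Image", "").lower()
    cmd = rec.get("CommandLine", "")
    if (image.endswith("\\regsvr32.exe") and SWITCH_S_RE.search(cmd)
            and TEMP_DLL_RE.search(cmd)):
        return ["regsvr32-silent-temp-dll"]
    return []


def check_file(rec):
    digest = rec.get("SHA256", "").lower()
    if digest in DRIDEX_SHA256:
        return ["known-hash:" + digest[:12]]
    return []


def check_proxy(rec):
    hits = []
    if rec.get("host", "").lower() in C2_HOSTS or rec.get("dst_ip") in C2_HOSTS:
        hits.append("c2-host")
    # Traffic is HTTPS, so the query string is only visible with TLS
    # inspection or from the sandbox run; treat it as corroboration.
    if C2_QUERY in rec.get("uri", ""):
        hits.append("c2-query")
    return hits


CHECKS = {"process": check_process, "file": check_file, "proxy": check_proxy}


def scan(records):
    """Return (record index, reason) pairs for every indicator hit."""
    out = []
    for i, rec in enumerate(records):
        for reason in CHECKS.get(rec.get("type"), lambda r: [])(rec):
            out.append((i, reason))
    return out


# Constructed records: one true positive per indicator plus benign look-alikes.
LOGS = [
    {"type": "process", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\kxqwe.dll"},
    {"type": "process", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""},
    {"type": "file", "Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\kxqwe.dll",
     "SHA256": "D94F16865DE67B97FD6B953C54914D10E92CF8948843F8C8A275126AF4B7805D"},
    {"type": "proxy", "dst_ip": "80.249.147.185", "dst_port": 443,
     "host": "gorgetto.com", "uri": "/?" + C2_QUERY},
    {"type": "proxy", "dst_ip": "93.184.216.34", "dst_port": 443,
     "host": "example.com", "uri": "/"},
]

if __name__ == "__main__":
    for idx, reason in scan(LOGS):
        print(idx, reason)
```

The regsvr32 rule keys on the silent switch plus a DLL in the user's Temp directory rather than on the random file name, which changes per infection; the hash set catches only these exact samples and ages fastest, and the host/IP match survives until the actor rotates the download server.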