malware_traffic

2020-05-06 - XLS attachments from malspam pushing Dridex

May 6th, 2020
2020-05-06 (WEDNESDAY) - XLS ATTACHMENTS FROM MALSPAM PUSHING DRIDEX

DATA FROM 10 EMAIL EXAMPLES:

SENDING MAIL SERVERS:

- Received: from ([94.158.83.20])
- Received: from ([217.133.10.43])
- Received: from ([93.32.81.205])
- Received: from [116.103.20.119] ([116.103.20.119])
- Received: from host2-47-static.45-85-b.business.telecomitalia.it ([85.45.47.2])
- Received: from ([5.90.149.147])
- Received: from ([213.60.190.210])
- Received: from ([181.43.240.0])
- Received: from modemtelecom.homenet.telecomitalia.it ([79.56.20.116])
- Received: from ([213.26.203.148])

SPOOFED SENDING EMAIL ADDRESSES:

- From: DHL - Brook Conway <Brook.Conway@dhl.com>
- From: DHL - Josephine Warren <Josephine.Warren@dhl.com>
- From: DHL - Caroline Morrison <Caroline.Morrison@dhl.com>
- From: DHL - Erica Lees <Erica.Lees@dhl.com>
- From: DHL Express - India Sutton <India.Sutton@dhl.com>
- From: "\Intuit Service\" <quickbooks@notification.intuit.com>
- From: "\Intuit E-Commerce Service\" <quickbooks@notification.intuit.com>
- From: "Intuit Notification" <quickbooks@notification.intuit.com>
- From: <quickbooks@notification.intuit.com>

SUBJECT LINES:

- Subject: DHL - invoice(s)
- Subject: DHL enclosed invoices
- Subject: enclosed invoices
- Subject: Invoice 322868
- Subject: Invoice/Sales Receipt 382478
- Subject: Invoice/Sales Receipt 798512
- Subject: Purchase Order/Invoice 884120
- Subject: Reminder: Invoice 492702

ATTACHMENT NAMES:

- 647 81027{DIGIT[5]).xls
- 650 10317{DIGIT[5]).xls
- 725 45253{DIGIT[5]).xls
- 926 37283{DIGIT[5]).xls
- 987 81519{DIGIT[5]).xls
- Inv-382478.XLS
- Inv_492702.XLS
- INV_798512.XLS
- invoice.322868.xls
- invoice-884120.xls

ATTACHMENT EXAMPLES:

- SHA256 hash: 5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba
- File size: 87,040 bytes
- File name: 548 49931{DIGIT[5]).xls
- Analysis: https://app.any.run/tasks/4fcd41f9-27ae-4361-a2f6-1599a65e970f

- SHA256 hash: 7f8f24884e26b4b508d5147f8f54269e452d1200904323544ef36e30400190b1
- File size: 84,992 bytes
- File name: Inv_219278.xls
- Analysis: https://app.any.run/tasks/e7f30c31-66c4-4209-9b8a-edc987a20e46

BOTH OF THE ABOVE FILES RETRIEVE INFO FROM:

- 80.249.147[.]185 port 443 (HTTPS) - gorgetto[.]com - GET /?1521169368286060714509328740714221001

EXAMPLE OF TODAY'S INITIAL DRIDEX DLL:

- SHA256 hash: d94f16865de67b97fd6b953c54914d10e92cf8948843f8c8a275126af4b7805d
- File size: 477,696 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\[random file name]
- To run: regsvr32.exe -s [file name]
- Analysis: https://app.any.run/tasks/8c587523-7ac5-4fe4-ba82-dc713b92279e
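The following Python script is an added example, not part of the paste above. It turns the indicators listed here (the two XLS hashes, the DLL hash, the download host, the attachment naming patterns, and the regsvr32.exe -s launch of a DLL from the user's Temp folder) into simple matchers and runs them over a handful of mail, HTTP and process-creation records. The record layout (dicts with a "kind" field) and the records in SAMPLE_EVENTS are constructed for the demo; nothing about the log format is taken from the paste.

```python
"""Match the 2020-05-06 Dridex malspam indicators against sample records.

Added example, not from the original paste.  Hashes, hosts, naming
patterns and the regsvr32 command line come from the paste; the record
layout and SAMPLE_EVENTS are constructed for this demo.
"""
import re

# --- indicators taken from the paste ---------------------------------------
XLS_SHA256 = {
    "5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba",
    "7f8f24884e26b4b508d5147f8f54269e452d1200904323544ef36e30400190b1",
}
DLL_SHA256 = {"d94f16865de67b97fd6b953c54914d10e92cf8948843f8c8a275126af4b7805d"}
C2_HOSTS = {"gorgetto.com", "80.249.147.185"}
SPOOFED_SENDER_DOMAINS = {"dhl.com", "notification.intuit.com"}

# DHL-themed names, e.g. "647 81027{DIGIT[5]).xls": 3 digits, space, 10 digits
DHL_NAME = re.compile(r"^\d{3} \d{10}\.xls$", re.I)
# Intuit-themed names: Inv-382478.XLS, Inv_492702.XLS, invoice.322868.xls
INTUIT_NAME = re.compile(r"^inv(?:oice)?[-_.]\d{6}\.xls$", re.I)
# Download request seen in the sandbox runs: GET /?<long run of digits>
C2_PATH = re.compile(r"^/\?\d{20,}$")
# Loader: regsvr32.exe -s <file under C:\Users\<user>\AppData\Local\Temp\>
# (regsvr32 accepts both -s and /s, so both spellings are matched)
REGSVR32_TEMP = re.compile(
    r"regsvr32(?:\.exe)?\s+[-/]s\s+\"?"
    r"([a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\"\s]+)",
    re.I,
)


def check_mail(rec):
    """Reasons a mail record looks like this campaign (empty list = clean)."""
    reasons = []
    name = rec.get("attachment", "")
    if rec.get("sha256", "").lower() in XLS_SHA256:
        reasons.append("attachment hash is a known Dridex XLS")
    if DHL_NAME.match(name) or INTUIT_NAME.match(name):
        reasons.append(f"attachment name matches campaign pattern: {name}")
    # A spoofed brand domain alone is not an indicator (real DHL/Intuit mail
    # exists); only note it when the attachment already looks suspicious.
    domain = rec.get("from", "").rsplit("@", 1)[-1].lower()
    if reasons and domain in SPOOFED_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain} matches a spoofed brand")
    return reasons


def check_http(rec):
    """Reasons an HTTP record matches the XLS download stage."""
    reasons = []
    host = rec.get("host", "").lower()
    if host in C2_HOSTS:
        reasons.append(f"request to known Dridex download host {host}")
    if C2_PATH.match(rec.get("path", "")):
        reasons.append("path is '/?' followed by a long digit string")
    return reasons


def check_process(rec):
    """Reasons a process-creation record matches the DLL loader stage."""
    reasons = []
    m = REGSVR32_TEMP.search(rec.get("cmdline", ""))
    if m:
        reasons.append(f"regsvr32 silently loading a DLL from Temp: {m.group(1)}")
    if rec.get("sha256", "").lower() in DLL_SHA256:
        reasons.append("loaded DLL hash is the known Dridex DLL")
    return reasons


CHECKS = {"mail": check_mail, "http": check_http, "proc": check_process}


def scan(records):
    """Return [(record id, [reasons]), ...] for every record with a hit."""
    hits = []
    for rec in records:
        reasons = CHECKS[rec["kind"]](rec)
        if reasons:
            hits.append((rec["id"], reasons))
    return hits


# Constructed sample records (the hashes are the ones listed in the paste).
SAMPLE_EVENTS = [
    {"id": "m1", "kind": "mail", "from": "Brook.Conway@dhl.com",
     "attachment": "647 8102712345.xls",
     "sha256": "5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba"},
    {"id": "m2", "kind": "mail", "from": "colleague@example.com",
     "attachment": "Q2-budget.xlsx", "sha256": "00" * 32},
    {"id": "h1", "kind": "http", "host": "gorgetto.com",
     "path": "/?1521169368286060714509328740714221001"},
    {"id": "h2", "kind": "http", "host": "www.example.com", "path": "/index.html"},
    {"id": "p1", "kind": "proc",
     "cmdline": r"regsvr32.exe -s C:\Users\alice\AppData\Local\Temp\fjqwe.dll",
     "sha256": "d94f16865de67b97fd6b953c54914d10e92cf8948843f8c8a275126af4b7805d"},
    {"id": "p2", "kind": "proc",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
]

if __name__ == "__main__":
    for rec_id, reasons in scan(SAMPLE_EVENTS):
        print(rec_id, "->", "; ".join(reasons))
```

The hash and host sets are exact-match and will age quickly; the attachment-name regexes and the regsvr32-from-Temp check are the parts worth keeping in a detection rule, since they describe the campaign's technique rather than one day's samples.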