2019-03-14 - Malware from password-protected Word doc

malware_traffic, Mar 14th, 2019
PASSWORD-PROTECTED WORD DOC (PASSWORD: 1234):

e818fc71a8b67019f835dd0ef0e1b7fc05ad83450a94a8022a7d460849b18d14 - Dennis Cadet Resume.doc

INFECTION TRAFFIC:

209.141.34[.]8 port 80 - 209.141.34[.]8 - GET /test1.exe
209.141.50[.]64 port 2404 - toptoptop1[.]online - encoded TCP traffic for follow-up EXE
109.94.209[.]127 port 443 - packals[.]pw - attempted TCP connections, no response from server
DNS query for annamount[.]pw
185.48.56[.]231 port 443 - againston[.]pw - HTTPS traffic
46.249.62[.]199 port 80 - 46.249.62[.]199 - GET /Sw9JKmXqaSj.exe
46.249.62[.]199 port 80 - 46.249.62[.]199 - GET /Tinx86_14.exe
82.146.42[.]174 port 80 - 82.146.42[.]174 - GET /sin.png
185.48.56[.]231 port 80 - poperitte[.]host - GET /data2.php?0123456789ABCDEF
82.146.42[.]174 port 80 - 82.146.42[.]174 - GET /tin.png
185.48.56[.]231 port 443 - poperitte[.]host - HTTPS traffic

POST-INFECTION MALWARE LOCATION (AND SIZE):

C:\ProgramData\{BCA7A0D8-ABD8-4214-989E-6E63D5E42870}\dkdkq.exe (400,118,785 bytes)
C:\Users\[username]\AppData\Local\Temp\IXP000.TMP\ADDSTA~2.EXE (400,274,433 bytes)
C:\Users\[username]\AppData\Local\Temp\IXP001.TMP\OUT_23~1.EXE (400,118,785 bytes)
C:\Users\[username]\AppData\Local\Temp\dwn.exe (707,584 bytes)
C:\Users\[username]\AppData\Local\Temp\PERSPIRATIONS.exe (400,274,433 bytes)
C:\Users\[username]\AppData\Local\Temp\PERSPIRATIONS.vbs (102 bytes)
C:\Users\[username]\AppData\Local\Temp\qwerty2.exe (811,520 bytes)

POST-INFECTION MALWARE SHA256 HASHES:

SANDBOX ANALYSIS - QWERTY2.EXE:

https://app.any.run/tasks/a55ca1a6-4e8a-447d-a8b7-2123180d18f7
https://cape.contextis.com/analysis/47958/
https://www.reverse.it/sample/b304e1a36f406a28c2327f9391d3b50e1269aceb6e674230ffacfc9cf79cb927

SANDBOX ANALYSIS - DWN.EXE:

https://app.any.run/tasks/16505304-9425-49a6-8295-1a2ab9f1ee2c
https://cape.contextis.com/analysis/47964/
https://www.reverse.it/sample/ebea02060fa0bcf1cd41b30c9f965e16a6ce7ab7a9bc0c7a7158cd4205808cfe