2018-12-31 - malspam uses Excel attachment to push AZORult

malware_traffic - Dec 31st, 2018
2018-12-31 - MALSPAM USES ATTACHED EXCEL SPREADSHEET TO PUSH AZORULT:

EMAIL HEADERS:

Received: from psd-server1.posibilidades.com.mx (apartacel.com [200.52.172.106])
    by [removed]; Sun, 30 Dec 2018 04:59:39 +0200
    (envelope-from <export@grupo-mci.com>)
Received: from webmail.apartacel.com (localhost.localdomain [127.0.0.1])
    by psd-server1.posibilidades.com.mx (Postfix) with ESMTPA id 1F42032807BC;
    Sun, 30 Dec 2018 18:42:38 -0600 (CST)
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="=_eb7edd028eb5b75602661293299cae61"
Date: Mon, 31 Dec 2018 03:42:37 +0300
From: "Albena ( Grupo MCI )" <export@grupo-mci.com>
To: export@grupo-mci.com
Subject: Fwd: Order List
Message-ID: <bb523c72318fe15a6d120e1ad93e49f8@grupo-mci.com>
X-Sender: export@grupo-mci.com
User-Agent: Roundcube Webmail/1.2.7
X-PPP-Message-ID: <20181231004238.13190.65920@psd-server1.posibilidades.com.mx>
X-PPP-Vhost: apartacel.com

ASSOCIATED MALWARE:

- SHA256 hash: b6d89698ec7f80a53596e636e5f5fadfbd162e991eee80a9251cdc9d3443f3c5
- File size: 19,956 bytes
- File name: Quotation_201312.xlam
- File description: Email attachment - Excel spreadsheet with macro for AZORult
- Any.Run analysis: https://app.any.run/tasks/76c67c50-7f2b-43f9-b7f9-cfdc7e70e4cd
- CAPE sandbox analysis: https://cape.contextis.com/analysis/28909/
- Reverse.it analysis: https://www.reverse.it/sample/b6d89698ec7f80a53596e636e5f5fadfbd162e991eee80a9251cdc9d3443f3c5

- SHA256 hash: d35ab5a67e20a9761bdc98e0b1e1c6a9cd9cb4d4db3bb577ef4dc242110bfe98
- File size: 719,360 bytes
- File location: hxxp://wp12033108.server-he[.]de/Home/uber/0120950.jpg
- File location: C:\Users\[username]\AppData\Roaming\knsoh\oshgb.exe
- File description: AZORult EXE retrieved by XLS macro
- Any.Run analysis: https://app.any.run/tasks/9c99e787-a78f-40a7-b0df-d95e87ca9174
- CAPE sandbox analysis: https://cape.contextis.com/analysis/28907/
- Reverse.it analysis: https://www.reverse.it/sample/d35ab5a67e20a9761bdc98e0b1e1c6a9cd9cb4d4db3bb577ef4dc242110bfe98

INFECTION TRAFFIC:

MACRO RETRIEVES AZORULT MALWARE EXE:

- 5.35.225[.]83 port 80 - wp12033108.server-he[.]de - HEAD /Home/uber/0120950.jpg
- 5.35.225[.]83 port 80 - wp12033108.server-he[.]de - GET /Home/uber/0120950.jpg

AZORULT POST-INFECTION TRAFFIC:

- 185.112.249[.]198 port 80 - exmops[.]ml - POST /c1/index.php
- 185.112.249[.]198 port 80 - exmops[.]ml - POST /c1/index.php
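The two-stage pattern above (macro fetches a PE that is served under a .jpg file name, then the infected host starts POSTing to /c1/index.php on a different server) can be checked for in proxy or Zeek-style HTTP logs. This is an added example, not code from the original paste or its author; it assumes a simplified whitespace-separated http.log layout, and the hostnames and addresses in the sample lines are constructed placeholders (only the URI paths are taken from the notes above).

```python
# Added example: correlate "PE downloaded under an image file name" with a
# follow-up POST from the same client to another server (AZORult-style check-in).
# Assumed record layout: ts src dst method host uri resp_mime. Sample lines are
# constructed; hosts use .invalid names and RFC 5737 test addresses.
from datetime import datetime

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
PE_MIME = "application/x-dosexec"  # MIME label Zeek assigns to MZ/PE bodies

SAMPLE_HTTP_LOG = """\
2018-12-31T00:55:01 10.0.0.5 192.0.2.10 HEAD images.invalid /Home/uber/0120950.jpg -
2018-12-31T00:55:02 10.0.0.5 192.0.2.10 GET images.invalid /Home/uber/0120950.jpg application/x-dosexec
2018-12-31T00:55:20 10.0.0.5 198.51.100.7 POST c2.invalid /c1/index.php -
2018-12-31T00:56:30 10.0.0.5 198.51.100.7 POST c2.invalid /c1/index.php -
2018-12-31T01:10:00 10.0.0.9 192.0.2.10 GET images.invalid /logo.png image/png
"""

def parse(log):
    """Turn each log line into a dict; timestamps become datetime objects."""
    for line in log.splitlines():
        ts, src, dst, method, host, uri, mime = line.split()
        yield {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
               "method": method, "host": host, "uri": uri, "mime": mime}

def disguised_exe_downloads(events):
    """GET requests for image-named URIs whose response body is really a PE file."""
    return [e for e in events if e["method"] == "GET"
            and e["uri"].lower().endswith(IMAGE_EXT) and e["mime"] == PE_MIME]

def correlate(log, window_seconds=600):
    """Return (client, download_uri, beacon) tuples: the client fetched a
    disguised EXE and then POSTed to a different server within the window."""
    events = list(parse(log))
    hits = []
    for dl in disguised_exe_downloads(events):
        for e in events:
            delta = (e["ts"] - dl["ts"]).total_seconds()
            if (e["src"] == dl["src"] and e["method"] == "POST"
                    and e["dst"] != dl["dst"] and 0 < delta <= window_seconds):
                hits.append((dl["src"], dl["uri"], e["host"] + e["uri"]))
                break  # the first beacon after the download is enough to alert on
    return hits

if __name__ == "__main__":
    for client, uri, beacon in correlate(SAMPLE_HTTP_LOG):
        print(f"{client}: PE disguised as {uri}, then POST to {beacon}")
```

The MIME check is what makes the first rule robust: an attacker controls the file name, but not what Zeek's file analysis reports for an MZ body.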