malware_traffic

2020-07-28 - Password-protected XLS pushes ZLoader

Jul 28th, 2020
2020-07-28 - ZLOADER FROM RESUME-THEMED XLS SPREADSHEET

REFERENCE:

- https://twitter.com/malware_traffic/status/1288252759695925248

MALWARE:

- SHA256 hash: acdf04f8a8ea20b485aaa4f8f30b4be075775d5599b3006bbc020aba2a5d40b7
- File size: 407,040 bytes
- File name: resume.xls
- File description: Password-protected XLS file (password: 1234) with macro for ZLoader

- SHA256 hash: 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
- File size: 520,192 bytes
- File location: hxxp://205.185.125[.]104/files/july27.dll
- File location: C:\mVVIuWs\FTBSEIh\cYNhXOc.dll
- File location: C:\Users\[username]\AppData\Roaming\Itymuk\adavkie.dll
- File run method: Rundll32.exe [filename],DllRegisterServer
- File description: ZLoader malware DLL

INFECTION TRAFFIC:

- 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /MwRrN5
- 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /files/july27.dll
- 84.38.181[.]15 port 443 (HTTPS) - vlcafxbdjtlvlcduwhga[.]com - POST /web/post.php
- 84.38.181[.]15 port 443 (HTTPS) - softwareserviceupdater3[.]com - POST /web/post.php
- 84.38.181[.]15 port 443 (HTTPS) - softwareserviceupdater4[.]com - POST /web/post.php