API tools faq
paste
Advertisement
malware_traffic

2020-07-28 - Password-protected XLS pushes ZLoader

malware_traffic
Jul 28th, 2020
14,515
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.16 KB | None | 0 0
raw download clone embed print report
  1. 2020-07-28 - ZLOADER FROM RESUME-THEMED XLS SPREADSHEET
  2.  
  3. REFERENCE:
  4.  
  5. - https://twitter.com/malware_traffic/status/1288252759695925248
  6.  
  7. MALWARE:
  8.  
  9. - SHA256 hash: acdf04f8a8ea20b485aaa4f8f30b4be075775d5599b3006bbc020aba2a5d40b7
  10. - File size: 407,040 bytes
  11. - File name: resume.xls
  12. - File description: Password protected XLS file (password: 1234) with macro for ZLoader
  13.  
  14. - SHA256 hash: 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
  15. - File size: 520,192 bytes
  16. - File location: hxxp://205.185.125[.]104/files/july27.dll
  17. - File location: C:\mVVIuWs\FTBSEIh\cYNhXOc.dll
  18. - File location: C:\Users\[username]\AppData\Roaming\Itymuk\adavkie.dll
  19. - File run method: Rundll32.exe [filename],DllRegisterServer
  20. - File description: ZLoader malware DLL
  21.  
  22. INFECTION TRAFFIC:
  23.  
  24. - 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /MwRrN5
  25. - 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /files/july27.dll
  26. - 84.38.181[.]15 port 443 (HTTPS) - vlcafxbdjtlvlcduwhga[.]com - POST /web/post.php
  27. - 84.38.181[.]15 port 443 (HTTPS) - softwareserviceupdater3[.]com - POST /web/post.php
  28. - 84.38.181[.]15 port 443 (HTTPS) - softwareserviceupdater4[.]com - POST /web/post.php
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!