malware_traffic

2020-07-28 - Password-protected XLS pushes ZLoader

Jul 28th, 2020
2020-07-28 - ZLOADER FROM RESUME-THEMED XLS SPREADSHEET

REFERENCE:

- https://twitter.com/malware_traffic/status/1288252759695925248

MALWARE:

- SHA256 hash: acdf04f8a8ea20b485aaa4f8f30b4be075775d5599b3006bbc020aba2a5d40b7
- File size: 407,040 bytes
- File name: resume.xls
- File description: Password protected XLS file (password: 1234) with macro for ZLoader

- SHA256 hash: 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
- File size: 520,192 bytes
- File location: hxxp://205.185.125[.]104/files/july27.dll
- File location: C:\mVVIuWs\FTBSEIh\cYNhXOc.dll
- File location: C:\Users\[username]\AppData\Roaming\Itymuk\adavkie.dll
- File run method: Rundll32.exe [filename],DllRegisterServer
- File description: ZLoader malware DLL

INFECTION TRAFFIC:

- 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /MwRrN5
- 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /files/july27.dll
- 84.38.181[.]15 port 443 (HTTPS) - vlcafxbdjtlvlcduwhga[.]com - POST /web/post.php
- 84.38.181[.]15 port 443 (HTTPS) - softwareserviceupdater3[.]com - POST /web/post.php
- 84.38.181[.]15 port 443 (HTTPS) - softwareserviceupdater4[.]com - POST /web/post.php