2018-12-26 - malspam using malicious XLS file attachments

malware_traffic - Dec 26th, 2018
2018-12-26 - MALSPAM CAMPAIGN USING MALICIOUS XLS FILE ATTACHMENTS

MALSPAM DATA:

Subject: pending payments to be cleared TODAY, immediately
Subject: DEC-18 DLR PAYMENTS
Senders: various
Date/Time:
- 2018-12-26 06:00 - 07:00 UTC: 1,923 emails
- 2018-12-26 07:00 - 08:00 UTC: 3,456 emails
- 2018-12-26 08:00 - 09:00 UTC: 1,946 emails
- 2018-12-26 09:00 - 10:00 UTC: 1,986 emails
- 2018-12-26 10:00 - 11:00 UTC: 2,611 emails
- 2018-12-26 11:00 - 12:00 UTC: 519 emails
- 2018-12-26 12:00 - 13:00 UTC: 2 emails
- 2018-12-26 13:00 - 14:00 UTC: 6 emails
- 2018-12-26 14:00 - 15:00 UTC: 6 emails

MALSPAM EXAMPLES:

- Example 1 of 2: https://pastebin.com/dYr4n6r3
- Example 2 of 2: https://pastebin.com/m9EAsCbi

XLS FILE ATTACHMENTS:

- SHA256 hash: 308c49b40b7bb4f59ad489e14c15ec4f68e69f8fcef835046d62c08266340344
- File size: 184,320 bytes
- File name: DEC-18 PAYMENTS.xls
- Any Run sandbox: https://app.any.run/tasks/933f743a-2969-436d-acc1-befff97f0889
- CAPE sandbox: https://cape.contextis.com/analysis/28626/
- Reverse.it analysis: https://www.reverse.it/sample/308c49b40b7bb4f59ad489e14c15ec4f68e69f8fcef835046d62c08266340344

- SHA256 hash: 976fc8e82dc2c1b6ba7d8eecf37ca289c228b785c8ea4dbea6045e84580ed41c
- File size: 184,320 bytes
- File name: Dec-18 pending payments.xls
- Any Run sandbox: https://app.any.run/tasks/6993e22f-61de-40e9-a676-c1c051921a2b
- CAPE sandbox: https://cape.contextis.com/analysis/28627/
- Reverse.it analysis: https://www.reverse.it/sample/976fc8e82dc2c1b6ba7d8eecf37ca289c228b785c8ea4dbea6045e84580ed41c

MALWARE RETRIEVED BY XLS MACRO:

- SHA256 hash: a5bc8c8b89177f961aa5c0413716cb94b753efbea1a1ec9061be53b1be5cd36a
- File size: 454,656 bytes
- File location: hxxp://office365advance[.]com/update
- Any Run sandbox: https://app.any.run/tasks/bb4c94bf-1d01-4cac-9b6e-1b2373b70cef
- CAPE sandbox: https://cape.contextis.com/analysis/28630/
- Reverse.it analysis: https://www.reverse.it/sample/a5bc8c8b89177f961aa5c0413716cb94b753efbea1a1ec9061be53b1be5cd36a/

DLL FROM INFECTED WINDOWS HOST:

- SHA256 hash: 79a56ca8a7fdeed1f09466af66c24ddef5ef97ac026297f4ea32db6e01a81190
- File size: 382,408 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\htpd.dat
- Any Run sandbox: https://app.any.run/tasks/db7caf00-d70b-4c45-8e1c-833c4a3b8989
- CAPE sandbox: https://cape.contextis.com/analysis/28634/
- Reverse.it analysis: https://www.reverse.it/sample/79a56ca8a7fdeed1f09466af66c24ddef5ef97ac026297f4ea32db6e01a81190

POST-INFECTION TRAFFIC:

- 37.252.5[.]139 port 443 - vesecase[.]com - HTTPS/SSL/TLS traffic (Let's Encrypt certificate)