2020-07-22 (Wed) - Password-protected XLS files push ZLoader

1. 2020-07-22 - RESUME-THEMED PASSWORD-PROTECTED XLS FILE WITH MACROS PUSHES ZLOADER
2.  
3. REFERENCE:
4.  
5. - https://twitter.com/malware_traffic/status/1285984351583338502
6.  
7. NOTES:
8.  
9. - The two malware files below have been submitted to bazaar.abuse.ch
10. - I also submitted a zip archive package of the two below files to any.run at: https://app.any.run/tasks/93b9c0ab-2493-4201-90a5-eabc8f621550#
11.  
12. MALWARE FILES:
13.  
14. - SHA256 hash: f80b4a3bdc4b3985a752d80ef444e46307bb3744d19bd2a00a992908e3fa9e21
15. - File size: 424,448 bytes
16. - File name: myResume.xls
17. - File description: Password-protected XLS spreadsheet with macros for ZLoader
18. - File password: 1234
19.  
20. - SHA256 hash: de7da2ce5f2d7e5415bc3256cc5b7f97878ae9436497660b9add78829a8650cf
21. - File size: 404,480 bytes
22. - File location: hxxp://205.185.125[.]104/files/jul22.dll
23. - File location: C:\mVVIuWs\FTBSEIh\cYNhXOc.dll
24. - File location: C:\Users\[username]\AppData\Roaming\Nueskimyug.dll
25. - File description: ZLoader DLL
26. - Run method: rundll32.exe [file name],DllRegisterServer
27.  
28. TRAFFIC GENERATED BY XLS MACRO TO RETRIEVE ZLOADER DLL:
29.  
30. - 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /MwRrN5
31. - 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /files/july22.dll
32.  
33. ZLOADER TRAFFIC AND HTTPS URLS:
34.  
35. - 80.249.146[.]77 port 443 (HTTPS) - vlcafxbdjtlvlcduwhga[.]com - GET /web/post.php
36. - 80.249.146[.]77 port 443 (HTTPS) - softwareserviceupdater3[.]com - GET /web/post.php
37. - 80.249.146[.]77 port 443 (HTTPS) - softwareserviceupdater4[.]com - GET /web/post.php