malware_traffic

2020-07-22 (Wed) - Password-protected XLS files push ZLoader

Jul 22nd, 2020
2020-07-22 - RESUME-THEMED PASSWORD-PROTECTED XLS FILE WITH MACROS PUSHES ZLOADER

REFERENCE:

- https://twitter.com/malware_traffic/status/1285984351583338502

NOTES:

- The two malware files below have been submitted to bazaar.abuse.ch
- I also submitted a zip archive package of the two files below to any.run at: https://app.any.run/tasks/93b9c0ab-2493-4201-90a5-eabc8f621550#

MALWARE FILES:

- SHA256 hash: f80b4a3bdc4b3985a752d80ef444e46307bb3744d19bd2a00a992908e3fa9e21
- File size: 424,448 bytes
- File name: myResume.xls
- File description: Password-protected XLS spreadsheet with macros for ZLoader
- File password: 1234

- SHA256 hash: de7da2ce5f2d7e5415bc3256cc5b7f97878ae9436497660b9add78829a8650cf
- File size: 404,480 bytes
- File location: hxxp://205.185.125[.]104/files/jul22.dll
- File location: C:\mVVIuWs\FTBSEIh\cYNhXOc.dll
- File location: C:\Users\[username]\AppData\Roaming\Nueskimyug.dll
- File description: ZLoader DLL
- Run method: rundll32.exe [file name],DllRegisterServer

TRAFFIC GENERATED BY XLS MACRO TO RETRIEVE ZLOADER DLL:

- 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /MwRrN5
- 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /files/july22.dll

ZLOADER TRAFFIC AND HTTPS URLS:

- 80.249.146[.]77 port 443 (HTTPS) - vlcafxbdjtlvlcduwhga[.]com - GET /web/post.php
- 80.249.146[.]77 port 443 (HTTPS) - softwareserviceupdater3[.]com - GET /web/post.php
- 80.249.146[.]77 port 443 (HTTPS) - softwareserviceupdater4[.]com - GET /web/post.php
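A worked example of turning the indicators above into a detection, added here and not part of the original paste: it refangs the defanged IPs, domains and URIs, matches them against a few constructed proxy log lines (the log format and the lines are invented for illustration, not from the paste), looks up the two SHA256 hashes, and flags the rundll32.exe DllRegisterServer run method when the DLL is loaded from outside the Windows and Program Files directories. That last check is a heuristic assumed for this example; the paste only documents the run method and the AppData\Roaming path.

```python
"""Match the ZLoader indicators from the paste above against sample logs.

Added example, not part of the original paste. The log format, the sample
lines and the rundll32 heuristic are constructed for illustration; only the
indicators and the run method come from the paste.
"""
import re

# Indicators copied from the paste, kept defanged so this file never holds a live URL.
DEFANGED_IOCS = {
    "ips": ["205.185.125[.]104", "80.249.146[.]77"],
    "domains": [
        "vlcafxbdjtlvlcduwhga[.]com",
        "softwareserviceupdater3[.]com",
        "softwareserviceupdater4[.]com",
    ],
    "uris": ["/MwRrN5", "/files/jul22.dll", "/files/july22.dll", "/web/post.php"],
    "sha256": [
        "f80b4a3bdc4b3985a752d80ef444e46307bb3744d19bd2a00a992908e3fa9e21",
        "de7da2ce5f2d7e5415bc3256cc5b7f97878ae9436497660b9add78829a8650cf",
    ],
}


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be compared with log fields."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed proxy log: "<timestamp> <client> <method> <host> <path> <status>".
# These lines are made up for the example; they are not from the paste or any capture.
SAMPLE_PROXY_LOG = """\
2020-07-22T14:01:03Z 10.0.0.15 GET 205.185.125.104 /MwRrN5 200
2020-07-22T14:01:09Z 10.0.0.15 GET 205.185.125.104 /files/july22.dll 200
2020-07-22T14:02:41Z 10.0.0.15 CONNECT softwareserviceupdater3.com:443 - 200
2020-07-22T14:05:00Z 10.0.0.22 GET www.example.com /index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def scan_proxy_log(text: str, iocs: dict = DEFANGED_IOCS) -> list:
    """Return one (client, [(kind, indicator), ...]) tuple per log line that hits an indicator."""
    ips = {refang(i) for i in iocs["ips"]}
    domains = {refang(d) for d in iocs["domains"]}
    uris = set(iocs["uris"])
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = m["host"].split(":")[0]  # CONNECT lines carry host:port
        hits = []
        if host in ips:
            hits.append(("ip", host))
        if host in domains:
            hits.append(("domain", host))
        if m["path"] in uris:
            hits.append(("uri", m["path"]))
        if hits:
            alerts.append((m["client"], hits))
    return alerts


def is_known_hash(sha256_hex: str, iocs: dict = DEFANGED_IOCS) -> bool:
    """Case-insensitive lookup of a SHA256 against the paste's two file hashes."""
    return sha256_hex.lower() in {h.lower() for h in iocs["sha256"]}


# Heuristic assumed for this example: the paste shows the DLL launched via
# "rundll32.exe <file>,DllRegisterServer" from a user-writable path, so flag that
# export name whenever the DLL is not under the Windows or Program Files directories.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+),\s*DllRegisterServer\b", re.IGNORECASE
)


def suspicious_rundll32(cmdline: str) -> bool:
    """True when a process command line matches the heuristic above."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return False
    dll = m["dll"].strip('"').lower()
    return not dll.startswith(("c:\\windows\\", "c:\\program files"))


if __name__ == "__main__":
    for client, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, hits)
    # "alice" stands in for the [username] placeholder in the paste.
    print(suspicious_rundll32(
        r"rundll32.exe C:\Users\alice\AppData\Roaming\Nueskimyug.dll,DllRegisterServer"
    ))
```

Both URI spellings from the paste (/files/jul22.dll in the file location, /files/july22.dll in the traffic line) are kept in the URI set, since matching on the IP alone already covers either download. The CONNECT line shows why the host is split on ":" before comparison: for HTTPS the proxy usually logs only host:port, so the domain is the indicator worth matching, not the /web/post.php path.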