- 2020-07-22 - RESUME-THEMED PASSWORD-PROTECTED XLS FILE WITH MACROS PUSHES ZLOADER
- REFERENCE:
- - https://twitter.com/malware_traffic/status/1285984351583338502
- NOTES:
- - The two malware files below have been submitted to bazaar.abuse.ch
- - I also submitted a zip archive package of the two below files to any.run at: https://app.any.run/tasks/93b9c0ab-2493-4201-90a5-eabc8f621550#
- MALWARE FILES:
- - SHA256 hash: f80b4a3bdc4b3985a752d80ef444e46307bb3744d19bd2a00a992908e3fa9e21
- - File size: 424,448 bytes
- - File name: myResume.xls
- - File description: Password-protected XLS spreadsheet with macros for ZLoader
- - File password: 1234
- - SHA256 hash: de7da2ce5f2d7e5415bc3256cc5b7f97878ae9436497660b9add78829a8650cf
- - File size: 404,480 bytes
- - File location: hxxp://205.185.125[.]104/files/jul22.dll
- - File location: C:\mVVIuWs\FTBSEIh\cYNhXOc.dll
- - File location: C:\Users\[username]\AppData\Roaming\Nueskimyug.dll
- - File description: ZLoader DLL
- - Run method: rundll32.exe [file name],DllRegisterServer
- TRAFFIC GENERATED BY XLS MACRO TO RETRIEVE ZLOADER DLL:
- - 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /MwRrN5
- - 205.185.125[.]104 port 80 - 205.185.125[.]104 - GET /files/july22.dll
- ZLOADER TRAFFIC AND HTTPS URLS:
- - 80.249.146[.]77 port 443 (HTTPS) - vlcafxbdjtlvlcduwhga[.]com - GET /web/post.php
- - 80.249.146[.]77 port 443 (HTTPS) - softwareserviceupdater3[.]com - GET /web/post.php
- - 80.249.146[.]77 port 443 (HTTPS) - softwareserviceupdater4[.]com - GET /web/post.php
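Added example (not part of the original post): a small Python checker that turns the indicators above into detection logic and runs it over constructed log lines. The proxy-log and process-creation formats, hostnames and usernames below are assumptions for illustration; the IOC values are transcribed from the post in its defanged notation and refanged in code. Both DLL spellings the post lists (jul22.dll and july22.dll) are kept as written. The rundll32 heuristics (Office parent process, DllRegisterServer on a DLL under AppData\Roaming or outside Windows/Program Files) generalize the run method noted above beyond the exact file names.

```python
import re

def refang(ioc: str) -> str:
    """Turn the post's defanged notation (hxxp://, [.]) back into a usable value."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

# Indicators transcribed from the post.
IOC_HOSTS = {refang(h) for h in (
    "vlcafxbdjtlvlcduwhga[.]com",
    "softwareserviceupdater3[.]com",
    "softwareserviceupdater4[.]com",
)}
IOC_IPS = {refang(i) for i in ("205.185.125[.]104", "80.249.146[.]77")}
IOC_DLL_NAMES = {"nueskimyug.dll", "cynhxoc.dll", "jul22.dll", "july22.dll"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: common maldoc parents

# Constructed proxy log, format "<src> <dst_ip> <host> <method> <path>" (assumed layout).
SAMPLE_PROXY_LOG = """\
10.0.0.15 205.185.125.104 205.185.125.104 GET /MwRrN5
10.0.0.15 205.185.125.104 205.185.125.104 GET /files/july22.dll
10.0.0.15 80.249.146.77 softwareserviceupdater3.com GET /web/post.php
10.0.0.22 192.0.2.10 www.example.com GET /index.html
"""

# Constructed process-creation events, format "<host>|<parent>|<image>|<cmdline>" (assumed layout).
SAMPLE_PROC_LOG = r"""WS01|EXCEL.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Roaming\Nueskimyug.dll,DllRegisterServer
WS01|explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
WS02|msiexec.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Program Files\Vendor\setup.dll,DllRegisterServer
"""

PROXY_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+?)"?\s*,\s*(?P<export>\w+)', re.I)

def match_network(log_text: str):
    """Return (line, reasons) for proxy lines touching an IOC IP or hostname."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["dst"] in IOC_IPS:
            reasons.append("destination IP " + m["dst"])
        if m["host"].lower() in IOC_HOSTS:
            reasons.append("hostname " + m["host"])
        if reasons and m["path"] == "/web/post.php":
            reasons.append("ZLoader check-in path /web/post.php")
        if reasons:
            hits.append((line, reasons))
    return hits

def rundll32_reasons(parent: str, cmdline: str):
    """Heuristics for the post's run method: rundll32.exe <dll>,DllRegisterServer."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return []
    dll = m["dll"].strip().lower()
    name = dll.rsplit("\\", 1)[-1]
    reasons = []
    if parent.lower() in OFFICE_PARENTS:
        reasons.append("rundll32 spawned by Office process " + parent)
    if m["export"].lower() == "dllregisterserver":
        if "\\appdata\\roaming\\" in dll:
            reasons.append("DllRegisterServer on DLL under AppData\\Roaming")
        elif "\\" in dll and not re.match(r"^[a-z]:\\(windows|program files)", dll):
            reasons.append("DllRegisterServer on DLL outside Windows/Program Files")
        if name in IOC_DLL_NAMES:
            reasons.append("known ZLoader DLL name " + name)
    return reasons

def match_process(log_text: str):
    """Return (line, reasons) for process events matching the rundll32 heuristics."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        reasons = rundll32_reasons(parts[1], parts[3])
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, why in match_network(SAMPLE_PROXY_LOG) + match_process(SAMPLE_PROC_LOG):
        print(line, "->", "; ".join(why))
```

The third process event (a vendor installer registering a DLL under Program Files) is a deliberate true negative: DllRegisterServer on its own is normal, and the signal in this campaign is the combination of an Office parent, a user-writable or random top-level directory, and the listed names.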