ExecuteMalware

2021-03-18 Unknown Malware IOCs

Mar 18th, 2021 (edited)
THREAT IDENTIFICATION: UNKNOWN MALWARE

ANALYST NOTES
The emails all had varied subjects - it's likely that the Subjects have been stolen from existing emails.
The bodies of the emails, however, are original and all mention reviewing information in a document.
There's a link to a download URL as well as a password that's unique for each email.
The downloaded file is a .zip file which contains a .js file.
The JavaScript file calls out to download another file (no extension) stored on a file sharing platform.
This one is also a script which is fairly heavily obfuscated - mostly with just base64 encoding.
I extracted the base64 strings and noticed 2 streams with MZ headers.
After extracting these to disk, I discovered that they're both .dll files (32- and 64-bit).
At this point, that's as far as I've gotten.

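The extraction step the notes describe (pull the long base64 strings out of the obfuscated second-stage script, look for MZ headers, drop the decoded images to disk and check whether each is 32- or 64-bit), written out as an added Python example; this is not the analyst's own tooling, and the script it runs on is a constructed stand-in with fake PE stubs, not the real sample.

```python
import base64
import re
import struct

# Long standard-alphabet base64 runs; anything shorter cannot hold an executable.
# (Assumption: the script keeps each blob in one string literal, not split by concatenation.)
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
MACHINE_NAMES = {0x14C: "32-bit (I386)", 0x8664: "64-bit (AMD64)", 0xAA64: "ARM64"}

def pe_machine(blob: bytes):
    """Return the COFF Machine field if blob is a well-formed MZ/PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 4)[0]

def carve_embedded_pes(script: bytes):
    """Decode each long base64 token; return [(token_offset, machine, image_bytes)] for PE hits."""
    found = []
    for m in B64_TOKEN.finditer(script):
        token = m.group(0) + b"=" * (-len(m.group(0)) % 4)   # restore stripped padding
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:                                     # binascii.Error is a ValueError
            continue
        machine = pe_machine(blob)
        if machine is not None:
            found.append((m.start(), machine, blob))
    return found

def fake_pe(machine: int) -> bytes:
    """Constructed stand-in for a DLL: MZ stub, e_lfanew -> 'PE\\0\\0' + COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x2000)  # 0x2000 = IMAGE_FILE_DLL
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64

# Constructed sample script: one decoy string plus the two fake DLLs (not the real sample).
SAMPLE_SCRIPT = (b'var s = "' + base64.b64encode(b"decoy text, not an executable, " * 4) + b'";\n'
                 + b'var a = "' + base64.b64encode(fake_pe(0x14C)) + b'";\n'
                 + b'var b = "' + base64.b64encode(fake_pe(0x8664)) + b'";\n')

if __name__ == "__main__":
    for offset, machine, blob in carve_embedded_pes(SAMPLE_SCRIPT):
        with open(f"carved_{offset}.bin", "wb") as fh:   # drop each image to disk for triage
            fh.write(blob)
        print(f"token at {offset}: {MACHINE_NAMES.get(machine, hex(machine))}, {len(blob)} bytes")
```

Point it at the real script by replacing SAMPLE_SCRIPT with the file's bytes; hashing each carved image then gives the values to compare against the payload hashes below.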
SENDERS OBSERVED

MALDOC DISTRIBUTION URLS

MALDOC FILE HASHES
AB_2020-23109_PDF.zip
0cc55b4e3b697625cccfe3bb94477dba

AB-2020_10822_PDF.zip
2f3a075e19af32ffe2d761695f76014e

NN_2020-5711_PDF.zip
b5c95ff41c883950849e9ee9489dfc9b

Which contain:

AB_2020-23109_PDF.js
8a00f3d855475a8056630ae60b04a131

NN_2020-5711_PDF.js
b153bfbc0a1269b1858b023146bd1a3c

AB-2020_10822_PDF.js
b4c59e4dfaf6eef9c8ccd2c79fb4140b

SECOND STAGE DOWNLOAD URLS
http://sendfile2.link/get?ID=I1IgFr24Cxg
http://sendfile2.link/get?ID=cRI1qau2D9vH
http://sendfile2.link/get?ID=g1Ua41OL02p

SECOND STAGE FILE HASHES
I1IgFr24Cxg
cc17e0a3a15da6a83b06b425ed79d84c

EMBEDDED PAYLOAD FILE HASHES
fa9e686b811a1d921623947b8fd56337
32-bit .dll

1f285e496096168fbed415e6496a172f
64-bit .dll

EMAIL BODY
Good day to you!

We need your help. Please review the information in the archive you can get via the link below: Contract 782\7
The password: <unique_string>

Provide us with all the related information as soon as you can.