2020-03-17 - FedEx themed malspam pushes Dridex

malware_traffic, Mar 18th, 2020
DATA FROM 10 EXAMPLES OF THIS MALSPAM:

Date: Tue, 17 Mar 2020 11:36:27 -0800
Date: Tue, 17 Mar 2020 11:55:54 -0800
Date: Tue, 17 Mar 2020 11:58:38 -0800
Date: Tue, 17 Mar 2020 12:05:23 -0800
Date: Tue, 17 Mar 2020 12:22:35 -0800
Date: Tue, 17 Mar 2020 12:41:43 -0800
Date: Tue, 17 Mar 2020 12:55:47 -0800
Date: Tue, 17 Mar 2020 14:52:02 -0800
Date: Tue, 17 Mar 2020 14:56:33 -0800
Date: Tue, 17 Mar 2020 15:07:55 -0800

Received: from emailgatesecureasia.us ([104.168.234.83])
Received: from emailgatesecurelife.us ([104.168.144.44])
Received: from emailgatesecureworld.us ([104.168.237.184])
Received: from emailgatevip.us ([192.129.212.97])
Received: from esendsstrangedigital.us ([192.129.212.139])
Received: from esendsstrangelifes.us ([104.168.242.41])
Received: from esendsstrangesecureus.us ([104.168.237.60])
Received: from mailgatesecureclub.us ([104.168.246.114])
Received: from mailgatesecuredigital.us ([104.168.214.24])
Received: from mailgatesecurevip.us ([192.129.212.106])

From: "FedEx Customer Support" <compare@esendsstrangelifes.us>
From: "Fedex Delivery" <collateral@emailgatesecureworld.us>
From: "Fedex Delivery" <greatseal@esendsstrangesecureus.us>
From: "FedEx Manager" <rise@mailgatesecureclub.us>
From: "FedEx Manager" <season@mailgatesecurevip.us>
From: "FedEx Shipment" <liquid@esendsstrangedigital.us>
From: "Fedex" <arrive@emailgatesecureasia.us>
From: "FedEX" <lost@mailgatesecuredigital.us>
From: "FEDEX" <ship@emailgatesecurelife.us>
From: "FEDEX" <string@emailgatevip.us>

Subject: Fedex Customer Support N-479555002395
Subject: FedEX On Demand Delivery 0168650250188
Subject: FedEX On Demand Delivery 425397128548920
Subject: FedEX On Demand Delivery 7269787401431
Subject: FedEx Shipment 166773444545389: Your package has been delivered
Subject: FedEx Shipment 595541678285 Delivered
Subject: FEDEX Shipment Notification : 2444804548527
Subject: FEDEX Shipment Notification : 37928993171369
Subject: FEDEX Shipment Notification : 966473359238012
Subject: Your package has been delivered 8258843165161

LINKS FROM THE EMAILS:

hxxp://bhrconsulting[.]fr/app.php
hxxp://blog.tranelite[.]com/app.php
hxxp://cantabile[.]hr/app.php
hxxp://testing.technocrack[.]com[.]au/app.php
hxxp://thompsonproducoes[.]com[.]br/app.php
hxxps://akademia-wiedzy.slask[.]pl/app.php
hxxps://lancer4u[.]com/app.php
hxxps://newsetal[.]com/app.php
hxxps://sualehwebsites[.]tk/app.php
hxxps://vidiodunyasi.000webhostapp[.]com/app.php

THE ABOVE LINKS REDIRECTED TO THE FOLLOWING URLS THAT RETURNED ZIP ARCHIVES:

hxxp://agromsite.nichost[.]ru/ydmdlu/out.php?ipBE=[base64 string for victim's public IP address]&uaBE=[base64 string for victim's user-agent]=&fN=Ti44NzQ4NDA3NTYxNTYuemlw&bs=MA==&st=MA==&bse=MA==&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw==&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE=

hxxp://dizajnovecentrumpodlah[.]sk/wp-includes/js/tinymce/skins/lightgray/img/out.php?ipBE=[base64 string for victim's public IP address]&uaBE=[base64 string for victim's user-agent]&fN=TnVtfjUxOTE5NzQyNjM5LnppcA==&bs=MA==&st=MA==&bse=MA==&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw==&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE=

hxxps://ulending[.]co/out.php?ipBE=[base64 string for victim's public IP address]&uaBE=[base64 string for victim's user-agent]&fN=RkVEfjgwMjE0NTgzMTc2OS56aXA=&bs=MA==&st=MA==&bse=MA==&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw==&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE=

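NOTE: The out.php URLs above carry every parameter as base64. The following Python is an added example (not part of the original post) that decodes one of them. The two victim-specific values are redacted in the post, so made-up stand-ins are substituted and labelled as constructed in the code. Decoding fN gives N.874840756156.zip, the same name that appears in the ZIP hash list further down; hst and pth decode to an IP address and a path, and ofc to a parcel-tracking URL.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-ins for the two victim-specific parameters. The post
# redacts them as "[base64 string for ...]"; these encode a made-up IP and
# user-agent so the example runs offline.
FAKE_IP_B64 = base64.b64encode(b"203.0.113.10").decode()
FAKE_UA_B64 = base64.b64encode(b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)").decode()

# First redirect URL from the post, refanged, with the redacted victim
# parameters replaced by the constructed values above.
SAMPLE_URL = (
    "http://agromsite.nichost.ru/ydmdlu/out.php"
    f"?ipBE={FAKE_IP_B64}&uaBE={FAKE_UA_B64}"
    "&fN=Ti44NzQ4NDA3NTYxNTYuemlw&bs=MA==&st=MA==&bse=MA=="
    "&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw=="
    "&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ=="
    "&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE="
)

# Parameters that identify the victim rather than the infrastructure.
VICTIM_KEYS = {"ipBE", "uaBE"}


def _b64_lenient(value: str) -> bytes:
    # Base64 in query strings often loses its '=' padding; re-pad before decoding.
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded, validate=False)


def decode_out_php_params(url: str) -> dict:
    """Return the out.php query parameters with each value base64-decoded.

    A value that is not valid base64 (or not UTF-8) is kept verbatim so one
    malformed parameter does not abort analysis of the rest. parse_qsl splits
    each pair on the first '=' only, so base64 padding inside a value survives.
    """
    decoded = {}
    for key, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        try:
            decoded[key] = _b64_lenient(raw).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded[key] = raw
    return decoded


def shareable_fields(url: str) -> dict:
    """Decoded parameters minus the victim-identifying ones, plus the redirector host.

    This is the record you would put in a report: infrastructure, not the victim.
    """
    out = {"redirector": urlsplit(url).hostname}
    out.update({k: v for k, v in decode_out_php_params(url).items()
                if k not in VICTIM_KEYS})
    return out


if __name__ == "__main__":
    for key, value in decode_out_php_params(SAMPLE_URL).items():
        print(f"{key:5s} = {value}")
```

Run it directly to print every decoded parameter. The decoded hst and pth values are infrastructure indicators in their own right and are not otherwise visible in the post's link list.
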
SHA256 HASHES FOR SOME DOWNLOADED ZIP ARCHIVES:

79bb56b8a96afc946a50f39eff8c2e581cff32393b8378bfa9c0399c670a1f14 - FED_802145831769.zip
2c91288ee69e4ed78bff9cde5f8c8c4859ba1b2499731675ddc07050f05a4313 - N.874840756156.zip
c6772a34fc3dc0ad81d92f8565c449d2abe3c504fabb2745572555a811720761 - N_96319404848.zip
0ef507b103d1910bd66f4d0086ad89af1269e3946ed834a5f79a097cfc155d17 - Num_51919742639.zip
c0ffefd9172e047a2c8e86f9045cb9c658f4c9fe7e4321e6c63c2e3c5c96ed16 - Parc_131135223503.zip
NOTE: These samples can be found at:
- https://app.any.run/tasks/8f5e3293-5b86-43c4-8192-75da6c300a1a
- https://app.any.run/tasks/f1d2ba31-2a36-47c7-8ce7-e9cb12787ed7
- https://app.any.run/tasks/272ba991-6330-441d-93ce-478f12b1d050
- https://app.any.run/tasks/66a62676-9cbc-4ca3-ab9d-2e73e35ede6e
- https://app.any.run/tasks/10ec131d-860f-47ac-a84d-d7839ea894f7

SHA256 HASHES FOR EXTRACTED VBS FILES FROM THE ABOVE ZIP ARCHIVES:

bf459071859563ee9cb850196e7cfb9b6ce4d440ead1e7d558d7e56601202e03 - FED~802145831769.vbs
ec60c3ec35e0d2ad9fee3df4d733c6fb746e30a32b5b9bafe02db9c2e5a3d7a5 - N.874840756156.vbs
8393f630e90c342b824929642db61360dc1ca369352d3d63279f01462abb1ca0 - Num~51919742639.vbs
eec8afb88f566ed463a3ea62defa891448a06a3dea74ced0caa5c6da226d956a - N~96319404848.vbs
feca372ab14eb4b546b4ef5762ced01cadf736f5494b53f078bb7a1fa6f39a02 - Parc~131135223503.vbs

SHA256 HASH AND NAMES OF THE INITIAL DLL FOR DRIDEX DROPPED IN THE C:\PROGRAMDATA\ DIRECTORY (ONE HASH, FIVE FILE NAMES):

11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - CmrdeuHKg.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - FUQVrFfd.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - HbScmiVgop.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - SqOKKm.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - pvrcyqbKhqE.dll
NOTE: A sample of this DLL can be found at:
- https://app.any.run/tasks/ea43c9c3-a403-4b91-b304-b97fc3cc2dfc

EXAMPLE OF HOW THE VBS FILE RUNS THE INITIAL DRIDEX DLL (NOTE THE MIXED-CASE SPELLING OF REGSVR32):

reGsVr32 -s C:\ProgramData\pvrcyqbKhqE.dll

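NOTE: Two things in the data above are worth turning into detection logic: the initial DLL is launched through regsvr32 (spelled in mixed case) from a path under C:\ProgramData\, and one SHA256 appears under five different file names, so a hash match holds up where a file-name match does not. The following Python is an added example (not from the post) that checks both, run over constructed process-creation and image-load records using Sysmon-style field names. The script-host parent (wscript.exe or cscript.exe) is an assumption consistent with a VBS launcher; the post does not show the parent process.

```python
import re
from typing import Iterable, List, Optional

# SHA256 of the initial Dridex DLL from the post (one hash, five file names).
INITIAL_DLL_SHA256 = "11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870"

# regsvr32 in any letter case ("reGsVr32" in the post) naming a DLL under
# C:\ProgramData\, with or without quotes around the path.
_REGSVR32_PROGRAMDATA = re.compile(
    r"""
    \bregsvr32(?:\.exe)?\b                          # the binary, with or without extension
    .*?                                             # any flags, e.g. -s or /s
    (?P<dll>"?[A-Z]:\\ProgramData\\[^\s"]+\.dll)    # DLL path, optionally quoted
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Assumed parent processes for a VBS launcher (not shown in the post).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed records in a Sysmon-like shape. Event 1 mirrors the command line
# from the post; the others are variations a rule must classify correctly.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"reGsVr32 -s C:\ProgramData\pvrcyqbKhqE.dll"},
    {"EventType": "ProcessCreate",                      # regsvr32 from ProgramData, but no script host parent
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'regsvr32 /s "C:\ProgramData\Vendor\helper.dll"'},
    {"EventType": "ProcessCreate",                      # installer registering a DLL: should not fire
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"EventType": "ImageLoad",                          # same initial DLL under another of its names
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\ProgramData\SqOKKm.dll",
     "Hashes": f"SHA256={INITIAL_DLL_SHA256}"},
]


def check_process_create(event: dict) -> Optional[dict]:
    """Flag regsvr32 loading a DLL from C:\\ProgramData\\; higher severity under a script host."""
    m = _REGSVR32_PROGRAMDATA.search(event.get("CommandLine", ""))
    if not m:
        return None
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    finding = {"rule": "regsvr32_programdata_dll",
               "dll": m.group("dll").strip('"'),
               "parent": parent,
               "severity": "medium"}
    if parent in SCRIPT_HOSTS:
        finding["severity"] = "high"
    return finding


def check_image_load(event: dict, known: frozenset = frozenset({INITIAL_DLL_SHA256})) -> Optional[dict]:
    """Flag a loaded image whose SHA256 is a known Dridex DLL, whatever its file name."""
    hashes = dict(h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    sha = hashes.get("SHA256", "").lower()
    if sha not in known:
        return None
    return {"rule": "known_dridex_dll_sha256",
            "path": event.get("ImageLoaded"),
            "sha256": sha,
            "severity": "high"}


def triage(events: Iterable[dict]) -> List[dict]:
    """Run the matching check for each record and collect the findings."""
    findings = []
    for e in events:
        if e.get("EventType") == "ProcessCreate":
            f = check_process_create(e)
        else:
            f = check_image_load(e)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The case-insensitive match matters: a rule keyed on the literal string "regsvr32" would miss the "reGsVr32" spelling in the post. The hash check is deliberately independent of ImageLoaded, since the same DLL was dropped under five names.
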
EXAMPLES OF FOLLOW-UP DLL FILES FOR DRIDEX:

c38265e6eeda8fb97869fbe2264c0ca4ed44b900863ef55386b2acf48dd841f7 - VERSION.dll
1989cb5b0b6b04eca3049e0d1476d30cee43c7f5d0e1a9f70b50f934021407e3 - VERSION.dll
aa3ca9a7ec0ab6ef085b23c349ee717d94a6d7a57d06677030de8e8b6e40838c - dwmapi.dll
NOTE: These samples can be found at:
- https://app.any.run/tasks/9d6b6217-e4ee-423f-8279-37360c8b7203
- https://app.any.run/tasks/c3b22438-1872-4760-953a-36ec94e38c6f
- https://app.any.run/tasks/bae7ae48-5da4-4d24-adf1-0fd7b510cfbb