malware_traffic

2020-03-17 - FedEx themed malspam pushes Dridex

Mar 18th, 2020
2020-03-17 - FEDEX-THEMED MALSPAM PUSHES DRIDEX

DATA FROM 10 EXAMPLES OF THIS MALSPAM:

Date: Tue, 17 Mar 2020 11:36:27 -0800
Date: Tue, 17 Mar 2020 11:55:54 -0800
Date: Tue, 17 Mar 2020 11:58:38 -0800
Date: Tue, 17 Mar 2020 12:05:23 -0800
Date: Tue, 17 Mar 2020 12:22:35 -0800
Date: Tue, 17 Mar 2020 12:41:43 -0800
Date: Tue, 17 Mar 2020 12:55:47 -0800
Date: Tue, 17 Mar 2020 14:52:02 -0800
Date: Tue, 17 Mar 2020 14:56:33 -0800
Date: Tue, 17 Mar 2020 15:07:55 -0800

Received: from emailgatesecureasia.us ([104.168.234.83])
Received: from emailgatesecurelife.us ([104.168.144.44])
Received: from emailgatesecureworld.us ([104.168.237.184])
Received: from emailgatevip.us ([192.129.212.97])
Received: from esendsstrangedigital.us ([192.129.212.139])
Received: from esendsstrangelifes.us ([104.168.242.41])
Received: from esendsstrangesecureus.us ([104.168.237.60])
Received: from mailgatesecureclub.us ([104.168.246.114])
Received: from mailgatesecuredigital.us ([104.168.214.24])
Received: from mailgatesecurevip.us ([192.129.212.106])

From: "FedEx Customer Support" <compare@esendsstrangelifes.us>
From: "Fedex Delivery" <collateral@emailgatesecureworld.us>
From: "Fedex Delivery" <greatseal@esendsstrangesecureus.us>
From: "FedEx Manager" <rise@mailgatesecureclub.us>
From: "FedEx Manager" <season@mailgatesecurevip.us>
From: "FedEx Shipment" <liquid@esendsstrangedigital.us>
From: "Fedex" <arrive@emailgatesecureasia.us>
From: "FedEX" <lost@mailgatesecuredigital.us>
From: "FEDEX" <ship@emailgatesecurelife.us>
From: "FEDEX" <string@emailgatevip.us>

Subject: Fedex Customer Support N-479555002395
Subject: FedEX On Demand Delivery 0168650250188
Subject: FedEX On Demand Delivery 425397128548920
Subject: FedEX On Demand Delivery 7269787401431
Subject: FedEx Shipment 166773444545389: Your package has been delivered
Subject: FedEx Shipment 595541678285 Delivered
Subject: FEDEX Shipment Notification : 2444804548527
Subject: FEDEX Shipment Notification : 37928993171369
Subject: FEDEX Shipment Notification : 966473359238012
Subject: Your package has been delivered 8258843165161

LINKS FROM THE EMAILS:

hxxp://bhrconsulting[.]fr/app.php
hxxp://blog.tranelite[.]com/app.php
hxxp://cantabile[.]hr/app.php
hxxp://testing.technocrack[.]com[.]au/app.php
hxxp://thompsonproducoes[.]com[.]br/app.php
hxxps://akademia-wiedzy.slask[.]pl/app.php
hxxps://lancer4u[.]com/app.php
hxxps://newsetal[.]com/app.php
hxxps://sualehwebsites[.]tk/app.php
hxxps://vidiodunyasi.000webhostapp[.]com/app.php

THE ABOVE LINKS REDIRECTED TO THE FOLLOWING URLS THAT RETURNED ZIP ARCHIVES:

hxxp://agromsite.nichost[.]ru/ydmdlu/out.php?ipBE=[base64 string for victim's public IP address]&uaBE=[base64 string for victim's user-agent]=&fN=Ti44NzQ4NDA3NTYxNTYuemlw&bs=MA==&st=MA==&bse=MA==&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw==&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE=

hxxp://dizajnovecentrumpodlah[.]sk/wp-includes/js/tinymce/skins/lightgray/img/out.php?ipBE=[base64 string for victim's public IP address]&uaBE=[base64 string for victim's user-agent]&fN=TnVtfjUxOTE5NzQyNjM5LnppcA==&bs=MA==&st=MA==&bse=MA==&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw==&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE=

hxxps://ulending[.]co/out.php?ipBE=[base64 string for victim's public IP address]&uaBE=[base64 string for victim's user-agent]&fN=RkVEfjgwMjE0NTgzMTc2OS56aXA=&bs=MA==&st=MA==&bse=MA==&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw==&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFsL3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE=

SHA256 HASHES FOR SOME DOWNLOADED ZIP ARCHIVES:

79bb56b8a96afc946a50f39eff8c2e581cff32393b8378bfa9c0399c670a1f14 - FED_802145831769.zip
2c91288ee69e4ed78bff9cde5f8c8c4859ba1b2499731675ddc07050f05a4313 - N.874840756156.zip
c6772a34fc3dc0ad81d92f8565c449d2abe3c504fabb2745572555a811720761 - N_96319404848.zip
0ef507b103d1910bd66f4d0086ad89af1269e3946ed834a5f79a097cfc155d17 - Num_51919742639.zip
c0ffefd9172e047a2c8e86f9045cb9c658f4c9fe7e4321e6c63c2e3c5c96ed16 - Parc_131135223503.zip
NOTE: These samples can be found at:
- https://app.any.run/tasks/8f5e3293-5b86-43c4-8192-75da6c300a1a
- https://app.any.run/tasks/f1d2ba31-2a36-47c7-8ce7-e9cb12787ed7
- https://app.any.run/tasks/272ba991-6330-441d-93ce-478f12b1d050
- https://app.any.run/tasks/66a62676-9cbc-4ca3-ab9d-2e73e35ede6e
- https://app.any.run/tasks/10ec131d-860f-47ac-a84d-d7839ea894f7
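The out.php URLs above carry the per-victim and delivery details as base64 query values, and the decoded fN parameter is the zip name that shows up in the SHA256 list. As an added example that is not part of the paste, this Python decodes each parameter of one of those URLs (reproduced with the analyst's placeholders), flags any value that is not valid base64, and checks the decoded fN against the listed zip names; the paste does not say what the redirector does with hst, pth and ofc, so the labels used for those fields are assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the first out.php redirect URL from the paste, keeping the
# analyst's "[base64 string ...]" placeholders for the per-victim ipBE/uaBE values.
SAMPLE_URL = (
    "hxxp://agromsite.nichost[.]ru/ydmdlu/out.php"
    "?ipBE=[base64 string for victim's public IP address]"
    "&uaBE=[base64 string for victim's user-agent]="
    "&fN=Ti44NzQ4NDA3NTYxNTYuemlw&bs=MA==&st=MA==&bse=MA=="
    "&hst=aHR0cDovLzE4NS4yMTIuMTMxLjY2&pth=L2RyZWR3b3JkLw=="
    "&ofc=aHR0cHM6Ly93d3cuaXBvc3RwYXJjZWxzLmNvbS9pbnRlcm5hdGlvbmFs"
    "L3NlbmQtcGFyY2VsLXRvLXVzYQ==&swt=ZW5hYmxl&whl=MTg1LjEzMy40Mi4xNjE="
)
# Zip names from the paste's SHA256 list; the analyst wrote '~' as '_' in them.
KNOWN_ZIPS = {"FED_802145831769.zip", "N.874840756156.zip", "N_96319404848.zip",
              "Num_51919742639.zip", "Parc_131135223503.zip"}


def refang(url: str) -> str:
    """Undo hxxp / [.] defanging; urlsplit() rejects a '[.]' in the host part."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def decode_param(value: str):
    """Strict base64 decode of one query value; None if it is not base64
    (the analyst's placeholders, or junk an attacker pads a parameter with)."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def parse_redirect(url: str) -> dict:
    """Decode every parameter of one redirect URL. The paste does not say how
    the redirector uses hst/pth/ofc; the labels below follow their decoded
    shape (host, path, URL) and are an assumption."""
    parts = urlsplit(refang(url))
    decoded = {k: decode_param(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    zip_name = decoded.get("fN")
    return {
        "redirector": (parts.hostname or "") + parts.path,
        "zip_name": zip_name,
        "known_sample": zip_name is not None and zip_name.replace("~", "_") in KNOWN_ZIPS,
        "host_path": (decoded.get("hst") or "") + (decoded.get("pth") or ""),
        "ofc_url": decoded.get("ofc"),
        "undecodable": sorted(k for k, v in decoded.items() if v is None),
    }
```

Running parse_redirect on the other two URLs in the paste recovers the Num~ and FED~ zip names the same way.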

SHA256 HASHES FOR EXTRACTED VBS FILES FROM THE ABOVE ZIP ARCHIVES:

bf459071859563ee9cb850196e7cfb9b6ce4d440ead1e7d558d7e56601202e03 - FED~802145831769.vbs
ec60c3ec35e0d2ad9fee3df4d733c6fb746e30a32b5b9bafe02db9c2e5a3d7a5 - N.874840756156.vbs
8393f630e90c342b824929642db61360dc1ca369352d3d63279f01462abb1ca0 - Num~51919742639.vbs
eec8afb88f566ed463a3ea62defa891448a06a3dea74ced0caa5c6da226d956a - N~96319404848.vbs
feca372ab14eb4b546b4ef5762ced01cadf736f5494b53f078bb7a1fa6f39a02 - Parc~131135223503.vbs

SHA256 HASH AND NAMES OF THE INITIAL DLL FOR DRIDEX DROPPED IN THE C:\PROGRAMDATA\ DIRECTORY:

11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - CmrdeuHKg.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - FUQVrFfd.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - HbScmiVgop.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - SqOKKm.dll
11cb750080543d44a93a394261212db4f0fa234664c06918cc999238aa454870 - pvrcyqbKhqE.dll
NOTE: A sample of this DLL can be found at:
- https://app.any.run/tasks/ea43c9c3-a403-4b91-b304-b97fc3cc2dfc

EXAMPLE OF HOW THE VBS FILE RUNS THE INITIAL DRIDEX DLL:

reGsVr32 -s C:\ProgramData\pvrcyqbKhqE.dll
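That regsvr32 line is the host-side signal in this chain: a silent registration of a DLL dropped into C:\ProgramData, with the binary name spelled in mixed case. As an added example (not from the paste or its sandbox runs), this Python checks constructed process command lines for regsvr32 being handed a DLL from a user-writable directory, matching case-insensitively so the reGsVr32 spelling does not slip past; the benign command lines and the extra flags in the sample events are constructed.

```python
import re

# Constructed process-creation command lines: the paste's regsvr32 line plus
# benign activity made up for contrast (not taken from the sandbox runs).
SAMPLE_EVENTS = [
    r"reGsVr32 -s C:\ProgramData\pvrcyqbKhqE.dll",
    r"C:\Windows\System32\regsvr32.exe /s C:\Program Files\Vendor\plugin.dll",
    r'regsvr32.exe /S /i "C:\ProgramData\HbScmiVgop.dll"',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

# All case-insensitive on purpose: the paste's sample is spelled 'reGsVr32'.
REGSVR32 = re.compile(r"(?:^|\\)regsvr32(?:\.exe)?\s", re.IGNORECASE)
SILENT = re.compile(r"(?:^|\s)[-/]s(?:\s|$)", re.IGNORECASE)
# A DLL under ProgramData or a user profile, i.e. a location the VBS can write.
USER_WRITABLE_DLL = re.compile(
    r'"?([a-z]:\\(?:programdata|users)\\[^"]*?\.dll)"?', re.IGNORECASE)


def suspicious_regsvr32(cmdline: str):
    """Return {'dll': path, 'silent': bool} when regsvr32 is given a DLL from a
    user-writable directory; None for anything else."""
    if not REGSVR32.search(cmdline):
        return None
    m = USER_WRITABLE_DLL.search(cmdline)
    if not m:
        return None
    return {"dll": m.group(1), "silent": bool(SILENT.search(cmdline))}


def scan(events):
    """Map each flagged command line to its finding."""
    return {e: hit for e in events if (hit := suspicious_regsvr32(e))}
```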

EXAMPLES OF FOLLOW-UP DLL FILES FOR DRIDEX:

c38265e6eeda8fb97869fbe2264c0ca4ed44b900863ef55386b2acf48dd841f7 - VERSION.dll
1989cb5b0b6b04eca3049e0d1476d30cee43c7f5d0e1a9f70b50f934021407e3 - VERSION.dll
aa3ca9a7ec0ab6ef085b23c349ee717d94a6d7a57d06677030de8e8b6e40838c - dwmapi.dll
NOTE: These samples can be found at:
- https://app.any.run/tasks/9d6b6217-e4ee-423f-8279-37360c8b7203
- https://app.any.run/tasks/c3b22438-1872-4760-953a-36ec94e38c6f
- https://app.any.run/tasks/bae7ae48-5da4-4d24-adf1-0fd7b510cfbb