malware_traffic

2020-05-12 - Word docs with macros for Valak

May 13th, 2020
2020-05-12 (TUESDAY) - WORD DOCS WITH MACROS FOR VALAK

NOTE:

- This appears to be a continuation of the malspam-based distribution campaign that had previously used password-protected zip attachments with passwords like 111, 222, 333, 123, or 777 (and so on, historically almost always a three-digit password).

- This malspam-based distribution campaign used to primarily push Ursnif, but sometime during March 2020, it switched to primarily pushing Valak malware (usually with IcedID when the infection runs long enough).

- This campaign uses stolen email chains to make the malspam look like a reply to a legitimate email.

- Sometime in April 2020, the naming patterns of the Word docs changed.

- Sometime in May 2020, the Word document template changed to what it's using today.

EXAMPLES OF WORD DOCS WITH MACROS FOR VALAK:

EXAMPLES OF URLS TO RETRIEVE THE INITIAL VALAK DLL:

EXAMPLE OF INITIAL VALAK DLL:

- SHA256 hash: 9abde3fc03002275f98a9ee72d38b74365c49f8963ba99558a4482ae96f05459
- File location: C:\Users\[username]\AppData\Local\Temp\xc.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\KL.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\cb.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\k0.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\Sc.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\Ng.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\e7.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\lC.tmp
- File location: C:\Users\[username]\AppData\Local\Temp\WF.tmp