MalwareBreakdown

05/04/2020: ZLoader Campaign IOCs

May 4th, 2020
https://twitter.com/DynamicAnalysis/status/1257369145177526272?s=20

ZLoader malspam (with .xlsm attachments) coming from AOL addresses on 05/04/20. Downloader URLs included:

http://theislandmen.com/wp-smart.php
http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php

Both redirect to the ZLoader DLL at:
http://visadvise.com/cgi-bin/s2dhfwe.php

Active C2s from the sample on this date:
https://rswtgmhf.pw/wp-config.php (resolved to 47.241.108.179 on this date)
https://fwgdhdln.icu/wp-config.php (resolved to 8.208.3.130 on this date)
https://pwnuuhiikmjmkrjeyuxr.com/post.php (active DGA domain, resolved to 5.53.124.144 on this date)

Full list of DGA-generated domains from the sample:
achbisjjkihqsyoaihmg.com
tdsbxwbarchmwavsjimo.com
pgalqbkxelhtvualpoha.com
tqgrdrcnffewtbqenjsa.com
kolaitxpngdoieylltnp.com
piydguvyuwqjfgfapdks.com
blsdaibtsfuhikwvtyxs.com
wvtpfmkxblvpjspdkutn.com
wcadieylottjkrliqjur.com
jeicekggiydgctuknhmt.com
womuqitjkvuabdhyykmj.com
tasbrhccifajxyrbmcga.com
rfhvoiwkmmpqjpvdgxhr.com
fsfcogxscgowecjsyvqh.com
sjiwryqclrcadiwcenjv.com
atxpymyuefpnrgbymvro.com
lqbhfxmxbbisonshbefj.com
xuuotbqgjalpledwottm.com
nodfhvofnloprtfwlxyy.com
kwokrlixscyoaiqmhriv.com
qkdjbvcsthyrtiejaxsp.com
rvaneeovpmfpcjyfcbek.com
lkmpcagrrgxhofmsvlhw.com
pwnuuhiikmjmkrjeyuxr.com
bsahvhkkhgkbxluwasah.com
vsxnodiaswmycekudbmn.com
bkbubsrivqhdqktcehln.com
mrpmtpirkfljvsxxqoju.com
cqibdhgyppijnreplpah.com
aqehtklvwsanpefmkcbk.com
uecphxxqlgfkirhunyut.com
qohlvtpcoxxfdrwdysvi.com

.xlsm sample:
https://app.any.run/tasks/19abc6bd-1595-42e8-8359-2ec5d93d245e/

ZLoader sample:
https://www.virustotal.com/gui/file/53283e084e43c993b12db2affe159525c6e203657e4f69d989499308ab302f52/detection
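The indicators above are only useful once they are matched against telemetry. The following script is an added example, not part of the original paste: it loads the downloader URLs, payload URL, C2 URLs and IPs, and the DGA domain list from this page into lookup sets and runs them over a handful of constructed DNS and HTTP log lines (the log format, the hosts `abcdefghijklmnopqrst.com`, `cdn.example.net` and `www.example.com`, and the source IPs are all made up for the demo). The `DGA_SHAPE` regex only captures the observed shape of the listed domains (20 lowercase letters under `.com`) so that look-alike NXDOMAIN queries surface as lower-confidence candidates; it is not ZLoader's generation algorithm and will produce false positives on its own.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Indicators transcribed from the paste above.
DOWNLOADER_URLS = {
    "http://theislandmen.com/wp-smart.php",
    "http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php",
}
PAYLOAD_URL = "http://visadvise.com/cgi-bin/s2dhfwe.php"
C2_URLS = {
    "https://rswtgmhf.pw/wp-config.php",
    "https://fwgdhdln.icu/wp-config.php",
    "https://pwnuuhiikmjmkrjeyuxr.com/post.php",
}
C2_IPS = {"47.241.108.179", "8.208.3.130", "5.53.124.144"}
DGA_DOMAINS = set("""
achbisjjkihqsyoaihmg.com tdsbxwbarchmwavsjimo.com pgalqbkxelhtvualpoha.com tqgrdrcnffewtbqenjsa.com
kolaitxpngdoieylltnp.com piydguvyuwqjfgfapdks.com blsdaibtsfuhikwvtyxs.com wvtpfmkxblvpjspdkutn.com
wcadieylottjkrliqjur.com jeicekggiydgctuknhmt.com womuqitjkvuabdhyykmj.com tasbrhccifajxyrbmcga.com
rfhvoiwkmmpqjpvdgxhr.com fsfcogxscgowecjsyvqh.com sjiwryqclrcadiwcenjv.com atxpymyuefpnrgbymvro.com
lqbhfxmxbbisonshbefj.com xuuotbqgjalpledwottm.com nodfhvofnloprtfwlxyy.com kwokrlixscyoaiqmhriv.com
qkdjbvcsthyrtiejaxsp.com rvaneeovpmfpcjyfcbek.com lkmpcagrrgxhofmsvlhw.com pwnuuhiikmjmkrjeyuxr.com
bsahvhkkhgkbxluwasah.com vsxnodiaswmycekudbmn.com bkbubsrivqhdqktcehln.com mrpmtpirkfljvsxxqoju.com
cqibdhgyppijnreplpah.com aqehtklvwsanpefmkcbk.com uecphxxqlgfkirhunyut.com qohlvtpcoxxfdrwdysvi.com
""".split())

KNOWN_URLS = DOWNLOADER_URLS | {PAYLOAD_URL} | C2_URLS
KNOWN_HOSTS = {urlparse(u).hostname for u in KNOWN_URLS} | DGA_DOMAINS

# Observed shape of the listed DGA domains (20 lowercase letters, .com). This is a hunting
# heuristic derived from the list, NOT ZLoader's DGA; treat matches as candidates only.
DGA_SHAPE = re.compile(r"^[a-z]{20}\.com$")

# Constructed log format for the demo: "<ts> <dns|http> <src-ip> key=value ...".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|http) (?P<src>\S+) (?P<fields>.*)$")

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2020-05-04T09:12:01Z dns 10.0.0.12 query=rswtgmhf.pw answer=47.241.108.179",
    "2020-05-04T09:12:05Z http 10.0.0.12 url=http://theislandmen.com/wp-smart.php",
    "2020-05-04T09:13:10Z dns 10.0.0.33 query=bkbubsrivqhdqktcehln.com answer=NXDOMAIN",
    "2020-05-04T09:14:00Z dns 10.0.0.44 query=abcdefghijklmnopqrst.com answer=NXDOMAIN",
    "2020-05-04T09:15:00Z http 10.0.0.55 url=https://www.example.com/index.html",
    "2020-05-04T09:16:00Z dns 10.0.0.12 query=www.example.com answer=93.184.216.34",
    "2020-05-04T09:17:00Z dns 10.0.0.77 query=cdn.example.net answer=8.208.3.130",
]


def classify(host, url=None, answer=None):
    """Return the strongest verdict for one observation, or None if nothing matched."""
    if url is not None and url in KNOWN_URLS:
        return "known_url"            # exact downloader / payload / C2 URL from the paste
    if host in KNOWN_HOSTS:
        return "known_host"           # C2, downloader host or listed DGA domain
    if answer is not None and answer in C2_IPS:
        return "known_c2_ip"          # unknown name resolving to a C2 IP seen on this date
    if host is not None and DGA_SHAPE.match(host):
        return "dga_shape_candidate"  # looks like the listed DGA output; low confidence
    return None


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    rec = {"ts": m["ts"], "kind": m["kind"], "src": m["src"],
           "url": None, "host": None, "answer": None}
    if m["kind"] == "http":
        rec["url"] = fields.get("url")
        rec["host"] = urlparse(rec["url"]).hostname if rec["url"] else None
    else:
        rec["host"] = fields.get("query")
        rec["answer"] = fields.get("answer")
    return rec


def scan(lines):
    """Return one hit dict per log line that matched an indicator or the DGA shape."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["host"], rec["url"], rec["answer"])
        if verdict:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "host": rec["host"], "verdict": verdict})
    return hits


def summarize(hits):
    """Count hits per verdict so an analyst sees high-confidence matches first."""
    return Counter(h["verdict"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["src"]:<12} {h["verdict"]:<20} {h["host"]}')
    print(dict(summarize(found)))
```

In practice the DNS side is the most durable signal here: the listed domains were NXDOMAIN or resolving to the noted IPs only briefly, so retro-hunting query logs for the 32 names (and for the C2 IPs as resolution answers) finds hosts that ran the sample even after the infrastructure is gone, while the `dga_shape_candidate` verdict is best used to pivot, not to alert.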