- 2020-06-24 (WEDNESDAY): VALAK ACTIVITY - SOFT_SIG: MAD35
- NOTE:
- - As usual from a US location, I got IcedID (Bokbot) as the follow-up malware
- EXAMPLES OF WORD DOCS WITH MACROS FOR VALAK:
- - 7e2ae571fd689bff2673097c92a334e0032f87274fbacb7dc5580ac3da51eb97 adjure,06.24.2020.doc
- - de92bed55173005abc2336c8ac0261ae08f33769f5d9ebb9dd9d24d312e5b32c adjure_06.20.doc
- - 5285083f25a2b285aa08bcbfef6e189b826ed3889bc76f50be38deea0f42e695 bid 06.20.doc
- - 3f25d2c2039a2658d5846f4a2eef0294b91b430e7622fe883e35163b9e166995 charge 06.20.doc
- - c65fd1f06f54ddb8156eb2e7b09c58c14329234b48fa879f4d59631c3f6976e9 commerce -06.20.doc
- - 629ce9a17b978471c1740d0a2931f5043c3e51f52ec5dc351019255f4161d266 commerce _06.20.doc
- - bec6c619dd6514ecbc6b8b66dc833576de3fbbbbd5a99551add6c7acc87174b8 document.06.20.doc
- - cfced51dd1f230397d0d498f15587f93a5409a14b6d332c9398750258c4782e1 document_06.20.doc
- - 7f86bef0240110c979d04e50f8911aaca607ad9a1041b4ecff0a025365f95500 documents.06.24.2020.doc
- - 7f44765f5a4ceea218564770e10b399ae5d96660fea1ffde04dff3b454959fc4 file 06.20.doc
- - 17dd8ba7deac9a0efd89ec7bf3c3ed72c05e35dea2494e92a17d9d6808795320 file 06.24.20.doc
- - 084df2038f17b7baf3f9feec455cb5280dea237a5643d824a060c6f3078c871c file-06.20.doc
- - c84df62a03548cab7532e3e7ad0ad012b869558d833900916986f898b6e1310d instrument indenture-06.24.2020.doc
- - d5bcc6f4dace1429b02acf1c8999a9f68127d5aaab985cb4d555e0d7c0ae80c8 legal paper 06.24.20.doc
- - a7fdf5fe6f3b1c5a3ac529ca19b479e78465f957b06e5de0e0b41c351f1966c8 legislate-06.20.doc
- - ad919a28ec0f166b356b5b4873952a479655dd524cc6895feed5afb25b4a24a2 material,06.24.2020.doc
- - cfaab7a4f5d1c4ea47c6f44cd9e2ebb620a2c9561dbe3e244f7e7a9a5311de00 material.06.20.doc
- - d43312c67cf6faa84efabd89d3c87e6dc4e107ba673cc03a6c3303e18e015eaf particulars 06.24.2020.doc
- - 53da1a9d1ceb735c58571327c79aa67a49bdff71ad766e38677f14fe041b92e8 particulars.06.20.doc
- - 931e10ef0a41c709de57181248e6b727ad20cf5ff57d7b3cc027e7383e90bbdb specifics_06.20.doc
- DOMAINS HOSTING THE INITIAL VALAK DLL:
- - a9nq0z[.]com
- - e7xfxb[.]com
- - ihgd1u[.]com
- - gma7im[.]com
- - gx6995[.]com
- - mbzrrt[.]com
- - w0j3oq[.]com
- URLS FOR THE INITIAL VALAK DLL:
- - GET /unbbmevd/d76.php?l=ftywl1.cab
- - GET /unbbmevd/d76.php?l=ftywl2.cab
- - GET /unbbmevd/d76.php?l=ftywl3.cab
- - GET /unbbmevd/d76.php?l=ftywl4.cab
- - GET /unbbmevd/d76.php?l=ftywl5.cab
- - GET /unbbmevd/d76.php?l=ftywl6.cab
- - GET /unbbmevd/d76.php?l=ftywl7.cab
- - GET /unbbmevd/d76.php?l=ftywl8.cab
- - GET /unbbmevd/d76.php?l=ftywl9.cab
- - GET /unbbmevd/d76.php?l=ftywl10.cab
- - GET /unbbmevd/d76.php?l=ftywl11.cab
- - GET /unbbmevd/d76.php?l=ftywl12.cab
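The twelve URLs above differ only in the trailing number, and the hosting domains are throwaway names, so a detection that keys on the path shape survives a domain rotation while a plain domain blocklist does not. Below is an added example (not part of the original IOC list) that matches proxy log records against both the listed domains and the path pattern and reports which signal fired. The log format ("client method url status") and the sample lines, including the unlisted domain unlisted-example.invalid, are constructed for the demo.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains from the IOC list, kept defanged as written and refanged here.
VALAK_DLL_DOMAINS = {
    d.replace("[.]", ".")
    for d in (
        "a9nq0z[.]com", "e7xfxb[.]com", "ihgd1u[.]com", "gma7im[.]com",
        "gx6995[.]com", "mbzrrt[.]com", "w0j3oq[.]com",
    )
}

# Observed URLs were /unbbmevd/d76.php?l=ftywl1.cab .. ftywl12.cab; match the
# shape rather than one value. The ".cab" name is cosmetic: the response body
# is the Valak DLL that is later written to C:\ProgramData as a .dat or .jpg.
VALAK_DLL_URL = re.compile(r"^/unbbmevd/d76\.php\?l=ftywl\d+\.cab$")


def classify(method: str, url: str) -> Optional[str]:
    """Return a verdict for one proxied request, or None when nothing matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    domain_hit = host in VALAK_DLL_DOMAINS
    path_hit = method.upper() == "GET" and VALAK_DLL_URL.match(path_query) is not None
    if domain_hit and path_hit:
        return "valak-dll-download"
    if path_hit:
        # Same download path on a domain not yet on the list: the stronger signal.
        return "valak-url-pattern-new-domain"
    if domain_hit:
        return "valak-domain"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse 'client method url status' records; return (line number, verdict) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed record; skip rather than crash the sweep
        verdict = classify(fields[1], fields[2])
        if verdict:
            hits.append((n, verdict))
    return hits


# Constructed sample records for the demo (not from the original capture).
SAMPLE_LOG = [
    "10.6.24.101 GET http://a9nq0z.com/unbbmevd/d76.php?l=ftywl1.cab 200",
    "10.6.24.101 GET http://example.com/index.html 200",
    "10.6.24.102 GET http://unlisted-example.invalid/unbbmevd/d76.php?l=ftywl13.cab 200",
    "10.6.24.103 POST http://mbzrrt.com/ 404",
]

if __name__ == "__main__":
    for line_no, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}")
```

The third sample line is the case worth watching for: the exact download path on a domain that is not on the list. Treat that as the same campaign rather than waiting for the domain to be published.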
- EXAMPLES OF INITIAL VALAK DLL:
- - 0f0d870fcad3e935d191e4076bfdc3812c278c3bdb6ec2233d71d9cf14a04a17 C:\ProgramData\40060179.dat
- - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\51508.jpg
- - e229806eefc3c76ed0a917969928ddce461a4e3934f9cb331f12b4d9c1ad6826 C:\ProgramData\51508.jpg
- - 73872d1c97da41772d51fec33613cc1de32b27b43ec5135d1a1c357de5fb9d77 C:\ProgramData\23196138.dat
- - 1bd323c57344a8b38ac22ceec92707ba3b6a30d29b66fc32e163649ea7de8a0f C:\ProgramData\29757.jpg
- - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\33060.jpg
- - 8ce9c42220de87bf0dedab305d7874d286726ac18bae834c80e0d6eba8438df7 C:\ProgramData\35604.jpg
- - 481659d344a246a19eb516b01ea71e074e893f6ab4ba9de11c24fba15a8ec9fc C:\ProgramData\48041329.dat
- - 659812b78542044d9ebb46743ecda037762a71a49f05322d5fa9bd8b3337d0d4 C:\ProgramData\49988373.dat
- - 59b5aaa1b9d1225610007636ef70dec8f0f1889661d12690d02494718f7df54b C:\ProgramData\56446.jpg
- - be14ed801453c78d6c80992705cfe0e7eb03f808d2b28704ffa2925cdc46fdc9 C:\ProgramData\77994156.dat
- - 8421811ca6b95b3a4f3610184af94f4295a57cc7aaca20062dd42acd76186733 C:\ProgramData\83511024.dat
- RUN METHOD FOR VALAK DLL:
- - regsvr32.exe -s [filename]
- - Can also be done using: rundll32.exe [filename],DllRegisterServer
- INITIAL SCRIPT FILE DROPPED FOR VALAK INFECTION:
- - 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2 C:\Users\Public\mUDSqcHQn.pAnNR
- DECOY DOMAINS FOR VALAK POST-INFECTION TRAFFIC:
- - e87.dspb.akamaidege[.]net
- - insiderppe.cloudapp[.]net
- - pagead46.l.doubleclick[.]net
- MALICIOUS DOMAINS FOR VALAK POST-INFECTION TRAFFIC:
- - thepicklepilot[.]com
- - joonaskallinen[.]com
- - xfitnessproducts[.]com
- - 59xidd-fuel[.]com
- - 19geds-space[.]com
- - 55sfors-cask[.]com
- VALAK EXE HIDDEN VIA ADS AND MADE PERSISTENT THROUGH SCHEDULED TASK:
- - a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:80cfabcd
- - a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:9c31fd9d
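Two host-side tells from the lists above are cheap to check in endpoint telemetry: the run method (regsvr32.exe -s or rundll32.exe ...,DllRegisterServer against a numeric .dat/.jpg file under C:\ProgramData) and the alternate data stream on C:\Users\Public\WSUDIAG.EVTX. Below is an added example (not from the original page) covering both. It assumes Sysmon-style fields (Image and CommandLine from Event ID 1, TargetFilename from Event ID 15), tokenizes command lines by whitespace so it assumes no spaces in the DLL path, and treats Zone.Identifier streams as everyday noise. The sample events are constructed; the regsvr32 line for msxml3.dll is the benign control.

```python
import re
from typing import List, Optional, Tuple

# Dropped DLL names listed above: purely numeric, .dat or .jpg, directly under C:\ProgramData.
PROGRAMDATA_DLL = re.compile(r"(?i)^[a-z]:\\programdata\\\d+\.(?:dat|jpg)$")
# <drive>:\<file>:<stream> -- NTFS alternate data stream notation, as logged by
# Sysmon Event ID 15 and as written above for WSUDIAG.EVTX.
ADS_PATH = re.compile(r"^(?P<file>[A-Za-z]:\\[^:]+):(?P<stream>[^:\\]+)$")
STAGING_DIRS = ("\\users\\public\\", "\\programdata\\")


def _dll_argument(image: str, command_line: str) -> Optional[str]:
    """Return the DLL path when the command line is one of the two run methods above."""
    exe = image.rsplit("\\", 1)[-1].lower()
    args = command_line.replace('"', "").split()  # assumes no spaces in the DLL path
    if exe == "regsvr32.exe" and len(args) >= 3 and args[1].lower() in ("-s", "/s"):
        return args[2]
    if exe == "rundll32.exe" and len(args) >= 2:
        path, _, export = args[1].partition(",")
        if export.lower() == "dllregisterserver":
            return path
    return None


def classify_process(image: str, command_line: str) -> Optional[str]:
    """Verdict for a process-creation event, or None when it is not a run-method match."""
    target = _dll_argument(image, command_line)
    if target is None:
        return None
    if PROGRAMDATA_DLL.match(target):
        return "valak-dll-run-method"
    if not target.lower().endswith((".dll", ".ocx", ".ax")):
        return "dllregisterserver-on-non-dll"  # registering a .dat/.jpg is the tell
    return None


def classify_stream_path(path: str) -> Optional[str]:
    """Verdict for a file path that may name an alternate data stream, else None."""
    if path.lower().endswith(":$data"):  # some tools append the stream type
        path = path[:-6]
    m = ADS_PATH.match(path)
    if not m:
        return None
    file, stream = m.group("file").lower(), m.group("stream")
    if stream.lower() == "zone.identifier":  # Mark-of-the-Web; everyday noise
        return None
    if any(d in file for d in STAGING_DIRS):
        return "ads-payload-in-staging-dir"
    return "ads-unusual"


# Constructed Sysmon-style events for the demo (kind, Image or TargetFilename, CommandLine).
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe -s C:\ProgramData\40060179.dat"),
    ("process", r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\ProgramData\51508.jpg",DllRegisterServer'),
    ("process", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    ("stream", r"C:\Users\Public\WSUDIAG.EVTX:80cfabcd", None),
    ("stream", r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier", None),
]


def triage(events) -> List[Tuple[int, str]]:
    """Run every event through the matching classifier; return (event number, verdict) hits."""
    hits = []
    for n, (kind, first, second) in enumerate(events, 1):
        verdict = classify_process(first, second) if kind == "process" else classify_stream_path(first)
        if verdict:
            hits.append((n, verdict))
    return hits


if __name__ == "__main__":
    for event_no, verdict in triage(SAMPLE_EVENTS):
        print(f"event {event_no}: {verdict}")
```

The same classify_stream_path check can be run over scheduled task actions: a task whose command references a <file>:<stream> path is how the ADS-hidden EXE above gets executed, and such a target should not appear in any legitimate task.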
- INITIAL ICEDID EXE FOUND ON VALAK-INFECTED HOST:
- - 9ef0f3b08d66a83ca24735016556964efad5c50023d9638bf94e45d9a29febbf C:\Users\[username]\AppData\Local\Temp\~5394765.exe
- ICEDID PERSISTENT ON INFECTED WINDOWS HOST:
- - 39a9cd9816d520124a30a2d623a105c5cbb8f66c2de21650153a46642801091e C:\Users\[username]\AppData\Local\Xurare3\bodads.exe
- DOMAINS FROM HTTPS TRAFFIC SEEN DURING ICEDID INFECTION:
- - load4th[.]casa
- - sweeteator[.]best
- - plutiasitop[.]top