malware_traffic

2020-06-24 (Wednesday): Valak activity - Soft_sig: mad35

Jun 24th, 2020
2020-06-24 (WEDNESDAY): VALAK ACTIVITY - SOFT_SIG: MAD35

NOTE:

- As usual from a US location, I got IcedID (Bokbot) as the follow-up malware

EXAMPLES OF WORD DOCS WITH MACROS FOR VALAK:

DOMAINS HOSTING THE INITIAL VALAK DLL:

URLS FOR THE INITIAL VALAK DLL:

EXAMPLES OF INITIAL VALAK DLL:

RUN METHOD FOR VALAK DLL:

- regsvr32.exe -s [filename]
- Can also be done using: rundll32.exe [filename],DllRegisterServer

INITIAL SCRIPT FILE DROPPED FOR VALAK INFECTION:

- 88f34842ffadf864ff44e4f3b28fc2a3e4614d0e2e4f836f140d12d3121568c2 C:\Users\Public\mUDSqcHQn.pAnNR

DECOY DOMAINS FOR VALAK POST-INFECTION TRAFFIC:

- e87.dspb.akamaidege[.]net
- insiderppe.cloudapp[.]net
- pagead46.l.doubleclick[.]net

MALICIOUS DOMAINS FOR VALAK POST-INFECTION TRAFFIC:

- thepicklepilot[.]com
- joonaskallinen[.]com
- xfitnessproducts[.]com
- 59xidd-fuel[.]com
- 19geds-space[.]com
- 55sfors-cask[.]com

VALAK EXE HIDDEN VIA ADS AND MADE PERSISTENT THROUGH SCHEDULED TASK:

- a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:80cfabcd
- a2e683ed3b00ce43517b0ffa99177b19e18ab4c0a27198082e2197801f22b0ed C:\Users\Public\WSUDIAG.EVTX:9c31fd9d

INITIAL ICEDID EXE FOUND ON VALAK-INFECTED HOST:

- 9ef0f3b08d66a83ca24735016556964efad5c50023d9638bf94e45d9a29febbf C:\Users\[username]\AppData\Local\Temp\~5394765.exe

ICEDID PERSISTENT ON INFECTED WINDOWS HOST:

- 39a9cd9816d520124a30a2d623a105c5cbb8f66c2de21650153a46642801091e C:\Users\[username]\AppData\Local\Xurare3\bodads.exe

DOMAINS FROM HTTPS TRAFFIC SEEN DURING ICEDID INFECTION:

- load4th[.]casa
- sweeteator[.]best
- plutiasitop[.]top