malware_traffic

2019-03-05 and 06: malware from malspam pushing Ursnif/Gozi

Mar 6th, 2019
EXAMPLES OF SHA256 HASHES FOR ASSOCIATED WORD DOCS WITH MACROS:

1022c65615fa34947847ed76fc0fcc6f32c0f53c6a3fbab5cc7d05955216da55
1334b8b21c911ebf226d9757d1468dbf000ec62de114cfe59a79ec30735bcb1c
2052343e468a67f6d8bae96b93299a99141937c535d0a7c2b45fbc48221c5951
2b1b6402200f2c5fdb12b5df1927177db9be8e7374c497ac31848b2c4a01714a
48a99d007f50db9e00f64cc4176618c619af0c48eab602c833db4277d4b215c7
564328a57f35e0d93d102ec34e084a4d2e458540ca25be4744aed85469e5432b
569a8cd62c3aa8162189901bae682998548317094a670cd7c9fb9365fc4c5a97
73c89f03c3ff997fdd2825cca0c721e72d1082b26c018e150f12b5cefe677782
9548cdc40e0d16eae2e0f9969dd861bb37654f7b6d2dc5ca0faadf6b0599d221
a8023050e5e22c284597784f8b7f1c3f2a4913fe932cc13a9c1442012d15718f
ac4cf830907382507f97e241a8ca9ae39c3dba5ee5f435ee6cec8147364cabdd
b23191a23277e3a22b8912d7bb95c83cee0ded5252ad2e9ec028ca9714da52b8
b4cc5702a9ace666880377838ec6d679866665c2055bf6e7cdd0708a344b7a78
b819e5a71bbd81af0221a482446890c280ce0be57d9b911a3912434b829cbf6d
c206f21571bb807783aabfe1fff0a203490da4e7667e469dca777049b6d3e180

EXAMPLES OF SHA256 HASHES FOR ASSOCIATED XML DOCS WITH MACROS:

20606803947ff3829a2c597f8c1b4de9017c3c834f9d0843d93d8264104f9322
724bcde664d8c90357808566e5a405b1a12ecf54ef098b223dfa13b6b6e24246
b0cbf0627c5dd1b6024cfaee94609bfe10c311d0f81392986d5b42163e1701d4

URLS FOR URSNIF/GOZI CAUSED BY MACROS:

- 46.29.165[.]85 port 80 - hkristinah[.]city - GET /hssuwpqksm/o.php?l=mxap1.bz2 (up to mxap15.bz2)
- 46.29.165[.]85 port 80 - liumelvin89oayy[.]email - GET /hssuwpqksm/o.php?l=mxap1.bz2 (up to mxap15.bz2)
- 89.223.90[.]27 port 80 - v73adrian79[.]company - GET /hssuwpqksm/o.php?l=koagura1.bz2 (up to koagura15.bz2)
- 89.223.90[.]27 port 80 - xe7nikkij[.]email - GET /hssuwpqksm/o.php?l=koagura1.bz2 (up to koagura15.bz2)

EXAMPLES OF SHA256 HASHES FOR FOLLOW-UP URSNIF/GOZI EXE:

02b4cab8bf05d48cea63e40af44991c9985763fb8175411c69380730984f8631
06243684f00de6c618dfc851c783033f3657043529b278f175fd82a5520d785d
06e65ed65e62067c1913af3eda0117157251b9de454f465b19115afb25285150
0937c16bc256ec992913ca949fa1310c984d3b523a62ad0ce7595a0ffa82910e
0bab4ce13b8896f805841c97754b1cd6451468d0d29cec3c700678147947aef2
1411344d63ba80d718a6a98a1de0354aa4ce8ce91257a4408ef81d3fc9542cc0
14641b7be9df7b04a7f5060c95e799e03d625d51eabbd9b105e5195408570ec4
24357b663f5e2eb60aeb28840da94008c521bd8cd1c042725abb3fa165229754
279e3b322b88bd08a4d3d2b9b01505f97b0de82e71bfa90463e0f33baeb0c299
27da297ad66f7ab09ab4b5c2e3eb7209b04a50c9fe936f732587141e06ca2635
2a4433975b598054944e1af3d559db223f4fd92030456caeb14c00f32f4401f5
331fee4f87aa24f9bbe2f96319632e5ec9484f568073eff3d4037f295cb941b5
3700397d30aeae3dce64cd86c1e036ce8feaa3c5f4c779d19b93c1649c967a4e
38e4a44e022ede5d27eed27d251dc54a7ffddd830906bf7dde863116c721563e
391428aa95ce2059671335fdf617360c274a73e7b6575a4b5cd9164fef27acdc
3b05e754fd59194fd8b5158d1df4a86249c10204444048527846ff8888c9badd
3d96419d4c307864a79a39772785a9c8f4b655d92ffeabc27d6cb9ad728485fc
4274124b1b9e95d24167a5c49bac9c376d2d3f368471981a2ab64a79d4ea5587
4554d84be9d973ec89767a7095040da1121e337959f34f9aa42825d4268ee283
47a2a72efbd28ac7df1ef0ce71cbefbdd4677a9d8fb862b84471be1e1c931ad4
4c1021ca411f11c58fc3d16e43a24d4842c5dd5d27939fb88aebcef785796c1e
4d98d60093f1bd12c7abc8f6b08ba4341522a147bc40233363de55804fb6ec74
4e755ac584a5537c491ee133aeea4289ca2942456aa18c710391fb0f92acf4d9
4f6b9f7600098121489c3f053a63ed85a0fe49a899d513c38888588369259b9d
58dad0d5e05f6d61c75b17cf580eb64c93b578c1d578d3239513618f2d241dbb
59c8147ea2b258f8d212dc7b5f963adc1e1f25495fc5f2c30bbf459af7e0c67f
59edc52658004655281d116ba63fb86e1f4e4cb539483832624555adfc268b9c
5b2a51c737f0c6d74ebd4d199ea03e3c699a7a74e445bfaebb6fcfa2b50d7069
5d7aaa2a436a7b97bcd80caf228c5184341d8fecc0bf46e58d5387618bb200ce
61a7617b332de0bf083d847fb95503bc5b4c5620750c39f8be7b6f1b56db3fd6
670e0d46859e3243625f9d0057b168f893c8cde9d222c197eee715342e79ca04
6c246e9f47a5ead5bfad7f62c776fc228574f18515d68dc92d1b3a5e1b8bd7f5
7435082d61ce50440c6c5ff63082cbf56d1139a71fb4499d289b99f28c6c9a15
74743be3a5dae53e61aa5d189c47c827197b29d1f0ee5563b91868d7984dff27
79326f02fc0e3fa9d57f0880b8ce1ff38df48dc8f9a278e017ebad658e0d782a
7bd10cf93053f31c554cbc1fd23b9b2d371491a64db0e11d77b1b9c5c6adb25b
81e754d96064990f3f0f71f1993ef2549c0ca9f65e09798ba1369ef39788751b
872252ab5b2b2b125bf53011469fb563a8dd06c9d55416546fe9e82857fa376e
95a1805c45668779cf0793e4ebb2a5cfdce779c0f87bb5b9a8296171b34fae9f
96e6425f90c8b8ba1a8f9b43fe42d127aa314ec827f96069b81d4f3625118690
9779dc58dd04accfddb931928d3fd214389b1b8871ce0dc8d6323800c0bd26f4
a2bf302d6ca0a06ff9fb1b625ecbd05fee3fe46a9eba7ad674d7ccc3dde26f31
a3d4cae9f295728f57d79a4b6c1655cad455772fcaf06a8427a06e5ec3300aee
ae3ff84eb528fd23baa040fef6eee2ee1b40acd26f77b481c22ff3e871e93728
ae5639d803ce7e5193d59f2d1d861ec813be641d1b328ebe88050edbfc4c8ee7
af9e4591744117eb9a86f5877d818f2a685f3ba9d47bba593d6014005a0d194e
b1b4fd251c1b080a88ca6a74d421a8b055674da546e26936062c607142908d93
b205069799a5c0e894a21982a13f9b3773fa98eaf25e502668192d77a9479335
b650058eda36f87916e616cc1ffd21b4200719e4c95a1c06aed7dbc8839eb30d
b814384063ec1b52de4097687be26d1d9f1350fcc50b3f70fdf758d01eb5a615
b937c6caa11891423f0c8c70d23b9c52e8a0e5571f172c9076cc48a0019234b0
bb4e404bd278a4d06c666dbc29aff7b04092c96aa62c0c99dda1abb0107c2c6a
cc6f41cda64e9728689127c57a1f12c2d71d8a6841ffbf79ef0d63cfb58bc301
dafc28a58d6c829ec203c0a9b30f6631c30ced1e1324c8cfcd5db3222203bf1b
e308a457dc786f31b6a1c53a38d2a09ab38e43b01d3cb7729dffb524f43da56c
e547ddb18dd4c7797c9e89630c175b3e986d728300ec6b2e984be4262a4f665e
e643e3936816130ea1415b4eaeb86833b412837985d8e1da87459d2cfef8defb
f52e4f5da6e53a3221a1d8ca63b8261075b919c26a7c25a1065ba4570f4c90eb
f8d9600b699f5ce999bbe223b9a0a3446343bde79daeef48e5deadcb8f913689
f922575fef0258c122ae793eb74496eb12faf7c091cbdd39c0ee6396c96b66d9

SANDBOX ANALYSIS FOR ONE OF THE WORD DOCS:

- https://app.any.run/tasks/6a2644b1-51ec-4702-8eb7-ec9a4b04c41e
- https://cape.contextis.com/analysis/43022/
- https://www.reverse.it/sample/1022c65615fa34947847ed76fc0fcc6f32c0f53c6a3fbab5cc7d05955216da55

SANDBOX ANALYSIS FOR ONE OF THE EXE FILES:

- https://app.any.run/tasks/243cdc24-35fb-46dd-a4b4-a354cf871eab
- https://cape.contextis.com/analysis/43026/
- https://www.reverse.it/sample/02b4cab8bf05d48cea63e40af44991c9985763fb8175411c69380730984f8631