malware_traffic

2020-06-30 (Tues) - Valak (soft_sig: mas37) info

Jun 30th, 2020
SHA256 HASHES FOR WORD DOCS PUSHING VALAK:

- 2343c127037f6941956db9e5813e67f721739e187b978c35de050b849f899cfe input_06.30.2020.doc
- 43e2b0d9cc45327bd4ea0864d3eb258e95a7fc5bacdc2c523443e528da45c941 direct.06.20.doc
- 5986dbadd90892a8bcbba4800934c76c919c3d76b77b624259bcfce6643c42ff instrument indenture_06.20.doc
- 6b7b51feb85f6ddb4ce5b6df7ca291fb425961179ff9cc7efd8011bc64918ad9 commerce .06.20.doc
- 6df6c10f882b5c56a22a14ef9ed611ebcb2e75e0977f784bc9e49fcea55f7466 dictate-06.20.doc
- 713b8ee4d69ab5f7db4b5e24fd395d6bbbc0a0f8f8e7b2968b044d231972aab7 require_06.30.2020.doc
- 8b3abaed216bb346e12c72deb04736fc1c924efe4afa5fdac5e652f3f04cc3b4 files-06.20.doc
- d8b6998a8d8792c76872493c7fd53c3b6d00ae5c215c7ec814342c236fc7dc2b file,06.20.doc
- f10db2247990e6ea29d90a8aeb567576af903d65654bd04d8ad910b68e5250fb statistics 06.20.doc

URLS FOR INITIAL VALAK DLL:

hxxp://178.62.53[.]215/wp-content/themes/busify/_PbLR41ZWteURSpWq.php?x=MDAwMSBoAcWc2LRSaD8wIm9JaB102ANxBYghOSvEzkivZDZpIV_9RdpNplA4sXyghImppb__CBNPq7MRzRvvamxjFBJqvGSFHBUH20_P1rrWVOqStAag0YNj2fw2igPzRkHALqIwTMgVHwh-vEJoPEt6&y=cmVxdWVzdC56aXA=

hxxp://www.anacatellieventos[.]com[.]br/wp-content/plugins/sheet-music-library/__oR_IjoGP8_PPzkx.php?x=MDAwMSBOWIGBFbL-0azkdhrhr-OPh01f1raq-dqZp2T_Xz3HnvPG8LlCasHir1TKR2aRS3OBH1iVy892lyVNDCyK53HizZpfKCDV2CT9bCfyYxhrIMLnkBYKeUZtLwztGhG9d3XCjNk9Aj8aQ5CcPxAz

hxxp://www.anacatellieventos[.]com[.]br/wp-content/plugins/sheet-music-library/__oR_IjoGP8_PPzkx.php?x=MDAwNSDHRDXq21curp6JP37js56dAJDy59u_m4kZy0_j_fo2A0jBFWxSPmi1cVnZ2w-LF5wRND5qlKZFE3HXK5Dl4OltE19g8ruAVxIcF0X3IRQZYy5c0lWI5SmxVAf1yLcBfvMtF4qOd8rfkHoFwYj-&y=R

hxxp://conserviengenharia[.]com[.]br/wp-content/plugins/sheet-music-library/__I9CUC7Zn37Tmtyh.php?x=MDAwMSAIvo8tTGdKdOH8kjyjFFCh-XE5VIsIFu3fqoCXWxtGVpbY-qVqAjCsVUDK7sE9HX19AICoppurif5iqVg_tMDBKNJuS7683zU8mSPQL5KzwabZP_PgTu-1G2_8Dos7JlUsW1xampyP5Yve7zOR

hxxp://conserviengenharia[.]com[.]br/wp-content/plugins/sheet-music-library/__I9CUC7Zn37Tmtyh.php?x=MDAwMiChmVzZFaUj2UP6oLqhT4Ot0cR5QoJoFKGajkLoNMJdNHkVW58HVR-Ud3PIxUAkMBR5_y5phdyK_FFgxZC-0xavF8gMwnryMLIC9VNvn77F7OIbzUxmEr1DahW91a8FZHEEhw2XAXbfhAkMGdx8&y=RkVBTV9UZWNobmljYWxfVHJhaW5pbmcuemlw

hxxps://www.cursosler[.]com[.]br/wp-content/plugins/sheet-music-library/_LSojVUoCxtLM8CCy.php?x=MDAwMiBH2Aq-Fe6hRnOMSiKlfruOtxOBzTKZYpw6Reqf_IqA6w19D0Fk9cUwhOqkSegPHyWcGVGOQuaoV3IGdN07R4e-dpVZgTf4_Bde9ToZGI8p_5C1Yn0QDDfXxip3xPpZVAjIJHM0syqZk09Bauz3&y=RXhjYWxp

hxxp://digifish3[.]com/blog/wp-content/themes/busify/_eWTFIH4ngoi2PJUl.php?x=MDAwMSBskYeC02Ql3VG8Ae9TVFHu6uY34q-zd5ISLrA1LlMNJ88yi_SVZUlkWiyyC9gmFThkFMVkHIlaI-DSlZPLLzSuvVgZWgWuujIh-VCBWg50AL-jKfRnl38NNw89_MLBalU19J9qyusiuA_X0pqC

hxxps://lartabea[.]org[.]br/wp-content/plugins/sheet-music-library/_8Q4vDIzBBCLZIBfR.php?x=MDAwNSB2z05LKE63zs0eKn89CKxK3-wtkZP4FOYnq1lgT7M2L7DF0RNkh69Xs4q5eD-p2BrpS9fva-4e7QhUUqs80c9JKaHQSCnG5oV19lKkotEc6Z2l1CjdMX1Q6wCHBoU_2KwLNphWYIkDKkdauUMi&y=RXhlY3V0aXZlX1RyYW5zcG9ydGF0aW9uLnppcA==

hxxps://www.nasproje[.]com/wp-content/plugins/sheet-music-library/_5PvmqsbqvY2g-wh3.php?x=MDAwMiAnZmeaQrFlmFmE-reGzl11dyp8nHkf7tZA00FI0qUQkeAt3qgDDe1W9Fj9MFXOjhilh2uLmMFN5Uf7sSEr0M1QZqVFRRH8A54H9Svc7kERi4H1D7onjJvaaiWOzFKfNAgyFo9wSGTAgTYIiiHj&y=RXhlY3V0aXZlX1RyYW5zcG9ydGF0aW9uLnppcA==

hxxp://ocean2river[.]com/wordpress/wp-content/themes/busify/_wAMow2Lxyz8UNW4i.php?x=MDAwMSDNZ6I-qdI0prPT2ls6nNKESOR20N1RgM4HmsjtZd5Qx1bvNQWxhc4k5fQyFxOaq4NYYdYCN7H4ui6Xf3XUN9_8e4MYUEAq79dVtJaqxFnJPCpZTL-8gDgQfUMyZSEnqQeDo3b7qVfOevWVm0In

hxxps://staging-emama[.]kinsta[.]cloud/wp-content/plugins/sheet-music-library/_3o2liPpLWjwlvele.php?x=MDAwMiBJBQIHyIO-konc33mauL3csnB4iEaU49FofYuMFnLCcS1sgkpU2TD6o6U1Rf4sfl_ZtBMvOEy41ygmZDivZtgSffqmYMNS2mH7kroNZ6mZbcndn3nNa635eaDr6uyjmbKY3MPFvcS57ab6BK-W&y=RkMuemlw

hxxp://stega[.]com[.]br/wp-content/plugins/simple-shortcode-block/_OZ-BEMMLLPU5qIHC.php?x=MDAwMiAAaHttuNUZONBCk-mgXSC2lsnySP3pkJK1Mhy1BQWmPR9BLadR6Po8Ounjrt7awnqhv6GIiIu7MOPbudr7rJUFTWEMx_f_uNVLHe-ofJmQ_y3JhxX7DPnsZ_58wIbwjfXZj8tvzeBh9xm9EP2k&y=cmVxdWVzdC56aXA=

hxxps://sx-facemask[.]com/wp-content/themes/busify/_Eb-6XZQPkeWFE2F0.php?x=MDAwMSCXfM02CmgQnk-DMmwZ6iqPCFHtzoeaRLfZrzLpiPzvIOSihDhzp9ISW4bpG92mmNuiHQNMEkLVrUmEz6koYzX70xVMGf6jVCqQeRVe7t85UJ6Q_r7oGwyZGzHnKZK1O-jzvCDYaZSg3VuYDRvD

hxxp://tarimelaletleri[.]com/wp-content/themes/busify/_b_X1VMX9WBjUof0v.php?x=MDAwMSDXdihR-B_9uYRXZr8uzD_lK1FjvBOUkpooQfnhuLhVk-yu2D-M_FsLWnqlUYMlRnp3lrJFujHVyr16rJgGNt8JuPzxCcoqEAx7F2kEsHQt4oFOQ8jzu-h4AkydP_i0H2l9euDG10ZNCwVQWEGm

hxxp://technodroidstore[.]tk/wp-content/plugins/sheet-music-library/_WgE2fcIjkMVSpvG6.php?x=MDAwMCCblyxN5bvCHAD2SK-NbX6VnNZ-zLp4CTygd2Qm2MeeoD7JCTxEbK7K5yfOsx4l21Gcg2dzLwvMNc336H0Pts8767i6OfkTPMbt3DE6m2Gu88-rHsFDNomqMbDUU4xz2ublm9qgYZUatmy5ZJLM&y=RkMuemlw

hxxp://technodroidstore[.]tk/wp-content/plugins/sheet-music-library/_WgE2fcIjkMVSpvG6.php?x=MDAwMSCavhlnM1n8jhvQHi8BIl0WCqQcoj2XDZ--FPGUNQrnmCmXh74O0ULhy_SWWrISJDyZ5U7-p1wuJtu7798sq8synKeM9WNuVvGsnkX6Hp-iq0fOpyFMjCp3jig8wTa_uEi5iwK3aSHhoWc4__Gd

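The x= and y= query parameters on the URLs above are URL-safe base64. The Python below is an added example, not part of the original paste and not code from Valak or any sandbox: it refangs each URL, decodes y= to the file name it carries (request.zip, FEAM_Technical_Training.zip, Executive_Transportation.zip, FC.zip), and reports the four ASCII digits that open every decoded x= value (0000, 0001, 0002, 0005 in the list above); the bytes after those digits are non-printable and are left uninterpreted here. The cut-off `&y=R` entry and the URLs without y= are reported as having no file name. The five URLs embedded as sample input are copied from the list above; the function and field names are this example's own.

```python
"""
Decode the x= / y= query parameters of the defanged Valak URLs above.
Added example: the strings in SAMPLE_URLS are copied from the paste,
everything else (names, fields, helpers) belongs to this example.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Sample input: five URLs copied from the list above (defanged as in the paste).
SAMPLE_URLS: List[str] = [
    "hxxp://178.62.53[.]215/wp-content/themes/busify/_PbLR41ZWteURSpWq.php?x=MDAwMSBoAcWc2LRSaD8wIm9JaB102ANxBYghOSvEzkivZDZpIV_9RdpNplA4sXyghImppb__CBNPq7MRzRvvamxjFBJqvGSFHBUH20_P1rrWVOqStAag0YNj2fw2igPzRkHALqIwTMgVHwh-vEJoPEt6&y=cmVxdWVzdC56aXA=",
    "hxxp://conserviengenharia[.]com[.]br/wp-content/plugins/sheet-music-library/__I9CUC7Zn37Tmtyh.php?x=MDAwMiChmVzZFaUj2UP6oLqhT4Ot0cR5QoJoFKGajkLoNMJdNHkVW58HVR-Ud3PIxUAkMBR5_y5phdyK_FFgxZC-0xavF8gMwnryMLIC9VNvn77F7OIbzUxmEr1DahW91a8FZHEEhw2XAXbfhAkMGdx8&y=RkVBTV9UZWNobmljYWxfVHJhaW5pbmcuemlw",
    "hxxps://lartabea[.]org[.]br/wp-content/plugins/sheet-music-library/_8Q4vDIzBBCLZIBfR.php?x=MDAwNSB2z05LKE63zs0eKn89CKxK3-wtkZP4FOYnq1lgT7M2L7DF0RNkh69Xs4q5eD-p2BrpS9fva-4e7QhUUqs80c9JKaHQSCnG5oV19lKkotEc6Z2l1CjdMX1Q6wCHBoU_2KwLNphWYIkDKkdauUMi&y=RXhlY3V0aXZlX1RyYW5zcG9ydGF0aW9uLnppcA==",
    "hxxp://www.anacatellieventos[.]com[.]br/wp-content/plugins/sheet-music-library/__oR_IjoGP8_PPzkx.php?x=MDAwNSDHRDXq21curp6JP37js56dAJDy59u_m4kZy0_j_fo2A0jBFWxSPmi1cVnZ2w-LF5wRND5qlKZFE3HXK5Dl4OltE19g8ruAVxIcF0X3IRQZYy5c0lWI5SmxVAf1yLcBfvMtF4qOd8rfkHoFwYj-&y=R",
    "hxxp://digifish3[.]com/blog/wp-content/themes/busify/_eWTFIH4ngoi2PJUl.php?x=MDAwMSBskYeC02Ql3VG8Ae9TVFHu6uY34q-zd5ISLrA1LlMNJ88yi_SVZUlkWiyyC9gmFThkFMVkHIlaI-DSlZPLLzSuvVgZWgWuujIh-VCBWg50AL-jKfRnl38NNw89_MLBalU19J9qyusiuA_X0pqC",
]


@dataclass
class ValakUrl:
    host: str
    path: str
    x_field: Optional[str]    # the four ASCII digits that open the decoded x= value
    x_len: Optional[int]      # decoded size of x= in bytes
    filename: Optional[str]   # decoded y= value; None if absent or truncated


def refang(url: str) -> str:
    """Undo the hxxp:// and [.] defanging used in the paste."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def b64_urlsafe(value: str) -> Optional[bytes]:
    """URL-safe base64 decode that tolerates stripped padding; None if malformed."""
    if len(value) % 4 == 1:            # never valid base64 (e.g. the cut-off 'y=R')
        return None
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return None


def parse_valak_url(url: str) -> ValakUrl:
    """Split one defanged URL into host, path and the decoded x= / y= fields."""
    parts = urlsplit(refang(url))
    qs = parse_qs(parts.query)          # splits each pair on its first '=', so y='...=' survives
    x_raw = b64_urlsafe(qs["x"][0]) if "x" in qs else None
    y_raw = b64_urlsafe(qs["y"][0]) if "y" in qs else None

    x_field = None
    if x_raw:
        head = x_raw.split(b" ", 1)[0]  # the digits end at the first space
        if len(head) == 4 and head.isdigit():
            x_field = head.decode("ascii")

    filename = None
    if y_raw and y_raw.isascii():
        filename = y_raw.decode("ascii")

    return ValakUrl(parts.hostname or "", parts.path, x_field,
                    len(x_raw) if x_raw else None, filename)


def decode_all(urls: List[str]) -> List[ValakUrl]:
    return [parse_valak_url(u) for u in urls]


if __name__ == "__main__":
    for r in decode_all(SAMPLE_URLS):
        print(f"{r.host:36} x[{r.x_len} bytes] field={r.x_field}  y={r.filename}")
```

Running the script over the full list is a quick way to see that every x= value in this batch decodes to the same length and that the same y= file name is reused across different compromised hosts, which is useful when grouping the URLs for blocking or retro-hunting in proxy logs.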
INITIAL VALAK DLL:

- bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a C:\ProgramData\1.dat

INITIAL JAVASCRIPT WITH VALAK CONFIGURATION INFO:

- 32061d3b3c2d869560c1ecc5d82b8bda978a66d45e881f0e490d88dfc0488320 MVexBafTc.Sszxu

DECOY DOMAINS FOR VALAK C2 TRAFFIC:

- dev.visualwebsiteoptimizer[.]com
- rad.msn.com.nsatc[.]net
- tss-geotrust-crl.thawte[.]com

MALICIOUS DOMAINS FOR VALAK C2 TRAFFIC:

- aloveschool[.]com
- ctbrt[.]com
- naturestyle-moebel[.]com
- 99swus-game[.]com
- 64kapd-bowl[.]com
- 19sped-lane[.]com

VALAK MALWARE INFO:

- SOFT_SIG: mas37
- SOFT_VERSION: 42

FOLLOW-UP MALWARE HIDDEN USING ALTERNATE DATA STREAM (ADS) - ICEDID (BOKBOT) INSTALLER:

- d0a8c0a6811541b27a5d259ee4b6ca9917ca91a1eff2f6d0239fa3d389784066 C:\Users\Public\MUIRtcp.xml:75ef6a54
- https://app.any.run/tasks/e3140f20-cd22-4625-894e-0969a4551b5d