malware_traffic

2019-09-30 - Info from malspam pushing Shade ransomware

Sep 30th, 2019
MALSPAM PUSHING SHADE (TROLDESH) RANSOMWARE ON MONDAY 2019-09-30

ASSOCIATED EMAIL:

- https://pastebin.com/Zn9hhmLv

INFECTION CHAIN:

- Email --> Attached PDF file --> link in PDF file --> downloaded zip archive --> Extracted JS file --> retrieves Shade (Troldesh) ransomware binary

URLS ASSOCIATED WITH THIS INFECTION CHAIN:

- hxxp://gigazine[.]us/wp-content/languages/plugins/doc/
- hxxps://www.blizzz[.]nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg
- hxxp://jonnyb[.]org/alexhampton/_assets/css/doc/2c.jpg

FILE HASHES ASSOCIATED WITH THIS INFECTION CHAIN:

- SHA256 hash: 3c504429569ca24a2e664471a8944d078a11be2fcefc122003b3134420909e00
- File size: 32,871 bytes
- File name: СДФ.pdf
- File description: PDF attachment from malspam pushing Shade (Troldesh) ransomware

- SHA256 hash: 4d262d0ce7fb86a346924b2415da0be61d7dd4f78c34e39496a5b1801e4582ca
- File size: 11,640 bytes
- File name: doc.zip
- File location: hxxp://gigazine[.]us/wp-content/languages/plugins/doc/
- File description: Zip archive downloaded from link in the above PDF file

- SHA256 hash: a53b461aa9872f58e30269429fe4765d52b8c14c7cda3af5812279e35a2f7f78
- File size: 17,751 bytes
- File name: Информация о заказе 26.09.2018-29.xls.js
- File description: JavaScript (.js) file extracted from the above zip archive

- SHA256 hash: b648daf8cb29ad1cf72528d0e93a12c05f4752bd721173f035a5ee724fd97aa1
- File size: 178,8928 bytes
- File location: hxxps://www.blizzz[.]nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg
- File location: hxxp://jonnyb[.]org/alexhampton/_assets/css/doc/2c.jpg
- File location: C:\Users\[username]\AppData\Local\Temp\radAE6A6.tmp (various hex characters in file name)
- File description: Shade (Troldesh) ransomware binary (Windows EXE)
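To make the indicators above directly usable for detection, here is an added example (my own illustration, not code or tooling from the original paste): a small Python script that parses this defanged listing into a structured set, refangs the URLs only for comparison, and checks file hashes and proxy-log hostnames against it. IOC_TEXT reproduces the paste's own hashes and URLs; the parsing logic, the lookup functions and the SAMPLE_PROXY_LOG lines are constructed for the demonstration and are not real captured traffic.

```python
# Added example, not the paste author's code: turn the defanged listing above into
# a matchable indicator set. IOC_TEXT reproduces the paste's indicators; the parser,
# the lookups and SAMPLE_PROXY_LOG are constructed here for illustration.
import hashlib
import re
from typing import Optional, Union
from urllib.parse import urlparse

IOC_TEXT = """\
- hxxp://gigazine[.]us/wp-content/languages/plugins/doc/
- hxxps://www.blizzz[.]nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg
- hxxp://jonnyb[.]org/alexhampton/_assets/css/doc/2c.jpg

- SHA256 hash: 3c504429569ca24a2e664471a8944d078a11be2fcefc122003b3134420909e00
- File size: 32,871 bytes
- File name: СДФ.pdf
- File description: PDF attachment from malspam pushing Shade (Troldesh) ransomware

- SHA256 hash: 4d262d0ce7fb86a346924b2415da0be61d7dd4f78c34e39496a5b1801e4582ca
- File size: 11,640 bytes
- File name: doc.zip
- File location: hxxp://gigazine[.]us/wp-content/languages/plugins/doc/

- SHA256 hash: a53b461aa9872f58e30269429fe4765d52b8c14c7cda3af5812279e35a2f7f78
- File size: 17,751 bytes
- File name: Информация о заказе 26.09.2018-29.xls.js

- SHA256 hash: b648daf8cb29ad1cf72528d0e93a12c05f4752bd721173f035a5ee724fd97aa1
- File location: hxxps://www.blizzz[.]nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg
- File location: hxxp://jonnyb[.]org/alexhampton/_assets/css/doc/2c.jpg
- File description: Shade (Troldesh) ransomware binary (Windows EXE)
"""

def refang(indicator: str) -> str:
    """Undo hxxp:// and [.] defanging so the value compares with real log data."""
    out = re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.IGNORECASE)
    return out.replace("[.]", ".")

def parse_iocs(text: str) -> dict:
    """Split the listing into refanged URLs, hostnames and per-file records keyed by hash."""
    files, current, all_urls = [], {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the current file record
            if current:
                files.append(current)
            current = {}
            continue
        if not line.startswith("- "):     # headings and free text carry no indicator
            continue
        body = line[2:]
        if body.lower().startswith("hxxp"):
            all_urls.add(refang(body))
            continue
        key, _, value = body.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "sha256 hash":
            if not re.fullmatch(r"[0-9a-f]{64}", value.lower()):
                raise ValueError(f"malformed SHA256 in listing: {value!r}")
            current["sha256"] = value.lower()
        elif key == "file size":
            current["size"] = int(value.split()[0].replace(",", ""))
        elif key in ("file name", "file description"):
            current[key.split()[1]] = value          # -> "name" / "description"
        elif key == "file location" and value.lower().startswith("hxxp"):
            url = refang(value)
            all_urls.add(url)
            current.setdefault("urls", []).append(url)
    if current:
        files.append(current)
    return {
        "urls": sorted(all_urls),
        "hosts": sorted({urlparse(u).hostname for u in all_urls}),
        "by_hash": {rec["sha256"]: rec for rec in files if "sha256" in rec},
    }

def lookup_file(sample: Union[str, bytes], iocs: dict) -> Optional[dict]:
    """Find a listed file by hex SHA256 (str) or by hashing raw contents (bytes)."""
    digest = hashlib.sha256(sample).hexdigest() if isinstance(sample, bytes) else sample
    return iocs["by_hash"].get(digest.strip().lower())

def match_host(hostname: str, iocs: dict) -> bool:
    return hostname.strip().lower().rstrip(".") in iocs["hosts"]

# Constructed proxy-log lines for the demonstration, not captured traffic.
SAMPLE_PROXY_LOG = [
    "2019-09-30T10:01:12Z 10.0.0.5 GET http://gigazine.us/wp-content/languages/plugins/doc/ 200",
    "2019-09-30T10:01:40Z 10.0.0.5 GET https://www.blizzz.nl/wp-content/themes/vertikal/option-tree/assets/css/tF2Iu/2c.jpg 200",
    "2019-09-30T10:02:03Z 10.0.0.7 GET https://example.com/index.html 200",
]

def flag_log_lines(lines, iocs: dict):
    """Return (line, host) for every line whose URL host is in the indicator set."""
    return [(line, host) for line in lines
            for host in (urlparse(u).hostname for u in re.findall(r"https?://\S+", line, re.I))
            if host and match_host(host, iocs)]
```

Call `parse_iocs(IOC_TEXT)` once and keep the result; `lookup_file` accepts either a hex digest (case-insensitive) or the raw bytes of a quarantined attachment, and `flag_log_lines` scans proxy or DNS-style log lines for the three hosts. The refanged form is used only inside the matcher; the defanged text is what you keep and share, so nobody copies a live link by accident.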