- THREAT ATTRIBUTION: BUERLOADER
- ANALYST NOTES
- Upon opening the .xls file, I got a "circular reference" warning alert box.
- The spreadsheet has an image that says "GlobalSign PKI Secure".
- Enabling macros in the spreadsheet creates a folder named "BlockSt" on the root of the C: drive.
- One of the payload download URLs that I had was down but the second one was still available.
- After downloading the file, it's renamed to "Winword.exe" and launched.
- I saw C2 traffic in the form of POST data and with a user agent of "aaaa".
- The data are mostly POSTed as key/value pairs.
- The C2 traffic that I saw was just sent over port 80 (http).
- SUBJECTS OBSERVED
- order 15973702 Parcel
- order 26753235 Package
- order 53960152 Parcel
- order 7051954 Package
- order 8596082 Package
- SENDERS OBSERVED
- Foster@bizziebuzz.com
- Jones@swimmingdealer.com
- Thomas@bizziebuzz.com
- Wilson@bizziebuzz.com
- Wilson@swimmingdealer.com
- BUERLOADER MALDOC FILE HASHES (MD5)
- Invoice626914.xls  7ec855b49f5bfe392d1443476d5fc8c2
- Invoice144009.xls  8916813eb4de23e8f1fb0df11ca89837
- INV856686.xls  e859858784ac3dea61a08492f439f16d
- INV854614.xls  92d9e69157d22f81252d89cffeb8861e
- BUERLOADER PAYLOAD FILE HASHES (MD5)
- private.png  f7fc343cbf86f08c7b529ab451677752
- c:\BlockSt\winword.exe  f7fc343cbf86f08c7b529ab451677752
- BUERLOADER PAYLOAD
- http://213.252.244.176/dw.pm
- https://eshop.hydrotech.com.gr/wp-admin/images/private.png
- hydrotech.com.gr
- BUERLOADER C2
- http://tokacpebanking.com
- SUPPORTING EVIDENCE
- https://urlhaus.abuse.ch/url/986773/
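Added example, not part of the original paste: a small defender-side matcher that checks file hashes, drop paths and outbound proxy log lines against the indicators listed above (the four maldoc hashes, the payload hash, the payload hosts, the C2 host, the "aaaa" user agent and the C:\BlockSt drop folder). The proxy log format, the timestamps, the client IPs, the request paths and the benign entries are constructed for the example; only the indicators themselves come from the paste.

```python
"""Match endpoint and proxy telemetry against the Buer Loader indicators.

Added example, not code from the original paste. Indicators are copied from
the paste; the log format and all sample records below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the paste (MD5 -> file name as observed).
MALDOC_MD5: Dict[str, str] = {
    "7ec855b49f5bfe392d1443476d5fc8c2": "Invoice626914.xls",
    "8916813eb4de23e8f1fb0df11ca89837": "Invoice144009.xls",
    "e859858784ac3dea61a08492f439f16d": "INV856686.xls",
    "92d9e69157d22f81252d89cffeb8861e": "INV854614.xls",
}
PAYLOAD_MD5: Dict[str, str] = {
    "f7fc343cbf86f08c7b529ab451677752": "private.png / c:\\BlockSt\\winword.exe",
}
PAYLOAD_HOSTS = {"213.252.244.176", "eshop.hydrotech.com.gr"}
C2_HOSTS = {"tokacpebanking.com"}
C2_USER_AGENT = "aaaa"
DROP_DIR = "c:\\blockst\\"  # lower-cased prefix of the folder the macro creates

# Constructed proxy log format: ts client METHOD host:port path status "ua"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+):(?P<port>\d+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify_hash(md5: str) -> Optional[str]:
    """Return a label if the MD5 is a known Buer maldoc or payload, else None."""
    h = md5.strip().lower()
    if h in MALDOC_MD5:
        return "maldoc:" + MALDOC_MD5[h]
    if h in PAYLOAD_MD5:
        return "payload:" + PAYLOAD_MD5[h]
    return None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests to known Buer hosts or POSTs carrying the "aaaa" user agent."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the (constructed) format
        rec = m.groupdict()
        reasons: List[str] = []
        if rec["host"] in C2_HOSTS:
            reasons.append("known Buer C2 host")
        if rec["host"] in PAYLOAD_HOSTS:
            reasons.append("known Buer payload host")
        if rec["method"] == "POST" and rec["ua"] == C2_USER_AGENT:
            reasons.append('POST with user agent "aaaa"')
        if reasons:
            alerts.append({"src": rec["src"], "host": rec["host"], "reasons": reasons})
    return alerts


def scan_file_events(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag (path, md5) file-write events by hash or by the C:\\BlockSt drop folder."""
    hits: List[Dict[str, object]] = []
    for path, md5 in events:
        reasons: List[str] = []
        label = classify_hash(md5)
        if label:
            reasons.append(label)
        if path.lower().startswith(DROP_DIR):
            reasons.append("file written under c:\\BlockSt")
        if reasons:
            hits.append({"path": path, "reasons": reasons})
    return hits


# Constructed sample telemetry (timestamps, clients and benign rows are made up).
SAMPLE_PROXY_LOG = [
    '2020-01-01T09:12:01Z 10.0.0.15 GET www.example.com:443 / 200 "Mozilla/5.0"',
    '2020-01-01T09:12:07Z 10.0.0.15 GET eshop.hydrotech.com.gr:443 /wp-admin/images/private.png 200 "Mozilla/4.0"',
    '2020-01-01T09:12:20Z 10.0.0.15 POST tokacpebanking.com:80 / 200 "aaaa"',
    '2020-01-01T09:13:00Z 10.0.0.22 POST intranet.example.com:80 /login 302 "Mozilla/5.0"',
]
SAMPLE_FILE_EVENTS = [
    (r"C:\Users\alice\Downloads\Invoice626914.xls", "7ec855b49f5bfe392d1443476d5fc8c2"),
    (r"C:\BlockSt\winword.exe", "f7fc343cbf86f08c7b529ab451677752"),
    # Constructed benign entry with a dummy hash: the real Office binary.
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "0123456789abcdef0123456789abcdef"),
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy alert:", a)
    for h in scan_file_events(SAMPLE_FILE_EVENTS):
        print("file alert:", h)
```

The path prefix check mirrors the note that the macro drops its payload under C:\BlockSt, and the hash check catches the same payload whether it still carries the private.png name or has already been renamed to winword.exe, since the paste lists one MD5 for both.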