malware_traffic

2020-06-23 - Valak (soft_sig: mad34) activity

Jun 23rd, 2020
2020-06-23 - VALAK (SOFT_SIG: MAD34) ACTIVITY

NOTE:

- I am yet unable to find any documents with macros for today's activity. I stumbled across the URLs for the initial Valak DLL files and tested them on a lab host.

EXAMPLES OF INITIAL VALAK DLL FILES RETRIEVED BY WORD MACRO:

- cc9e434bc25472d2c3e3fa505ee20620bf12c5f431d1e0cd6652ae3af64129f2 2020-06-23-ynetz1.cab-from-fepz41.com.bin
- 3444b9718db7fc74b4a02283d27e6dcc38f9880d6acf18fbb7122e12912ba963 2020-06-23-ynetz2.cab-from-fepz41.com.bin
- 299d03ac452057470ae0c13cd20a32948320aa1867f580e38290522af343c302 2020-06-23-ynetz3.cab-from-fepz41.com.bin
- 08758fca79f0589f50a2033681340563891b6f4da4b628d94eb9c8d4413f4be2 2020-06-23-ynetz4.cab-from-fepz41.com.bin
- 01d83cb3a31f6e5be7ce57c81506b0792281ec464fb7d5761184699e61d15f06 2020-06-23-ynetz5.cab-from-fepz41.com.bin
- 82cc0a0ed5ebb1f2c39633166f06829d478bc5fd27af7189588ae9863f8e5764 2020-06-23-ynetz6.cab-from-fepz41.com.bin
- 97eb9b6262fab33ce0b10d69415749faf69842a15df6c78342db423ea347decf 2020-06-23-ynetz7.cab-from-fepz41.com.bin
- 0e99598ec60e8c64fee526fca5b3fa0562b07e566c37f500878919d78bcb9bd4 2020-06-23-ynetz8.cab-from-fepz41.com.bin
- 7e499a9ea954101c4d74dc635cfcc236959655b8921fe8a57bdc3adbd0371d75 2020-06-23-ynetz9.cab-from-fepz41.com.bin
- 54631a3371c09acf7bdeb6c74f899627d05da0c75b71e7d6bac2761269249352 2020-06-23-ynetz10.cab-from-fepz41.com.bin
- 6a5bf1bfccf3f36fce2124b710333b62f68fbc751d77fc9241021005aee85150 2020-06-23-ynetz11.cab-from-fepz41.com.bin
- f3b156a0c655135bbed201e6e4adad77b5a1206ee012cffe46878f987f59868e 2020-06-23-ynetz12.cab-from-fepz41.com.bin
- 1990f9782ef6e8b522eb2408d88d44e50bea4e835603d2f9ef5c364f5f87a8d7 2020-06-23-ynetz1.cab-from-qqm9lv.com.bin
- 88cad7a48e19736b1d8af04ef7f123ed5f474996d079e386be726f732002a1d2 2020-06-23-ynetz2.cab-from-qqm9lv.com.bin
- 7ef591a8508a659d07b854dc7b1c41b60f85344c3ea92eb3c1fa75a2e9569f73 2020-06-23-ynetz3.cab-from-qqm9lv.com.bin
- f0469a7ab901fdef63b3325e51bdbee90f84e04220d696cd3f05b0d45e7be1df 2020-06-23-ynetz4.cab-from-qqm9lv.com.bin
- d8eaf97a48c9ebcee83d828f6663d346df5d0eec78a7bd747e3b4ebd4c1db585 2020-06-23-ynetz5.cab-from-qqm9lv.com.bin
- 997099b25849798329f01362577d54552f8e1873d6dcdcb5c793a9b8ab03d49e 2020-06-23-ynetz6.cab-from-qqm9lv.com.bin
- defe95da33663c83222c8babfaae1be9dead36307f0262f5e7ef1fdb7558f58b 2020-06-23-ynetz7.cab-from-qqm9lv.com.bin
- 8f322ebc904053007907521620d29801d88a001b637a169b23ab43e21c41f5d3 2020-06-23-ynetz8.cab-from-qqm9lv.com.bin
- 33d8d318615e1be0786491b676389eaeb2c9b9c798a2a5f1e45d4bb90bcd5bd5 2020-06-23-ynetz9.cab-from-qqm9lv.com.bin
- 72107699b9a78db221c18ef69b9b9b8b160952a9f6f3b3ce62c4fcbf471b7aad 2020-06-23-ynetz10.cab-from-qqm9lv.com.bin
- 7d63e38a8e8607c244f19377e78702db60f62765bb256dd4747ec1eb087eca4f 2020-06-23-ynetz11.cab-from-qqm9lv.com.bin
- 32217c9d79352151d1f2ca4a9db647d7fdf66cd866db387a6d537f1c16311bc2 2020-06-23-ynetz12.cab-from-qqm9lv.com.bin

SCRIPT FILE FROM INFECTED WINDOWS HOST WHEN VALAK DLL WAS SUCCESSFULLY RUN:

- 1afcf5a12826605506aec192c985023c95918fb21f01e75e44b067f3c7596b4a C:\Users\Public\VXoT_mDBJ.Wxa_X

SCRIPT FILE FROM INFECTED WINDOWS HOST USED TO KEEP VALAK INFECTION PERSISTENT:

- c7d58120b99d7ef2f1d124168e49e2b20df6b96252b0e2474192c826d21a09e2 C:\Users\Public\WsuUpdate.js

FILE NAME USED FOR ALTERNATE DATA STREAM (ADS) TO HIDE VALAK EXE:

- 9bb0eae6dbc37e2a6fe0773c92ce5409cd199ce3de2a0b41c159f3bdcc653a76 C:\Users\Public\WSUDIAG.EVTX (note: I did not find ADS with today's file)

VALAK MALWARE INFO:

- SOFT_SIG: mad34
- SOFT_VERSION: 40

URLS FOR VALAK DLL:

- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz1.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz2.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz3.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz4.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz5.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz6.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz7.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz8.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz9.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz10.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz11.cab
- hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz12.cab

- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz1.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz2.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz3.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz4.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz5.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz6.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz7.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz8.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz9.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz10.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz11.cab
- hxxp://qqm9lv[.]com/unbbmevd/d76.php?l=ynetz12.cab

DECOY DOMAINS USED DURING VALAK INFECTION:

- e87.dspb.akamaidege[.]net
- insiderppe.cloudapp[.]net
- pagead46.l.doubleclick[.]net

MALICIOUS DOMAINS USED DURING VALAK INFECTION:

- cloptio[.]com
- 50kmission[.]com
- fast-pacedworld[.]com
- 82geod-misery[.]com
- 76leof-nerve[.]com
- 29degod-soil[.]com