2020-06-23 - Valak (soft_sig: mad34) activity

malware_traffic, Jun 23rd, 2020 (edited)

NOTE:

- I am as yet unable to find any documents with macros for today's activity. I stumbled across the URLs for the initial Valak DLL files and tested them on a lab host.

EXAMPLES OF INITIAL VALAK DLL FILES RETRIEVED BY WORD MACRO:


SCRIPT FILE FROM INFECTED WINDOWS HOST WHEN VALAK DLL WAS SUCCESSFULLY RUN:

- 1afcf5a12826605506aec192c985023c95918fb21f01e75e44b067f3c7596b4a  C:\Users\Public\VXoT_mDBJ.Wxa_X

SCRIPT FILE FROM INFECTED WINDOWS HOST USED TO KEEP VALAK INFECTION PERSISTENT:

- c7d58120b99d7ef2f1d124168e49e2b20df6b96252b0e2474192c826d21a09e2  C:\Users\Public\WsuUpdate.js

FILE NAME USED FOR ALTERNATE DATA STREAM (ADS) TO HIDE FOLLOW-UP MALWARE:

- 9bb0eae6dbc37e2a6fe0773c92ce5409cd199ce3de2a0b41c159f3bdcc653a76  C:\Users\Public\WSUDIAG.EVTX (note: I did not find ADS with today's file)

VALAK MALWARE INFO:

- SOFT_SIG: mad34
- SOFT_VERSION: 40

URLS FOR VALAK DLL:

DECOY DOMAINS USED DURING VALAK INFECTION:

- e87.dspb.akamaidege[.]net
- insiderppe.cloudapp[.]net
- pagead46.l.doubleclick[.]net

MALICIOUS DOMAINS USED DURING VALAK INFECTION:

- cloptio[.]com
- 50kmission[.]com
- fast-pacedworld[.]com
- 82geod-misery[.]com
- 76leof-nerve[.]com
- 29degod-soil[.]com