malware_traffic

2020-10-05 (Monday) DHL-themed malspam pushes Dridex

Oct 5th, 2020
2020-10-05 (MONDAY) - DHL-THEMED MALSPAM PUSHING DRIDEX

NOTE:

- Also found some UPS-themed spreadsheets similar to the DHL-themed spreadsheets with a creation date of today (Monday 2020-10-05) that also appear to be pushing Dridex.

- Saw a few tweets about the UPS-themed spreadsheets, but nothing yet tweeted about today's DHL-themed spreadsheet as I write this.

HEADER DATA FROM 6 EMAIL EXAMPLES:

- Date: Mon, 5 Oct 2020 13:39:17 -0500
- Date: Mon, 5 Oct 2020 20:40:00 +0200
- Date: Mon, 5 Oct 2020 19:40:27 +0100
- Date: Mon, 5 Oct 2020 19:56:08 +0100
- Date: Mon, 5 Oct 2020 20:12:15 +0100
- Date: Mon, 5 Oct 2020 20:12:25 +0100

- From: "BGY HUB (DHL Express)" <byihubimport2@dhl.com>
- From: "BGY HUB IMPORT (DHL Express)" <bcxhubimport@dhl.com>
- From: <bzp.hubimport@dhl.com> (DHL Express)
- From: <dhldb.billing@dhl.com> (DHL)
- From: <dhldz.billing@dhl.com> (DHL)
- From: <dhlev.billing@dhl.com> (DHL)

- Subject: DHL corresponding documents
- Subject: DHL Documents
- Subject: DHL Documents BL:CI
- Subject: DHL letter
- Subject: DHL ; S1800662341_H0064673
- Subject: DHL: copy of document

- Attachment name: 75L6179073748.xlsm
- Attachment name: AG85506156603.xlsm
- Attachment name: KCJ5879841232.xlsm
- Attachment name: MOQ0422378326.xlsm
- Attachment name: QI61760164910.xlsm
- Attachment name: Y934959908266.xlsm

- NOTE: Unfortunately, I was unable to get copies of the XLS files listed above.

XLSM FILES RETRIEVED FROM VT:

0d2ce5b6530a0fefbffb231b37c6895bfe7057f48aa0d26f33d45b453eaa70f3 (DHL-themed)
b85c5aa2f69b3d2ce8f261b3c527bd08f215b0c54c0b5c13a5fa30ec2aabbefb (UPS-themed)

2 URLS FOUND FROM EXCEL MACROS:

- hxxps://vardhmanproducts[.]com/o30c332m.zip
- hxxps://www.enserve[.]co[.]uk/j50t68q.rar

MALWARE FROM AN INFECTED WINDOWS HOST (FROM DHL-THEMED SPREADSHEET)

- SHA256 hash: a8b125a1162491b5a6d0a4372aea196007ba8f96ea4dfcda4c05ad5a65d03378
- File size: 398,336 bytes
- File location: hxxps://vardhmanproducts[.]com/o30c332m.zip
- File location: C:\jCYsnV\ibQRmAm\xsDxVmD
- File description: Initial DLL to install Dridex
- Run method: regsvr32.exe -s C:\jCYsnV\ibQRmAm\xsDxVmD.

- SHA256 hash: 0af6a9cb3602aa9ffedf2e1d74be000ac25d9150ea66caf8e7587fa62ab683af
- File size: 1,018,368 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random file path]\MFC42u.dll
- File description: 64-bit Dridex DLL, run by copy of legitimate system file in the same directory

- SHA256 hash: 6749704357d37c8bdbb098bc65163af039c33172bc7e71b90f5383d6eda3f756
- File size: 995,328 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random file path]\WINMM.dll
- File description: 64-bit Dridex DLL, run by copy of legitimate system file in the same directory

- SHA256 hash: 6535748918cf07f4e1bd77f71c5cdce283a20cffb44e94731a9c2962fece57cf
- File size: 990,720 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random file path]\XmlLite.dll
- File description: 64-bit Dridex DLL, run by copy of legitimate system file in the same directory
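The infection chain above shows two host behaviours a defender can hunt for: silent regsvr32 registration of an extensionless file in an odd top-level directory, and system-named DLLs (MFC42u.dll, WINMM.dll, XmlLite.dll) loaded from a folder under AppData\Roaming next to a copied legitimate executable instead of from System32. The script below is an added example (not part of malware_traffic's paste) that applies those two checks to endpoint telemetry. It assumes a simplified event shape with `type`, `cmdline`, `image` and `dll` fields (a Sysmon process-creation or image-load record would be mapped onto these), the allowlisted system directories, and a short list of constructed sample events; the regsvr32 command line is the one listed above, while the user name, executable name and random directory are constructed placeholders.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# DLL names the paste lists as side-loaded Dridex payloads (extend for your environment).
SIDELOAD_DLL_NAMES = {"mfc42u.dll", "winmm.dll", "xmllite.dll"}

# Directories Windows normally serves those DLLs from (assumption: 64-bit host, default install).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Parent directories where a silently registered COM DLL is not suspicious on its own (assumption).
EXPECTED_REGSVR32_ROOTS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    rule: str
    detail: str


def check_regsvr32(cmdline: str) -> Optional[Finding]:
    """Flag 'regsvr32 -s <file>' where the file has no extension or sits outside Windows/Program Files.
    Matches the run method in the paste: regsvr32.exe -s C:\\jCYsnV\\ibQRmAm\\xsDxVmD"""
    m = re.match(r'^\s*"?(?:.*\\)?regsvr32(?:\.exe)?"?\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    args = m.group(1).split()  # sample command lines contain no quoted paths with spaces
    silent = any(a.lower() in ("-s", "/s") for a in args)
    targets = [a.strip('"') for a in args if not a.startswith(("-", "/"))]
    if not silent or not targets:
        return None
    target = targets[-1]
    no_extension = ntpath.splitext(ntpath.basename(target))[1] == ""
    odd_location = not target.lower().startswith(EXPECTED_REGSVR32_ROOTS)
    if no_extension or odd_location:
        return Finding("regsvr32_silent_load", f"regsvr32 -s on {target}")
    return None


def check_image_load(process_image: str, loaded_dll: str) -> Optional[Finding]:
    """Flag a system-named DLL loaded from the host process's own directory under AppData\\Roaming
    rather than from a Windows system directory (the side-loading pattern in the paste)."""
    dll_name = ntpath.basename(loaded_dll).lower()
    if dll_name not in SIDELOAD_DLL_NAMES:
        return None
    dll_dir = ntpath.dirname(loaded_dll).lower().rstrip("\\")
    if dll_dir in SYSTEM_DIRS:
        return None
    exe_dir = ntpath.dirname(process_image).lower().rstrip("\\")
    if dll_dir == exe_dir and "\\appdata\\roaming\\" in exe_dir + "\\":
        return Finding("dll_sideload", f"{ntpath.basename(process_image)} loaded {dll_name} from {dll_dir}")
    return None


def scan(events: list) -> list:
    """Run both checks over a list of simplified telemetry events and return the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            f = check_regsvr32(ev["cmdline"])
        elif ev["type"] == "image_load":
            f = check_image_load(ev["image"], ev["dll"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample events: two benign, two matching the behaviour described in the paste.
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": r"regsvr32.exe -s C:\jCYsnV\ibQRmAm\xsDxVmD"},
    {"type": "process_create", "cmdline": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
    {"type": "image_load",
     "image": r"C:\Users\placeholder_user\AppData\Roaming\Qkzt\placeholder_system_copy.exe",
     "dll": r"C:\Users\placeholder_user\AppData\Roaming\Qkzt\MFC42u.dll"},
    {"type": "image_load",
     "image": r"C:\Windows\System32\mmc.exe",
     "dll": r"C:\Windows\System32\WINMM.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Both rules are deliberately narrow: the regsvr32 check keys on the combination of the silent switch and an unusual target, and the side-load check only fires when the DLL name is one Windows is expected to own and it resolves from the same non-system directory as the executable. Tuning the allowlisted roots and the DLL list is what adapts this to a particular estate.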