malware_traffic

2020-10-05 (Monday) DHL-themed malspam pushes Dridex

Oct 5th, 2020
2020-10-05 (MONDAY) - DHL-THEMED MALSPAM PUSHING DRIDEX

NOTE:

- Also found some UPS-themed spreadsheets similar to the DHL-themed spreadsheets with a creation date of today (Monday 2020-10-05) that also appear to be pushing Dridex.

- Saw a few tweets about the UPS-themed spreadsheets, but nothing yet tweeted about today's DHL-themed spreadsheet as I write this.

HEADER DATA FROM 6 EMAIL EXAMPLES:

- Date: Mon, 5 Oct 2020 13:39:17 -0500
- Date: Mon, 5 Oct 2020 20:40:00 +0200
- Date: Mon, 5 Oct 2020 19:40:27 +0100
- Date: Mon, 5 Oct 2020 19:56:08 +0100
- Date: Mon, 5 Oct 2020 20:12:15 +0100
- Date: Mon, 5 Oct 2020 20:12:25 +0100

- From: "BGY HUB (DHL Express)" <byihubimport2@dhl.com>
- From: "BGY HUB IMPORT (DHL Express)" <bcxhubimport@dhl.com>
- From: <bzp.hubimport@dhl.com> (DHL Express)
- From: <dhldb.billing@dhl.com> (DHL)
- From: <dhldz.billing@dhl.com> (DHL)
- From: <dhlev.billing@dhl.com> (DHL)

- Subject: DHL corresponding documents
- Subject: DHL Documents
- Subject: DHL Documents BL:CI
- Subject: DHL letter
- Subject: DHL ; S1800662341_H0064673
- Subject: DHL: copy of document

- Attachment name: 75L6179073748.xlsm
- Attachment name: AG85506156603.xlsm
- Attachment name: KCJ5879841232.xlsm
- Attachment name: MOQ0422378326.xlsm
- Attachment name: QI61760164910.xlsm
- Attachment name: Y934959908266.xlsm

- NOTE: Unfortunately, I was unable to get copies of the XLSM files listed above.

XLSM FILES RETRIEVED FROM VT:

0d2ce5b6530a0fefbffb231b37c6895bfe7057f48aa0d26f33d45b453eaa70f3 (DHL-themed)
b85c5aa2f69b3d2ce8f261b3c527bd08f215b0c54c0b5c13a5fa30ec2aabbefb (UPS-themed)

2 URLS FOUND FROM EXCEL MACROS:

- hxxps://vardhmanproducts[.]com/o30c332m.zip
- hxxps://www.enserve[.]co[.]uk/j50t68q.rar

MALWARE FROM AN INFECTED WINDOWS HOST (FROM DHL-THEMED SPREADSHEET)

- SHA256 hash: a8b125a1162491b5a6d0a4372aea196007ba8f96ea4dfcda4c05ad5a65d03378
- File size: 398,336 bytes
- File location: hxxps://vardhmanproducts[.]com/o30c332m.zip
- File location: C:\jCYsnV\ibQRmAm\xsDxVmD
- File description: Initial DLL to install Dridex
- Run method: regsvr32.exe -s C:\jCYsnV\ibQRmAm\xsDxVmD.

- SHA256 hash: 0af6a9cb3602aa9ffedf2e1d74be000ac25d9150ea66caf8e7587fa62ab683af
- File size: 1,018,368 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random file path]\MFC42u.dll
- File description: 64-bit Dridex DLL, run by a copy of a legitimate system file in the same directory

- SHA256 hash: 6749704357d37c8bdbb098bc65163af039c33172bc7e71b90f5383d6eda3f756
- File size: 995,328 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random file path]\WINMM.dll
- File description: 64-bit Dridex DLL, run by a copy of a legitimate system file in the same directory

- SHA256 hash: 6535748918cf07f4e1bd77f71c5cdce283a20cffb44e94731a9c2962fece57cf
- File size: 990,720 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random file path]\XmlLite.dll
- File description: 64-bit Dridex DLL, run by a copy of a legitimate system file in the same directory

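Added example, not part of the original paste: a small Python hunt for the two host-side tells listed above. The first is the run method, a silent regsvr32 launched by Excel against an extension-less file outside Windows or Program Files. The second is the side-loading stage, a DLL carrying a real system DLL name (MFC42u.dll, WINMM.dll, XmlLite.dll) being written under a user profile instead of System32. The event lines it runs over are constructed for this example in a simplified key=value format, not telemetry from the infected host; the Office parent-process list and the trusted path roots are assumptions of the example, not something the paste states.

```python
"""Hunt constructed Sysmon-style events for the Dridex tells in the paste above."""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# System DLL names the paste shows Dridex dropping under AppData\Roaming
# beside a copied legitimate EXE that side-loads them.
SIDELOAD_DLL_NAMES = {"mfc42u.dll", "winmm.dll", "xmllite.dll"}

# Office binaries that should not be spawning regsvr32 (assumed list).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Roots where a legitimately registered COM module normally lives (assumed).
TRUSTED_MODULE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events, not captured data. Fields: type, image, cmdline/target, parent.
SAMPLE_EVENTS = [
    # benign: a vendor installer registering its own DLL silently
    r'type=ProcessCreate|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"|parent=C:\Program Files\Vendor\setup.exe',
    # malicious: the paste's run method, launched from the macro in Excel
    r'type=ProcessCreate|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32.exe -s C:\jCYsnV\ibQRmAm\xsDxVmD|parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
    # benign: the real winmm.dll being touched in System32
    r'type=FileCreate|image=C:\Windows\System32\svchost.exe|target=C:\Windows\System32\winmm.dll',
    # malicious: system-named DLL written under AppData\Roaming\[random]
    r'type=FileCreate|image=C:\Windows\System32\regsvr32.exe|target=C:\Users\alice\AppData\Roaming\Qwkzl\MFC42u.dll',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' line into a dict (keys lower-cased)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def _cmdline_tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def suspicious_regsvr32(event: Dict[str, str]) -> Optional[str]:
    """Return the reasons a regsvr32 launch looks like the paste's run method, else None."""
    if event.get("type") != "ProcessCreate":
        return None
    if ntpath.basename(event.get("image", "")).lower() != "regsvr32.exe":
        return None
    tokens = _cmdline_tokens(event.get("cmdline", ""))[1:]  # drop argv[0]
    modules = [t for t in tokens if t and t[0] not in "/-"]
    if not modules:
        return None
    module = modules[-1]
    reasons = []
    # Dridex saves the loader with no extension; installers register .dll/.ocx.
    if ntpath.splitext(module)[1].lower() not in (".dll", ".ocx", ".ax"):
        reasons.append(f"module without DLL extension: {module}")
    if not module.lower().startswith(TRUSTED_MODULE_ROOTS):
        reasons.append(f"module outside Windows/Program Files: {module}")
    parent = ntpath.basename(event.get("parent", "")).lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office ({parent})")
    # A silent switch on its own is normal installer behaviour, so it is not a reason.
    return "; ".join(reasons) if reasons else None


def suspicious_sideload_dll(event: Dict[str, str]) -> Optional[str]:
    """Return a reason if a system-named DLL is created inside a user profile, else None."""
    if event.get("type") not in ("FileCreate", "ImageLoad"):
        return None
    target = event.get("target", "")
    if ntpath.basename(target).lower() not in SIDELOAD_DLL_NAMES:
        return None
    # Vendor apps do redistribute e.g. MFC42u.dll under Program Files, so the
    # discriminator is "under C:\Users\<name>\", matching the paste's
    # AppData\Roaming\[random] location, rather than merely "not in System32".
    if not re.match(r"(?i)^[a-z]:\\users\\[^\\]+\\", target):
        return None
    return f"system DLL name written under user profile: {target}"


def hunt(lines: Iterable[str]) -> List[str]:
    """Run both checks over event lines and return the list of findings."""
    findings: List[str] = []
    for line in lines:
        event = parse_event(line)
        for check in (suspicious_regsvr32, suspicious_sideload_dll):
            reason = check(event)
            if reason:
                findings.append(reason)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events this yields exactly two findings, the Excel-spawned silent regsvr32 of the extension-less loader and the MFC42u.dll write under AppData\Roaming, while the vendor installer and the real System32 winmm.dll pass. On real telemetry, feed it Sysmon Event ID 1 (process create) and 11 (file create) mapped into the same fields; the user-profile discriminator for the DLL names matters because MFC42u.dll is legitimately redistributed under Program Files by many applications.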