- 2020-06-22 - VALAK (MAD33) INFECTION WITH ICEDID (BOKBOT)
- EXAMPLES OF WORD DOCS WITH MACRO FOR VALAK:
  - 042bfddedc517b98c438ddf49b6b5978e23c94f29f09f88272782d64d26f3bcc charge 06.20.doc
  - 3ebabc542a78fd0112c7431a08ff10588ddd3faf672fca556b88c6d4dd5cbc31 report.06.20.doc
  - 856e8ac644454a95bafd07383df000f40085fa87fa244cfb80ba5516f2b9c3cb direct.06.22.2020.doc
  - 3ba3b5890c821afdfae1d57eb7dfea5d220614b4d6392144523c7057e08cc121 documents 06.22.2020.doc
- EXAMPLES OF INITIAL VALAK DLL FILES RETRIEVED BY WORD MACRO:
- SCRIPT FILE FROM INFECTED WINDOWS HOST WHEN VALAK DLL WAS SUCCESSFULLY RUN:
  - 15f852e2c1de29c629f1ba8d7aa57fa32d2c498e21e55a04f6554cd604ec6290 C:\Users\Public\z_JnUjVxd.WKNEP
- EXE USED DURING VALAK INFECTION:
  - 8252a023a13fe22501d9bbd72afbe7d2707ba465e4ad3b4f65c0dc7eed8689be C:\Users\[username]\AppData\Local\Temp\e48826fc40.bin
- SCRIPT FILE FROM INFECTED WINDOWS HOST USED TO KEEP VALAK INFECTION PERSISTENT:
  - 036ad0e332df08a9ddfe9567dcf02b639e0c9b7f3672078602d38d3dcdd9043e C:\Users\Public\WsuUpdate.js
- FILE NAME USED FOR ALTERNATE DATA STREAM (ADS) TO HIDE VALAK EXE:
  - WSUDIAG.EVTX
- FOLLOW-UP MALWARE (ICEDID INSTALLER) EXE HIDDEN IN ADS:
  - 55086547bc8ae9789dcef1a2e9a33f428150d1e30ebb37cbeb4f4bea8b7f4830 C:\Users\Public\WSUDIAG.EVTX:af2ed04e
- VALAK MALWARE INFO:
  - SOFT_SIG: mad33
  - SOFT_VERSION: 40
- ADDITIONAL ICEDID (BOKBOT) ARTIFACTS SEEN DURING VALAK INFECTION:
  - f725ec307427416a6ca218ea6c709210190dcde58b99030480bd71cee3a83f28 ~268584562.exe
  - 765083ca225163018a682eeb32633c9746c45a9a4e58a5e61094836988de747b Eywuac32.exe
- URLS FOR VALAK DLL:
- DECOY DOMAINS USED DURING VALAK INFECTION:
  - e87.dspb.akamaidege[.]net
  - insiderppe.cloudapp[.]net
  - pagead46.l.doubleclick[.]net
- MALICIOUS DOMAINS USED DURING VALAK INFECTION:
  - srd-realestate[.]com
  - japanship247[.]com
  - wbgfreight[.]com
  - 000de9383sox0[.]com
  - 000odifu83[.]com
- DOMAINS USED FOR ICEDID:
  - load4th[.]casa
  - seeteator[.]best
  - frituator[.]top
  - plutiasitop[.]top