malware_traffic

2020-06-22 - Valak (mad33) infection with IcedID (Bokbot)

Jun 23rd, 2020
2020-06-22 - VALAK (MAD33) INFECTION WITH ICEDID (BOKBOT)

EXAMPLES OF WORD DOCS WITH MACRO FOR VALAK:

- 042bfddedc517b98c438ddf49b6b5978e23c94f29f09f88272782d64d26f3bcc charge 06.20.doc
- 3ebabc542a78fd0112c7431a08ff10588ddd3faf672fca556b88c6d4dd5cbc31 report.06.20.doc
- 856e8ac644454a95bafd07383df000f40085fa87fa244cfb80ba5516f2b9c3cb direct.06.22.2020.doc
- 3ba3b5890c821afdfae1d57eb7dfea5d220614b4d6392144523c7057e08cc121 documents 06.22.2020.doc

EXAMPLES OF INITIAL VALAK DLL FILES RETRIEVED BY WORD MACRO:

- 6c8642a6860671318c9fd77ee8978d7af3d06d876c302f9d9c08c56c44a9199f C:\ProgramData\1.dat
- 90d8a7979d306223cf237b3b55c6c8bfc12e8785881846ba73bd26faf7e702af C:\ProgramData\1.dat
- c723e0f7918a1f35d0f4a0ca53c123d5f15af3ec370c9596d516251bb6e6afbb C:\ProgramData\1.dat
- 9e45ef202b4dbf13ebdf8d86fd0ab1644b1ff77f92a83e4c7ac2dc304ad5d99f C:\ProgramData\1.dat
- 86372e5cae722d19c2596b5baf15d0edb5e7b72055252aae0aad26a86fd5580b C:\ProgramData\1.dat
- d06593b7ae8887ff78da0f6dff7c3c3b3eaf57ca9138c201524d4f38296645ea C:\ProgramData\1.dat
- 86372e5cae722d19c2596b5baf15d0edb5e7b72055252aae0aad26a86fd5580b C:\ProgramData\1.dat
- a4de3e2fe233d3ebd52b557ff02f88f8c0272bfb6eb59c9786a0ceda3f8991ef C:\ProgramData\1.dat
- 0f28653e65c4809cdfb4e5fff94dba511365805c52dd42e4e647a2a7267c3698 2020-06-22-oev1.cab-from-9nag0.com.bin
- f1635ca01d44a64573c20621a36dc33248c783f023dbd8108ed5295400cb179e 2020-06-22-oev2.cab-from-9nag0.com.bin
- 4797f3bec7b31086fd2aa9e27ef9dd23834a2890db87c23d54b596fe00b5795e 2020-06-22-oev3.cab-from-9nag0.com.bin
- 9e6dd8292aed04e8b8afe6c8df8615f14cfc5f818c6808d2c977be654d3b640a 2020-06-22-oev4.cab-from-9nag0.com.bin
- 87758a310e89c37ea157a0c30bb737e5e6d5f2481074be156f00a836782aebb8 2020-06-22-oev5.cab-from-9nag0.com.bin
- bc8100624bcd1dfa9c72cc31c5970abd30b98d6a8be894761266603a137fcd6a 2020-06-22-oev6.cab-from-9nag0.com.bin
- 7b08762254330e5ad10202ba41e6141b8dfb0bf3ed2ee7738bd5e55acc6186fc 2020-06-22-oev7.cab-from-9nag0.com.bin
- fc6e12e30ad6261ca81b17b26d0d5fb46be253da312d84aa99a13e0e76d324d9 2020-06-22-oev8.cab-from-9nag0.com.bin
- 88efee5ef80bb261c7f399e558e3f5b5d6b53c990d04762dc2d446249a7f74f5 2020-06-22-oev9.cab-from-9nag0.com.bin

SCRIPT FILE FROM INFECTED WINDOWS HOST WHEN VALAK DLL WAS SUCCESSFULLY RUN:

- 15f852e2c1de29c629f1ba8d7aa57fa32d2c498e21e55a04f6554cd604ec6290 C:\Users\Public\z_JnUjVxd.WKNEP

EXE USED DURING VALAK INFECTION:

- 8252a023a13fe22501d9bbd72afbe7d2707ba465e4ad3b4f65c0dc7eed8689be C:\Users\[username]\AppData\Local\Temp\e48826fc40.bin

SCRIPT FILE FROM INFECTED WINDOWS HOST USED TO KEEP VALAK INFECTION PERSISTENT:

- 036ad0e332df08a9ddfe9567dcf02b639e0c9b7f3672078602d38d3dcdd9043e C:\Users\Public\WsuUpdate.js

FILE NAME USED FOR ALTERNATE DATA STREAM (ADS) TO HIDE VALAK EXE:

- WSUDIAG.EVTX

FOLLOW-UP MALWARE (ICEDID INSTALLER) EXE HIDDEN IN ADS:

- 55086547bc8ae9789dcef1a2e9a33f428150d1e30ebb37cbeb4f4bea8b7f4830 C:\Users\Public\WSUDIAG.EVTX:af2ed04e

VALAK MALWARE INFO:

- SOFT_SIG: mad33
- SOFT_VERSION: 40

ADDITIONAL ICEDID (BOKBOT) ARTIFACTS SEEN DURING VALAK INFECTION:

- f725ec307427416a6ca218ea6c709210190dcde58b99030480bd71cee3a83f28 ~268584562.exe
- 765083ca225163018a682eeb32633c9746c45a9a4e58a5e61094836988de747b Eywuac32.exe

URLS FOR VALAK DLL:

- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev1.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev2.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev3.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev4.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev5.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev6.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev7.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev8.cab
- hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev9.cab

- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev1.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev2.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev3.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev4.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev5.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev6.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev7.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev8.cab
- hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev9.cab

DECOY DOMAINS USED DURING VALAK INFECTION:

- e87.dspb.akamaidege[.]net
- insiderppe.cloudapp[.]net
- pagead46.l.doubleclick[.]net

MALICIOUS DOMAINS USED DURING VALAK INFECTION:

- srd-realestate[.]com
- japanship247[.]com
- wbgfreight[.]com
- 000de9383sox0[.]com
- 000odifu83[.]com

DOMAINS USED FOR ICEDID:

- load4th[.]casa
- seeteator[.]best
- frituator[.]top
- plutiasitop[.]top