API tools faq
paste
malware_traffic

2020-06-22 - Valak (mad33) infection with IcedID (Bokbot)

malware_traffic
Jun 23rd, 2020
7,852
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.48 KB | None | 0 0
raw download clone embed print report
  1. 2020-06-22 - VALAK (MAD33) INFECTION WITH ICEDID (BOKBOT)
  2.  
  3. EXAMPLES OF WORD DOCS WITH MACRO FOR VALAK:
  4.  
  5. - 042bfddedc517b98c438ddf49b6b5978e23c94f29f09f88272782d64d26f3bcc charge 06.20.doc
  6. - 3ebabc542a78fd0112c7431a08ff10588ddd3faf672fca556b88c6d4dd5cbc31 report.06.20.doc
  7. - 856e8ac644454a95bafd07383df000f40085fa87fa244cfb80ba5516f2b9c3cb direct.06.22.2020.doc
  8. - 3ba3b5890c821afdfae1d57eb7dfea5d220614b4d6392144523c7057e08cc121 documents 06.22.2020.doc
  9.  
  10. EXAMPLES OF INITIAL VALAK DLL FILES RETRIEVED BY WORD MACRO:
  11.  
  12. - 6c8642a6860671318c9fd77ee8978d7af3d06d876c302f9d9c08c56c44a9199f C:\ProgramData\1.dat
  13. - 90d8a7979d306223cf237b3b55c6c8bfc12e8785881846ba73bd26faf7e702af C:\ProgramData\1.dat
  14. - c723e0f7918a1f35d0f4a0ca53c123d5f15af3ec370c9596d516251bb6e6afbb C:\ProgramData\1.dat
  15. - 9e45ef202b4dbf13ebdf8d86fd0ab1644b1ff77f92a83e4c7ac2dc304ad5d99f C:\ProgramData\1.dat
  16. - 86372e5cae722d19c2596b5baf15d0edb5e7b72055252aae0aad26a86fd5580b C:\ProgramData\1.dat
  17. - d06593b7ae8887ff78da0f6dff7c3c3b3eaf57ca9138c201524d4f38296645ea C:\ProgramData\1.dat
  18. - 86372e5cae722d19c2596b5baf15d0edb5e7b72055252aae0aad26a86fd5580b C:\ProgramData\1.dat
  19. - a4de3e2fe233d3ebd52b557ff02f88f8c0272bfb6eb59c9786a0ceda3f8991ef C:\ProgramData\1.dat
  20. - 0f28653e65c4809cdfb4e5fff94dba511365805c52dd42e4e647a2a7267c3698 2020-06-22-oev1.cab-from-9nag0.com.bin
  21. - f1635ca01d44a64573c20621a36dc33248c783f023dbd8108ed5295400cb179e 2020-06-22-oev2.cab-from-9nag0.com.bin
  22. - 4797f3bec7b31086fd2aa9e27ef9dd23834a2890db87c23d54b596fe00b5795e 2020-06-22-oev3.cab-from-9nag0.com.bin
  23. - 9e6dd8292aed04e8b8afe6c8df8615f14cfc5f818c6808d2c977be654d3b640a 2020-06-22-oev4.cab-from-9nag0.com.bin
  24. - 87758a310e89c37ea157a0c30bb737e5e6d5f2481074be156f00a836782aebb8 2020-06-22-oev5.cab-from-9nag0.com.bin
  25. - bc8100624bcd1dfa9c72cc31c5970abd30b98d6a8be894761266603a137fcd6a 2020-06-22-oev6.cab-from-9nag0.com.bin
  26. - 7b08762254330e5ad10202ba41e6141b8dfb0bf3ed2ee7738bd5e55acc6186fc 2020-06-22-oev7.cab-from-9nag0.com.bin
  27. - fc6e12e30ad6261ca81b17b26d0d5fb46be253da312d84aa99a13e0e76d324d9 2020-06-22-oev8.cab-from-9nag0.com.bin
  28. - 88efee5ef80bb261c7f399e558e3f5b5d6b53c990d04762dc2d446249a7f74f5 2020-06-22-oev9.cab-from-9nag0.com.bin
  29.  
  30. SCRIPT FILE FROM INFECTED WINDOWS HOST WHEN VALAK DLL WAS SUCCESSFULLY RUN:
  31.  
  32. - 15f852e2c1de29c629f1ba8d7aa57fa32d2c498e21e55a04f6554cd604ec6290 C:\Users\Public\z_JnUjVxd.WKNEP
  33.  
  34. EXE USED DURING VALAK INFECTION:
  35.  
  36. - 8252a023a13fe22501d9bbd72afbe7d2707ba465e4ad3b4f65c0dc7eed8689be C:\Users\[username]\AppData\Local\Temp\e48826fc40.bin
  37.  
  38. SCRIPT FILE FROM INFECTED WINDOWS HOST USED TO KEEP VALAK INFECTION PERSISTENT:
  39.  
  40. - 036ad0e332df08a9ddfe9567dcf02b639e0c9b7f3672078602d38d3dcdd9043e C:\Users\Public\WsuUpdate.js
  41.  
  42. FILE NAME USED FOR ALTERNATE DATA STREAM (ADS) TO HIDE VALAK EXE:
  43.  
  44. - WSUDIAG.EVTX
  45.  
  46. FOLLOW-UP MALWARE (ICEDID INSTALLER) EXE HIDDEN IN ADS:
  47.  
  48. - 55086547bc8ae9789dcef1a2e9a33f428150d1e30ebb37cbeb4f4bea8b7f4830 C:\Users\Public\WSUDIAG.EVTX:af2ed04e
  49.  
  50. VALAK MALWARE INFO:
  51.  
  52. - SOFT_SIG: mad33
  53. - SOFT_VERSION: 40
  54.  
  55. ADDITIONAL ICEDID (BOKBOT) ARTIFACTS SEEN DURING VALAK INFECTION:
  56.  
  57. - f725ec307427416a6ca218ea6c709210190dcde58b99030480bd71cee3a83f28 ~268584562.exe
  58. - 765083ca225163018a682eeb32633c9746c45a9a4e58a5e61094836988de747b Eywuac32.exe
  59.  
  60. URLS FOR VALAK DLL:
  61.  
  62. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev1.cab
  63. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev2.cab
  64. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev3.cab
  65. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev4.cab
  66. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev5.cab
  67. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev6.cab
  68. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev7.cab
  69. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev8.cab
  70. - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev9.cab
  71.  
  72. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev1.cab
  73. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev2.cab
  74. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev3.cab
  75. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev4.cab
  76. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev5.cab
  77. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev6.cab
  78. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev7.cab
  79. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev8.cab
  80. - hxxp://9nag0[.]com/unbbmevd/d76.php?l=oev9.cab
  81.  
  82. DECOY DOMAINS USED DURING VALAK INFECTION:
  83.  
  84. - e87.dspb.akamaidege[.]net
  85. - insiderppe.cloudapp[.]net
  86. - pagead46.l.doubleclick[.]net
  87.  
  88. MALICIOUS DOMAINS USED DURING VALAK INFECTION:
  89.  
  90. - srd-realestate[.]com
  91. - japanship247[.]com
  92. - wbgfreight[.]com
  93. - 000de9383sox0[.]com
  94. - 000odifu83[.]com
  95.  
  96. DOMAINS USED FOR ICEDID:
  97.  
  98. - load4th[.]casa
  99. - seeteator[.]best
  100. - frituator[.]top
  101. - plutiasitop[.]top
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!