malware_traffic

2020-11-23 (Monday) - ZLoader infection with follow-up malware

Nov 23rd, 2020
2020-11-23 (MONDAY) - ZLOADER (SILENT NIGHT) WITH FOLLOW-UP MALWARE

EXCEL SPREADSHEET:

- SHA256 hash: 2bbe02be545975fcf045b9036a3d78e6a67a3824c308cf4cb7fd647fc939b722
- File size: 42,496 bytes
- File name: 2371.xls
- File description: XLS spreadsheet with macro for ZLoader

ZLOADER MALWARE:

- SHA256 hash: 10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c
- File size: 352,768 bytes
- File location: hxxps://7cats[.]ch/logs.php
- File location: C:\Users\Public\Documents\Lbxrd.txt
- File location: C:\Users\[username]\AppData\Roaming\[random letters]\[random letters].dll
- File description: DLL for ZLoader retrieved by Excel macros
- Run method: regsvr32.exe /s [filename]

HTTPS TRAFFIC CAUSED BY ZLOADER DLL:

- hxxps://orangeboxasia[.]com/wp-smarts.php

FOLLOW-UP MALWARE HOSTED ON:

- 172.67.168[.]212 port 443 (HTTPS) - geauverpalithinmyo[.]tk

FOLLOW-UP MALWARE:

- SHA256 hash: aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a
- File size: 328,704 bytes
- File location: hxxps://eauverpalithinmyo[.]tk/[something]
- File location: C:\Users\[username]\AppData\Local\Temp\ser.EXE
- File description: EXE for follow-up malware (Cab file self-extractor)
- Example: https://app.any.run/tasks/81bccbc7-9ef1-482f-b308-0147ef255f4e

HTTPS TRAFFIC CAUSED BY FOLLOW-UP MALWARE:

- 188.127.235[.]163 port 443 (HTTPS) - 188.127.235[.]163 - POST /808/909.php?si=dW&ko=[long string of additional parameters]
- NOTE: See the any.run analysis to get an idea of the URL
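The following script is an added example, not part of the original paste, showing how a defender would turn the indicators listed above into a matching routine and run it over log lines. The hashes, URLs, IP addresses, paths, C2 request path and regsvr32 run method are the values the paste gives; the log lines, labels and function names are constructed for the demonstration. The .tk domain is spelled two different ways in the paste, so the example matches the follow-up malware host on its IP address rather than on the domain.

```python
"""Match the indicators from the paste above against sample log lines.

Added example (not part of the original paste). Indicator values are the
ones the paste lists; the log lines and labels below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Defanged network indicators exactly as the paste lists them, labelled by role.
DEFANGED_INDICATORS = {
    "hxxps://7cats[.]ch/logs.php": "ZLoader DLL download",
    "hxxps://orangeboxasia[.]com/wp-smarts.php": "ZLoader C2 check-in",
    "172.67.168[.]212": "follow-up malware host",
    "188.127.235[.]163": "follow-up malware C2",
}
# File-system artifacts from the paste; the [username] part is dropped so the
# remaining fragment matches any user profile.
PATH_INDICATORS = {
    "C:\\Users\\Public\\Documents\\Lbxrd.txt": "ZLoader DLL staging path",
    "\\AppData\\Local\\Temp\\ser.EXE": "follow-up malware drop path",
}
# SHA256 hashes from the paste.
HASH_INDICATORS = {
    "2bbe02be545975fcf045b9036a3d78e6a67a3824c308cf4cb7fd647fc939b722": "hash: 2371.xls",
    "10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c": "hash: ZLoader DLL",
    "aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a": "hash: ser.EXE",
}
# The paste gives the C2 request only as POST /808/909.php?si=...&ko=...,
# so match on the path; the query values vary per victim.
C2_PATH_INDICATORS = {"/808/909.php": "follow-up malware C2 path"}

# Run method from the paste: regsvr32.exe /s <dll>. On its own this is noisy
# (legitimate installers use it too); it is most useful when the parent
# process is an Office application, as in the constructed Sysmon line below.
REGSVR32_SILENT = re.compile(r"regsvr32(\.exe)?\s+/s\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its real form."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def build_indicators() -> Dict[str, str]:
    """Return {lower-cased real-form indicator: label} for substring matching."""
    table = {}
    for value, label in DEFANGED_INDICATORS.items():
        table[refang(value).lower()] = label
    for group in (PATH_INDICATORS, HASH_INDICATORS, C2_PATH_INDICATORS):
        for value, label in group.items():
            table[value.lower()] = label
    return table


def match_line(line: str, indicators: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the sorted labels of every indicator found in one log line."""
    if indicators is None:
        indicators = build_indicators()
    low = line.lower()
    hits = [label for value, label in indicators.items() if value in low]
    if REGSVR32_SILENT.search(line):
        hits.append("regsvr32 /s execution (ZLoader run method)")
    return sorted(hits)


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, labels) for every line that matched at least one indicator."""
    indicators = build_indicators()
    results = []
    for line in lines:
        hits = match_line(line, indicators)
        if hits:
            results.append((line, hits))
    return results


# Constructed log lines (proxy, Sysmon-style process creation, EDR file event)
# modelled on the infection chain the paste describes; not real captures.
SAMPLE_LOGS = [
    "2020-11-23T14:02:11Z proxy 10.0.0.15 GET https://7cats.ch/logs.php 200 352768",
    '2020-11-23T14:02:13Z sysmon ProcessCreate ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE '
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32.exe /s C:\\Users\\Public\\Documents\\Lbxrd.txt"',
    "2020-11-23T14:02:20Z proxy 10.0.0.15 POST https://orangeboxasia.com/wp-smarts.php 200 1203",
    "2020-11-23T14:05:44Z proxy 10.0.0.15 CONNECT 172.67.168.212:443 200 0",
    "2020-11-23T14:06:02Z edr FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\ser.EXE "
    "sha256=aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a",
    "2020-11-23T14:06:30Z proxy 10.0.0.15 POST https://188.127.235.163/808/909.php?si=dW&ko=AAAA 200 512",
    "2020-11-23T14:07:00Z proxy 10.0.0.15 GET https://www.example.com/index.html 200 4096",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(f"{', '.join(hits)}\n    {line}")
```

Matching is plain case-insensitive substring search after refanging, which is enough for hashes, full URLs and IPs; in production the network indicators would be loaded from a feed and the regsvr32 rule scoped to Office parent processes to keep the false-positive rate down.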