2020-11-23 (Monday) - ZLoader infection with follow-up malwrae

1. 2020-11-23 (MONDAY) - ZLOADER (SILENT NIGHT) WITH FOLLOW-UP MALWARE
2.  
3. EXCEL SPREADSHEET:
4.  
5. - SHA256 hash: 2bbe02be545975fcf045b9036a3d78e6a67a3824c308cf4cb7fd647fc939b722
6. - File size: 42,496 bytes
7. - File name: 2371.xls
8. - File description: XLS spreadsheet with macro for ZLoader
9.  
10. ZLOADER MALWARE:
11.  
12. - SHA256 hash: 10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c
13. - File size: 352,768 bytes
14. - File location: hxxps://7cats[.]ch/logs.php
15. - File location: C:\Users\Public\Documents\Lbxrd.txt
16. - File location: C:\Users\[username]\AppData\Roaming\[random letters]\[random letters].dll
17. - File description: DLL for ZLoader retreived by Excel macros
18. - Run method: regsvr32.exe /s [filename]
19.  
20. HTTPS TRAFFIC CAUSED BY ZLOADER DLL:
21.  
22. - hxxps://orangeboxasia[.]com/wp-smarts.php
23.  
24. FOLLOW-UP MALWARE HOSTED ON:
25.  
26. - 172.67.168[.]212 port 443 (HTTPS) - geauverpalithinmyo[.]tk
27.  
28. FOLLOW-UP MALWARE:
29.  
30. - SHA256 hash: aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a
31. - File size: 328,704 bytes
32. - File location: hxxps://eauverpalithinmyo[.]tk/[something]
33. - File location: C:\Users\[username]\AppData\Local\Temp\ser.EXE
34. - File description: EXE for follow-up malware (Cab file self-extractor)
35. - Example: https://app.any.run/tasks/81bccbc7-9ef1-482f-b308-0147ef255f4e
36.  
37. HTTPS TRAFFIC CAUSED BY FOLLOW-UP MALWARE:
38.  
39. - 188.127;235[.]163 port 443 (HTTPS) - 188.127;235[.]163 - POST /808/909.php?si=dW&ko=[long string of additional parameters]
40. - NOTE: See the any.run analysis to get an idea of the URL