- 2020-11-23 (MONDAY) - ZLOADER (SILENT NIGHT) WITH FOLLOW-UP MALWARE
- EXCEL SPREADSHEET:
- - SHA256 hash: 2bbe02be545975fcf045b9036a3d78e6a67a3824c308cf4cb7fd647fc939b722
- - File size: 42,496 bytes
- - File name: 2371.xls
- - File description: XLS spreadsheet with macro for ZLoader
- ZLOADER MALWARE:
- - SHA256 hash: 10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c
- - File size: 352,768 bytes
- - File location: hxxps://7cats[.]ch/logs.php
- - File location: C:\Users\Public\Documents\Lbxrd.txt
- - File location: C:\Users\[username]\AppData\Roaming\[random letters]\[random letters].dll
- - File description: DLL for ZLoader retrieved by Excel macros
- - Run method: regsvr32.exe /s [filename]
- HTTPS TRAFFIC CAUSED BY ZLOADER DLL:
- - hxxps://orangeboxasia[.]com/wp-smarts.php
- FOLLOW-UP MALWARE HOSTED ON:
- - 172.67.168[.]212 port 443 (HTTPS) - geauverpalithinmyo[.]tk
- FOLLOW-UP MALWARE:
- - SHA256 hash: aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a
- - File size: 328,704 bytes
- - File location: hxxps://eauverpalithinmyo[.]tk/[something]
- - File location: C:\Users\[username]\AppData\Local\Temp\ser.EXE
- - File description: EXE for follow-up malware (Cab file self-extractor)
- - Example: https://app.any.run/tasks/81bccbc7-9ef1-482f-b308-0147ef255f4e
- HTTPS TRAFFIC CAUSED BY FOLLOW-UP MALWARE:
- - 188.127.235[.]163 port 443 (HTTPS) - 188.127.235[.]163 - POST /808/909.php?si=dW&ko=[long string of additional parameters]
- - NOTE: See the any.run analysis to get an idea of the URL