malware_traffic

2020-11-23 (Monday) - ZLoader infection with follow-up malware

Nov 23rd, 2020
2020-11-23 (MONDAY) - ZLOADER (SILENT NIGHT) WITH FOLLOW-UP MALWARE

EXCEL SPREADSHEET:

- SHA256 hash: 2bbe02be545975fcf045b9036a3d78e6a67a3824c308cf4cb7fd647fc939b722
- File size: 42,496 bytes
- File name: 2371.xls
- File description: XLS spreadsheet with macro for ZLoader

ZLOADER MALWARE:

- SHA256 hash: 10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c
- File size: 352,768 bytes
- File location: hxxps://7cats[.]ch/logs.php
- File location: C:\Users\Public\Documents\Lbxrd.txt
- File location: C:\Users\[username]\AppData\Roaming\[random letters]\[random letters].dll
- File description: DLL for ZLoader retrieved by Excel macros
- Run method: regsvr32.exe /s [filename]

HTTPS TRAFFIC CAUSED BY ZLOADER DLL:

- hxxps://orangeboxasia[.]com/wp-smarts.php

FOLLOW-UP MALWARE HOSTED ON:

- 172.67.168[.]212 port 443 (HTTPS) - geauverpalithinmyo[.]tk

FOLLOW-UP MALWARE:

- SHA256 hash: aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a
- File size: 328,704 bytes
- File location: hxxps://eauverpalithinmyo[.]tk/[something]
- File location: C:\Users\[username]\AppData\Local\Temp\ser.EXE
- File description: EXE for follow-up malware (Cab file self-extractor)
- Example: https://app.any.run/tasks/81bccbc7-9ef1-482f-b308-0147ef255f4e

HTTPS TRAFFIC CAUSED BY FOLLOW-UP MALWARE:

- 188.127.235[.]163 port 443 (HTTPS) - 188.127.235[.]163 - POST /808/909.php?si=dW&ko=[long string of additional parameters]
- NOTE: See the any.run analysis to get an idea of the URL
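The indicators above are published defanged (hxxps, [.]), so they cannot be dropped straight into a blocklist or a log search. The following is an added example, not part of the original paste: it refangs the indicator text from this list, extracts hashes, URLs, domains and IP addresses, and checks them against a few constructed log lines. It also flags the run method described above (regsvr32.exe /s on a DLL under AppData\Roaming). The log line layout, the username "alice" and the DLL path in the sample logs are assumptions made up for the example.

```python
"""Refang and match the ZLoader indicators from the paste above.

Added example; the sample log lines below are constructed, not captured.
"""
import re

# Indicator text copied from the paste above, defanged exactly as published.
IOC_TEXT = """
- SHA256 hash: 2bbe02be545975fcf045b9036a3d78e6a67a3824c308cf4cb7fd647fc939b722
- SHA256 hash: 10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c
- File location: hxxps://7cats[.]ch/logs.php
- hxxps://orangeboxasia[.]com/wp-smarts.php
- 172.67.168[.]212 port 443 (HTTPS) - geauverpalithinmyo[.]tk
- SHA256 hash: aeda13f046a4bd5994048e7ed26be65823484860ae9145014d40785850b1ab8a
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Run method from the paste: regsvr32.exe /s <dll>, with the DLL under AppData\Roaming.
REGSVR32_RE = re.compile(r"regsvr32(?:\.exe)?\s+/s\s+.*appdata\\roaming\\", re.I)


def refang(text: str) -> str:
    """Undo the usual defanging conventions (hxxp, [.], [:])."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", ".")
                .replace("[:]", ":"))


def extract_iocs(defanged_text: str) -> dict:
    """Return sets of sha256 hashes, URLs, domains and IPv4 addresses."""
    text = refang(defanged_text.lower())
    urls = set(URL_RE.findall(text))
    # Hostnames inside URLs count as domain indicators too.
    hosts = {u.split("://", 1)[1].split("/", 1)[0] for u in urls}
    # Remove the URLs before the domain regex runs, so path parts like
    # "logs.php" are not mistaken for domains.
    rest = URL_RE.sub(" ", text)
    domains = set(DOMAIN_RE.findall(rest)) | hosts
    return {
        "sha256": set(SHA256_RE.findall(text)),
        "url": urls,
        "domain": domains,
        "ip": set(IPV4_RE.findall(text)),
    }


def match_log_line(line: str, iocs: dict) -> list:
    """Return (kind, indicator) pairs whose indicator appears in the line."""
    lowered = line.lower()
    hits = []
    for kind in ("sha256", "url", "domain", "ip"):
        for ioc in sorted(iocs[kind]):
            if ioc in lowered:
                hits.append((kind, ioc))
    return hits


def suspicious_regsvr32(cmdline: str) -> bool:
    """True when a command line matches the paste's ZLoader run method."""
    return bool(REGSVR32_RE.search(cmdline))


# Constructed sample logs (a proxy log, a DNS log, a process-creation log
# and one benign line); the username and DLL path are made up.
SAMPLE_LOGS = [
    "proxy host=orangeboxasia.com method=POST uri=/wp-smarts.php status=200",
    "dns query=geauverpalithinmyo.tk answer=172.67.168.212",
    'sysmon event=1 image=C:\\Windows\\System32\\regsvr32.exe '
    'cmdline="regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\Kxqz\\Ptrv.dll"',
    "proxy host=example.org method=GET uri=/ status=200",
]


def scan(lines: list, iocs: dict) -> dict:
    """Map line index -> list of findings (IoC hits and regsvr32 matches)."""
    findings = {}
    for i, line in enumerate(lines):
        hits = match_log_line(line, iocs)
        if suspicious_regsvr32(line):
            hits.append(("behaviour", "regsvr32 /s on DLL under AppData\\Roaming"))
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS, extract_iocs(IOC_TEXT)).items():
        print(idx, SAMPLE_LOGS[idx])
        for kind, value in hits:
            print("   ", kind, value)
```

The domain extraction deliberately strips URLs first; without that step, path components such as logs.php would be reported as domains and would generate noise in any search built on the list.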