MalwareBreakdown

07/20/2020: ZLoader Campaign IOCs

Jul 20th, 2020
https://twitter.com/DynamicAnalysis/status/1285264183328673792

#ZLoader #malspam with .xls attachments.

Downloader URLs:
hxxps://bdvan.com/wp-keys.php
hxxps://atemschutzmasken-schutzmasken.de/wp-keys.php
hxxps://bitcoincasinoreview.com/wp-keys.php
hxxps://ballista.vn/wp-keys.php

C2s:

.xls sample:
https://app.any.run/tasks/3ec42809-fca8-42f9-b9c9-6bf45425e564#

.dll sample:
https://app.any.run/tasks/735f5ec6-fb18-4c92-9d3f-bacf30a50083
_____________________________________________________________________

Here is another .xls sample with a couple of different downloader URLs:

https://ashok-poudel.com.np/wp-keys.php
https://atemschutzmasken-schutzmasken.de/wp-keys.php
https://aulaabierta.agoranews.es/wp-keys.php
https://ballista.vn/wp-keys.php

.xls sample:
https://app.any.run/tasks/f7878778-1305-4eb6-9215-f6f7acac4e85#
_____________________________________________________________________

Additional information from @JasonMilletary (https://twitter.com/JasonMilletary/status/1285295845601087488)

Looks like they upgraded the minor version number from 1.3.27.0 to 1.4.27.0.

Also an additional C2 URL that gets added:
https://tiawildlidapu.tk/wp-parsing.php