- THREAT ATTRIBUTION: ZLOADER
- SUBJECTS OBSERVED
- Chat follow-up email with Agreement for Services
- Detailed Invoice Number 1482
- SENDERS OBSERVED
- eorpwulf_traol@aol[.]com
- oteof[.]rigor@aol[.]com
- EXCEL FILE NAMES
- ta1482[.]xls
- py9350[.]xls
- EXCEL FILE HASHES
- bf149abab587514619125c2ec3f54ac4
- ef74d2b888b8acc039e25f6494d98064
- ZLOADER PAYLOAD URLs
- hxxps://channelmelabd[.]com/wp-keys[.]php
- hxxps://ezy[.]id/wp-keys[.]php
- hxxps://fuefutingtourmomi[.]tk/wp-index[.]php
- hxxps://ksuengineering[.]com/wp-keys[.]php
- hxxps://laserdoctor[.]com[.]br/wp-keys[.]php
- hxxps://luckyprizewon[.]xyz/wp-index[.]php
- hxxps://modifikasi[.]xyz/wp-index[.]php
- hxxps://sympmatidoorslo[.]tk/wp-index[.]php
- ZLOADER C2s
- hxxps://96bkj[.]cn/wp-parsing[.]php
- hxxps://billibazar[.]com/wp-parsing[.]php
- hxxps://desigrocer[.]com/wp-parsing[.]php
- hxxps://hhbiao[.]com/wp-parsing[.]php
- hxxps://i9a[.]cn/wp-parsing[.]php
- hxxps://nedinilorreca[.]tk/wp-parsing[.]php
- hxxps://nieguanabchisibi[.]cf/wp-parsing[.]php
- hxxps://th[.]plus/wp-parsing[.]php
- hxxps://web[.]job2go[.]net/wp-parsing[.]php
- SUPPORTING EVIDENCE
- I opened the malicious documents in my lab and captured the IOCs dynamically.
- Also:
- hxxps://twitter[.]com/DynamicAnalysis/status/1291059343517986816
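The list above is defanged (hxxps:// and [.]) so it cannot be pasted straight into a proxy or mail-gateway search. The following Python is an added example, not part of the paste: it parses the bullet list under its section headers, refangs the values, and sweeps a few constructed proxy-log lines and mail records for hits. The IOC text embedded in the script is a subset copied from the paste above (the other URLs parse identically); the proxy lines and mail records are made up for the demonstration, and the log format is an assumption.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Subset of the IOC paste above, copied verbatim in its defanged form.
IOC_TEXT = """\
- SUBJECTS OBSERVED
- Chat follow-up email with Agreement for Services
- Detailed Invoice Number 1482
- SENDERS OBSERVED
- eorpwulf_traol@aol[.]com
- oteof[.]rigor@aol[.]com
- EXCEL FILE NAMES
- ta1482[.]xls
- py9350[.]xls
- EXCEL FILE HASHES
- bf149abab587514619125c2ec3f54ac4
- ef74d2b888b8acc039e25f6494d98064
- ZLOADER PAYLOAD URLs
- hxxps://channelmelabd[.]com/wp-keys[.]php
- hxxps://ezy[.]id/wp-keys[.]php
- ZLOADER C2s
- hxxps://96bkj[.]cn/wp-parsing[.]php
- hxxps://billibazar[.]com/wp-parsing[.]php
"""

# Section headers in the paste are upper-case labels (optionally ending in a
# plural "s", as in "URLs" and "C2s"); every other bullet is an indicator.
HEADER_RE = re.compile(r"[A-Z0-9 :]+s?")
URL_RE = re.compile(r"https?://\S+")


def refang(value: str) -> str:
    """Undo the paste's defanging so values compare against real logs."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def parse_iocs(text: str) -> dict[str, list[str]]:
    """Group the '- ' bullet lines under their section header, refanged."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("- ").strip()
        if not line:
            continue
        if HEADER_RE.fullmatch(line):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(refang(line))
    return sections


def build_lookups(sections: dict[str, list[str]]) -> dict:
    """Lower-cased lookup sets per indicator type, plus URL/host -> role."""
    def values(keyword: str) -> set[str]:
        return {v.lower() for name, vals in sections.items()
                if keyword in name for v in vals}
    url_role: dict[str, str] = {}
    for name, vals in sections.items():
        role = "payload" if "PAYLOAD" in name else "c2" if "C2" in name else None
        if role:
            url_role.update({v.lower(): role for v in vals})
    return {"url_role": url_role,
            "host_role": {urlparse(u).hostname: r for u, r in url_role.items()},
            "senders": values("SENDER"), "subjects": values("SUBJECT"),
            "names": values("NAME"), "hashes": values("HASH")}


def sweep_proxy(log_lines: list[str], lk: dict) -> list[dict]:
    """Flag lines whose destination host is a payload or C2 host. A host hit
    is reported even if the path differs (the same compromised site can
    serve several URIs); 'exact' says whether the full URL was listed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0).lower()
        role = lk["host_role"].get(urlparse(url).hostname)
        if role:
            hits.append({"line": n, "host": urlparse(url).hostname,
                         "role": role, "exact": url in lk["url_role"]})
    return hits


def sweep_mail(messages: list[dict], lk: dict) -> list[tuple[str, list[str]]]:
    """Return (message id, matched indicator fields) for each hitting message."""
    checks = [("sender", "from", lk["senders"]), ("subject", "subject", lk["subjects"]),
              ("attachment", "attachment", lk["names"]), ("md5", "md5", lk["hashes"])]
    results = []
    for msg in messages:
        matched = [label for label, key, pool in checks
                   if msg.get(key, "").lower() in pool]
        if matched:
            results.append((msg["id"], matched))
    return results


# Constructed sample data (assumed format: timestamp client method url status).
PROXY_LOG = [
    "2020-08-05T10:02:11Z 10.1.4.22 GET https://ezy.id/wp-keys.php 200",
    "2020-08-05T10:02:13Z 10.1.4.22 GET https://www.example.org/index.html 200",
    "2020-08-05T10:05:40Z 10.1.4.22 POST https://billibazar.com/wp-parsing.php 200",
    "2020-08-05T10:07:02Z 10.1.4.31 GET https://96bkj.cn/other.php 404",
]
MAIL = [
    {"id": "m1", "from": "Oteof.Rigor@aol.com", "subject": "Detailed Invoice Number 1482",
     "attachment": "ta1482.xls", "md5": "bf149abab587514619125c2ec3f54ac4"},
    {"id": "m2", "from": "accounts@example.org", "subject": "Invoice 2291",
     "attachment": "q3.xlsx", "md5": "0" * 32},
]

if __name__ == "__main__":
    lookups = build_lookups(parse_iocs(IOC_TEXT))
    for hit in sweep_proxy(PROXY_LOG, lookups):
        print("proxy", hit)
    for msg_id, fields in sweep_mail(MAIL, lookups):
        print("mail", msg_id, fields)
```

Host-level matching is deliberate: the payload and C2 hosts here are mostly compromised WordPress sites, so a client reaching the same host on a different path is still worth a look, and the `exact` flag tells the analyst which hits need no further triage. Sender and hash checks are case-insensitive because gateways normalise these fields inconsistently.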