2020-05-22 - malspam with zip files pushes Valak with IcedID

malware_traffic, May 22nd, 2020 (edited)
FRIDAY 2020-05-22 - MALSPAM WITH PASSWORD-PROTECTED ZIP ATTACHMENTS PUSHES VALAK WITH ICEDID

SHA256 HASHES OF THREE EMAILS FROM 2020-05-22 SUBMITTED TO VIRUSTOTAL:

- 256f19fdd6c32727ee0f7a515e0a75a85ad8ceeb8a508dbab3b92e55e908ab2c
- 653426a56593eae5f209da871ec756f9ecb4d2252305b4c37d0419ff358c1694
- a9c0a6f4647f367dbb841e8b15d72967ef3926ba5339849cb883a888d6561d16

ZIP ARCHIVES HAVE PASSWORDS OF 5 ALPHA-NUMERIC CHARACTERS, EXAMPLES:

- 7d072a55d43ee84b07a9f70abc157e8c0701feb95d07ade102903ffeff2628ed  Adam_signs.zip  password: 876HK
- c24fdcfa1c646c6ed92e5ae05a3bec484aab7b5c955200da14f9a2845a71c7f4  AngelDough.zip  password: 847RT
- 161c1dca59c023c355b3597a27ac786a3ecc9028da3a2216f57166477b4ebc47  Art_Skills.zip  password: 847RT
- 2f146c1f4b495544c857d8e39b81daee7a637f6455bb9d0b50830e3a33a3400f  Sunrise.zip     password: 990ES

SOME FILE HASHES FOR WORD DOCS EXTRACTED FROM THE PASSWORD-PROTECTED ZIP ARCHIVES:

SOME URLS FOR INITIAL VALAK DLL RETRIEVED BY WORD MACROS:

LEGITIMATE DOMAINS USED FOR VALAK C2:

- redirector[.]gvt1[.]com
- onecs-live[.]azureedge[.]net
- ipm-provider[.]ff.avast[.]com

MALWARE DOMAINS USED FOR VALAK C2:

- cot3d[.]com
- zhankai168[.]com
- 360yunkang[.]com
- bcp7mbg[.]com
- ke3rrzx[.]com

EXAMPLE OF WORD DOC WITH MACROS FOR VALAK:

- SHA256 hash: e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
  -- https://bazaar.abuse.ch/sample/e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
  -- https://app.any.run/tasks/f9852e70-413c-49c1-a1ed-74ce90c38486
  -- https://capesandbox.com/analysis/4639/
  -- https://hybrid-analysis.com/sample/e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513

EXAMPLE OF INITIAL VALAK DLL RETRIEVED BY WORD MACROS:

- SHA256 hash: 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
  -- https://bazaar.abuse.ch/sample/4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
  -- https://app.any.run/tasks/5cabfd09-131d-4458-ad25-879fa90bc4af
  -- https://capesandbox.com/analysis/4638/
  -- https://hybrid-analysis.com/sample/4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a

FOLLOW-UP ICEDID (BOKBOT) MALWARE:

- SHA256 hash: df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
  -- https://bazaar.abuse.ch/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
  -- https://app.any.run/tasks/6b57fda7-dd83-44c9-a8d0-3befecb7c4c6
  -- https://capesandbox.com/analysis/4636/
  -- https://hybrid-analysis.com/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec