- FRIDAY 2020-05-22 - MALSPAM WITH PASSWORD PROTECTED ZIP ATTACHMENTS PUSHES VALAK WITH ICEDID
- SHA256 HASHES OF THREE EMAILS FROM 2020-05-22 SUBMITTED TO VIRUSTOTAL:
- - 256f19fdd6c32727ee0f7a515e0a75a85ad8ceeb8a508dbab3b92e55e908ab2c
- - 653426a56593eae5f209da871ec756f9ecb4d2252305b4c37d0419ff358c1694
- - a9c0a6f4647f367dbb841e8b15d72967ef3926ba5339849cb883a888d6561d16
- ZIP ARCHIVES HAVE PASSWORDS OF 5 ALPHA-NUMERIC CHARACTERS, EXAMPLES:
- - 7d072a55d43ee84b07a9f70abc157e8c0701feb95d07ade102903ffeff2628ed Adam_signs.zip password: 876HK
- - c24fdcfa1c646c6ed92e5ae05a3bec484aab7b5c955200da14f9a2845a71c7f4 AngelDough.zip password: 847RT
- - 161c1dca59c023c355b3597a27ac786a3ecc9028da3a2216f57166477b4ebc47 Art_Skills.zip password: 847RT
- - 2f146c1f4b495544c857d8e39b81daee7a637f6455bb9d0b50830e3a33a3400f Sunrise.zip password: 990ES
- SOME FILE HASHES FOR WORD DOCS EXTRACTED FROM THE PASSWORD-PROTECTED ZIP ARCHIVES:
- SOME URLS FOR INITIAL VALAK DLL RETRIEVED BY WORD MACROS:
- LEGITIMATE DOMAINS USED FOR VALAK C2:
- - redirector[.]gvt1[.]com
- - onecs-live[.]azureedge[.]net
- - ipm-provider[.]ff.avast[.]com
- MALWARE DOMAINS USED FOR VALAK C2:
- - cot3d[.]com
- - zhankai168[.]com
- - 360yunkang[.]com
- - bcp7mbg[.]com
- - ke3rrzx[.]com
- EXAMPLE OF WORD DOC WITH MACROS FOR VALAK:
- - SHA256 hash: e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
- -- https://bazaar.abuse.ch/sample/e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
- -- https://app.any.run/tasks/f9852e70-413c-49c1-a1ed-74ce90c38486
- -- https://capesandbox.com/analysis/4639/
- -- https://hybrid-analysis.com/sample/e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
- EXAMPLE OF INITIAL VALAK DLL RETRIEVED BY WORD MACROS:
- - SHA256 hash: 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
- -- https://bazaar.abuse.ch/sample/4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
- -- https://app.any.run/tasks/5cabfd09-131d-4458-ad25-879fa90bc4af
- -- https://capesandbox.com/analysis/4638/
- -- https://hybrid-analysis.com/sample/4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
- FOLLOW-UP ICEDID (BOKBOT) MALWARE:
- - SHA256 hash: df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
- -- https://bazaar.abuse.ch/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
- -- https://app.any.run/tasks/6b57fda7-dd83-44c9-a8d0-3befecb7c4c6
- -- https://capesandbox.com/analysis/4636/
- -- https://hybrid-analysis.com/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec