malware_traffic

2020-05-22 - malspam with zip files pushes Valak with IcedID

May 22nd, 2020
FRIDAY 2020-05-22 - MALSPAM WITH PASSWORD PROTECTED ZIP ATTACHMENTS PUSHES VALAK WITH ICEDID

SHA256 HASHES OF THREE EMAILS FROM 2020-05-22 SUBMITTED TO VIRUSTOTAL:

- 256f19fdd6c32727ee0f7a515e0a75a85ad8ceeb8a508dbab3b92e55e908ab2c
- 653426a56593eae5f209da871ec756f9ecb4d2252305b4c37d0419ff358c1694
- a9c0a6f4647f367dbb841e8b15d72967ef3926ba5339849cb883a888d6561d16

ZIP ARCHIVES HAVE PASSWORDS OF 5 ALPHA-NUMERIC CHARACTERS, EXAMPLES:

- 7d072a55d43ee84b07a9f70abc157e8c0701feb95d07ade102903ffeff2628ed Adam_signs.zip password: 876HK
- c24fdcfa1c646c6ed92e5ae05a3bec484aab7b5c955200da14f9a2845a71c7f4 AngelDough.zip password: 847RT
- 161c1dca59c023c355b3597a27ac786a3ecc9028da3a2216f57166477b4ebc47 Art_Skills.zip password: 847RT
- 2f146c1f4b495544c857d8e39b81daee7a637f6455bb9d0b50830e3a33a3400f Sunrise.zip password: 990ES

SOME FILE HASHES FOR WORD DOCS EXTRACTED FROM THE PASSWORD-PROTECTED ZIP ARCHIVES:


SOME URLS FOR INITIAL VALAK DLL RETRIEVED BY WORD MACROS:


LEGITIMATE DOMAINS USED FOR VALAK C2:

- redirector[.]gvt1[.]com
- onecs-live[.]azureedge[.]net
- ipm-provider[.]ff.avast[.]com

MALWARE DOMAINS USED FOR VALAK C2:

- cot3d[.]com
- zhankai168[.]com
- 360yunkang[.]com
- bcp7mbg[.]com
- ke3rrzx[.]com

EXAMPLE OF WORD DOC WITH MACROS FOR VALAK:

- SHA256 hash: e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
-- https://bazaar.abuse.ch/sample/e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513
-- https://app.any.run/tasks/f9852e70-413c-49c1-a1ed-74ce90c38486
-- https://capesandbox.com/analysis/4639/
-- https://hybrid-analysis.com/sample/e61d3c1e61777a1611499315d1a702a514766df9eb9c7b0c944654593d333513

EXAMPLE OF INITIAL VALAK DLL RETRIEVED BY WORD MACROS:

- SHA256 hash: 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
-- https://bazaar.abuse.ch/sample/4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
-- https://app.any.run/tasks/5cabfd09-131d-4458-ad25-879fa90bc4af
-- https://capesandbox.com/analysis/4638/
-- https://hybrid-analysis.com/sample/4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a

FOLLOW-UP ICEDID (BOKBOT) MALWARE:

- SHA256 hash: df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
-- https://bazaar.abuse.ch/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
-- https://app.any.run/tasks/6b57fda7-dd83-44c9-a8d0-3befecb7c4c6
-- https://capesandbox.com/analysis/4636/
-- https://hybrid-analysis.com/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec