pandazheng

Astaroth IOCS 20201202

Dec 4th, 2020
2020-12-02-Astaroth-IOCs
https://github.com/pan-unit42/tweets/blob/master/2020-12-02-Astaroth-IOCs.txt

2020-12-02 (WEDNESDAY) - ASTAROTH (GUILDMA) MALWARE FROM PORTUGUESE LANGUAGE MALSPAM

NOTES:

- A password-protected zip archive of the email and associated malware is available at:
-- https://github.com/pan-unit42/tweets/blob/master/2020-12-02-Astaroth-email-and-malware.zip
- Password for the above zip archive is: infected

- Astaroth (also known as Guildma and other names) is a long-running malware family that originally targeted Brazil but is now targeting other areas.

- For a list of articles on Astaroth, see: https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth

- A tweet from 2020-11-24 related to this activity by @huntingneo is at: https://twitter.com/huntingneo/status/1331346995487903745

EMAIL HEADERS:

- Received: from geral01.pravalerx.net (geral01.pravalerx.net [91.211.245.89])
- Subject:
- From: Evelyn Castro <[email protected]>
- Date: Wed, 02 Dec 2020 04:33:05 -0300

ORIGINAL MESSAGE:

Segue anexo o meu currículo completo para a sua avaliação.
Desde já agradeço a oportunidade e me coloco à disposição para outras informações.

Caso não aceitem currículo por email, teria como me orientar onde devo deixar o currículo??
Obrigado.

MESSAGE TRANSLATED TO ENGLISH:

Attached is my complete curriculum for your evaluation.
I thank you for the opportunity and make myself available for further information.

If they do not accept a resume by email, would I be able to orient myself where I should leave the resume??
Thanks.

LINK IN THE EMAIL:

- hxxp://vfiawe.tronects[.]net/9QE05CAP5PL1L8P1B9864U6QKC90Q/5975TRMAAMV/Curriculo86352445

TRAFFIC FROM LINK IN THE EMAIL:

- 172.67.217[.]180 port 80 - vfiawe.tronects[.]net - GET /9QE05CAP5PL1L8P1B9864U6QKC90Q/5975TRMAAMV/Curriculo86352445
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /tag.php?tag=%3Cscript%20src=%22https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js%22%3E%3C/script%3E%3Cscript%20type=%22text/javascript%22%20src=%22http://vfiawe.tronects[.]net/jquery.min.php%22%3E%3C/script%3E?%3Cscript%3EIf
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /style.css
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /jquery.accessible-news-slider.css
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /fancybox/jquery.fancybox-1.2.6.css
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /fancybox/jquery.fancybox-1.2.6.pack.js
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /js/scrolltopcontrol.js
- 172.67.217[.]180 port 80 - vfiawe.tronects[.]net - GET /jquery.min.php
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /img/logo-400.png
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /img/holz.jpg
- 81.169.145[.]66 port 80 - www.xi-hu[.]de - GET /img/sprites-nav.png
- 172.67.217[.]180 port 80 - vfiawe.tronects[.]net - GET /SCRLRRM/MBKKRBXNQ/Diretorio_Digital946z64y64
- 172.67.217[.]180 port 80 - vfiawe.tronects[.]net - GET /favicon.ico

POST-INFECTION TRAFFIC:

- 104.28.12[.]177 port 80 - t3oomr.piajq6b3uptu[.]be - GET /?1/
- 104.31.79[.]202 port 443 - wra60.aojjse1r7bwl[.]re - Client Hello

DOWNLOADED ZIP ARCHIVE AND EXTRACTED FILES (READ: SHA256 HASH - FILE NAME):

- fce6f3c7d39bdb5ca245775b406844ca9f2b434bb404b69862dcbf8d34c0b991 - Diretorio_Digital946892.zip
- 557f8a24b3e2d9bb6a0526d21610788fbe52f15542572f8f4cad0daddea63808 - Diretorio_Digital94655..z
- f0ba0bd9560279cf07a022b10a3cc323d07dd9195ea4ab6ceab4ce409830dbed - Diretorio_Digital94655.lnk

LOCATION OF MALWARE/ARTIFACTS ON AN INFECTED WINDOWS HOST:

- C:\Users\Public\go
- C:\Users\Public\kq
- C:\Users\Public\WBW.js
- C:\Users\Public\Downloads\VIF31072827218G\log32.dll
- C:\Users\Public\Downloads\VIF31072827218G\log33.dll
- C:\Users\Public\Downloads\VIF31072827218G\r1.log
- C:\Users\Public\Downloads\VIF31072827218G\svchost.exe (copy of legitimate system file)
- C:\Users\Public\Downloads\VIF31072827218G\win.dll

SHA256 HASHES FOR THE ARTIFACTS:

- 2e4f01a046edf5300a898c5f9f8dc35a3050a92f0c802da36391d09dc5f1f98b - kq
- a5ad0a1d1eee90841de6e7d8d8a8edc5586cfd2ae2634b6fdc51efff09458ff4 - go
- a2ba33e9abc6dbf93e0975fcc946a9836a76c768d25aa7842f411cd08eb678ea - WBW.js

- b1193a0b8606f4746b3c9b1f2e2420525fb58aa72fda0eb8a3d7ac54f4b76c74 - log32.dll
- ce8e44f01e70a9616511394ede14c9bd5922d848ef761b0a413de324ae5ca66d - log33.dll
- eacecfd138a122d8ba4038da8364e9d2ebcff76cad7c6db7d2cc7cc0fb08b7d4 - r1.log
- 412a6b755b2029126d46e7469854add3faa850f5a4700dd1e078fcc536ca418a - svchost.exe
- e6f2f01099d1d71e86cc2ff5650f556983d5524dc0fbe13634b4c8dda8b6fa77 - win.dll