forked from PaloAltoNetworks/Unit42-timely-threat-intel
2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt
2022-02-17 (THURSDAY) - WINDOWS INFECTION ACTIVITY FROM BRAZIL-TARGETED MALSPAM

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1496172957726560257

EMAIL HEADERS:

Received: from thiag77940[.]vds (mail01.nota-comercio.com [195.28.183[.]90])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by [recipient's mail server] (Postfix) with ESMTPS id 4JzGT109qhz3wZQ
        for <[recipient's email address]>; Wed, 16 Feb 2022 11:49:03 +0000 (UTC)
Received: by thiag77940[.]vds (Postfix, from userid 0)
        id 9A0DC7EA80; Wed, 16 Feb 2022 11:48:38 +0000 (UTC)
Subject: Arquivo NF-e - Pedido N (46512154)
From: nfe@nfpaulista.com
Message-Id: <20220216114838.9A0DC7EA80@thiag77940[.]vds>
Date: Wed, 16 Feb 2022 11:48:38 +0000 (UTC)

LINK FROM THE EMAIL:

- hxxp://nfe5.doomdns[.]org/

TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 20.77.245[.]61 port 80 - nfe5.doomdns[.]org - GET /
- 20.77.245[.]61 port 80 - download2.go.dyndns[.]org - GET /5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_/
- 20.77.245[.]61 port 80 - nfe6.dyndns[.]ws - GET /Nota.zip
- 52.161.99[.]171 port 80 - plugtree.duckdns[.]org - GET /libwinpthread-1.css
- 20.77.245[.]61 port 80 - clientes.is-saved[.]org - POST /clientes/postUP.php
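
The traffic block above is the part of this list most useful for a retrospective hunt in web-proxy logs. The Python below is an added example, not part of the Unit42 list: it parses the defanged traffic lines exactly as written, refangs them (`[.]` and `hxxp`), percent-decodes the odd download2.go.dyndns[.]org path so encoded and decoded proxy logging both match, and then checks a few constructed proxy log lines for hits on host, destination IP, or exact method plus URL. The log format ("timestamp client dst:port method url status"), the 10.0.0.x clients, 198.51.100.7 and www.example.com are assumptions made up for the example, not observed data.

```python
from __future__ import annotations

import re
from urllib.parse import unquote, urlparse

# Defanged "TRAFFIC FROM AN INFECTED WINDOWS HOST" lines, copied verbatim from the list above.
TRAFFIC_IOCS = """\
- 20.77.245[.]61 port 80 - nfe5.doomdns[.]org - GET /
- 20.77.245[.]61 port 80 - download2.go.dyndns[.]org - GET /5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_/
- 20.77.245[.]61 port 80 - nfe6.dyndns[.]ws - GET /Nota.zip
- 52.161.99[.]171 port 80 - plugtree.duckdns[.]org - GET /libwinpthread-1.css
- 20.77.245[.]61 port 80 - clientes.is-saved[.]org - POST /clientes/postUP.php
"""

# Constructed proxy log for the example (assumed format: "timestamp client dst:port method url status").
# The client addresses, 198.51.100.7 and www.example.com are invented; they are not from the report.
CONSTRUCTED_PROXY_LOG = """\
2022-02-16T11:52:10Z 10.0.0.15 20.77.245.61:80 GET http://nfe5.doomdns.org/ 200
2022-02-16T11:52:14Z 10.0.0.15 20.77.245.61:80 GET http://NFE6.dyndns.ws/Nota.zip 200
2022-02-16T11:53:01Z 10.0.0.15 52.161.99.171:80 GET http://plugtree.duckdns.org/libwinpthread-1.css 200
2022-02-16T11:55:40Z 10.0.0.22 198.51.100.7:443 CONNECT www.example.com:443 200
2022-02-16T11:56:02Z 10.0.0.15 20.77.245.61:80 POST http://clientes.is-saved.org/clientes/postUP.php 200
"""

# "- <ip> port <n> - <host> - <METHOD> <path>" as used in the list above.
IOC_LINE = re.compile(
    r"^- (?P<ip>\S+) port (?P<port>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$"
)


def refang(text: str) -> str:
    """Undo the report's defanging so values compare equal to what logs contain."""
    return text.replace("[.]", ".").replace("hxxp://", "http://")


def parse_traffic(text: str) -> list[dict]:
    """Turn the defanged traffic lines into comparable IOC records."""
    iocs = []
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue  # headings, blank lines, anything not in the "- ip port n - host - METHOD path" shape
        d = m.groupdict()
        iocs.append({
            "ip": refang(d["ip"]),
            "port": int(d["port"]),
            "host": refang(d["host"]).lower(),
            "method": d["method"],
            "path": unquote(d["path"]),  # normalise %xx so encoded and decoded logging both match
        })
    return iocs


def match_proxy_log(log_text: str, iocs: list[dict]) -> list[dict]:
    """Return one hit per log line that touches an IOC host, destination IP, or exact method+URL."""
    hosts = {i["host"] for i in iocs}
    ips = {i["ip"] for i in iocs}
    urls = {(i["method"], i["host"], i["path"]) for i in iocs}
    hits = []
    for line in log_text.splitlines():
        ts, client, dst, method, url, status = line.split()
        dst_ip = dst.rsplit(":", 1)[0]
        if "://" in url:
            parsed = urlparse(url)
            host, path = (parsed.hostname or "").lower(), unquote(parsed.path or "/")
        else:  # CONNECT lines carry "host:port" rather than a full URL
            host, path = url.rsplit(":", 1)[0].lower(), ""
        reasons = []
        if host in hosts:
            reasons.append("host")
        if dst_ip in ips:
            reasons.append("ip")
        if (method, host, path) in urls:
            reasons.append("url")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
    return hits


def infected_clients(hits: list[dict]) -> set[str]:
    """Internal hosts to isolate and image; the POST to /clientes/postUP.php is the strongest signal."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    found = match_proxy_log(CONSTRUCTED_PROXY_LOG, parse_traffic(TRAFFIC_IOCS))
    for h in found:
        print(h)
    print("clients to triage:", sorted(infected_clients(found)))
```

Host matches on the dynamic-DNS names are the durable part of this: the two Azure-range IPs (20.77.245[.]61, 52.161.99[.]171) are shared hosting and will rotate, so a hit on IP alone should be confirmed against the host or URL before anyone is paged.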

ASSOCIATED MALWARE:

- SHA256 hash: eb5a367f80ee1dd72a5b7ae184dddf6d4b72f2799f0ff8f221b8a79728734264
- File size: 2,699,362 bytes
- File location: hxxp://nfe6.dyndns[.]ws/Nota.zip
- File description: Zip archive downloaded after clicking link in email

- SHA256 hash: 5b84585b8335d7f30f3891ab75d55c9caf67c40499a2297f01ade237d29f012c
- File size: 2,862,080 bytes
- File name: GHDJ-87678A-1A.msi
- File description: MSI file extracted from above zip archive

- SHA256 hash: d76dda172fd4cb6abf1edd258c34bc05eb457a13ecb1e4beeea1fbf7e74ddcf3
- File size: 18,900,737 bytes
- File location: hxxp://plugtree.duckdns[.]org/libwinpthread-1.css
- File description: Zip archive retrieved by above MSI file
- Note: This zip archive contains files used to run the Pidgin chat client for Windows, along with a malicious DLL run by pidgin.exe

- SHA256 hash: 32e13b3fcf43c37184b5b5eaca2a32ba24342260dea8514b19187f20cc417514
- File size: 809,772,783 bytes
- File name: libpurple.dll
- File description: malicious 32-bit DLL run by pidgin.exe

Note: The above DLL is padded with null bytes at the end of the file. At nearly 810 MB, it is too large to submit to VirusTotal or other online analysis tools. A carved version with most of the null bytes removed is listed below.

- SHA256 hash: e1ddfe00dd1ada634b965c9e444cbd52fa02770d7dd1c3c31949b5e52fff4049
- File size: 12,134,400 bytes
- File description: The above libpurple.dll file with most of the null bytes at the end of the file removed
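
The null padding on libpurple.dll is there to push the file past sandbox and scanner upload limits, and it also means the on-disk hash will not match the hash of any carved copy, so both hashes above are needed when matching. The Python below is an added example, not Unit42's tooling: it finds where the trailing run of 0x00 bytes starts by scanning a file backwards in chunks (so an 810 MB sample never has to be loaded into memory), writes the carved copy, and reports both SHA256 values. The `demo()` function builds a constructed stand-in (4 KiB of non-null bytes followed by about 2 MiB of nulls, not a real PE) because the sample itself is not on the page; the file names `padded.bin` and `carved.bin` are assumptions.

```python
from __future__ import annotations

import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size


def file_trim_point(path: str, chunk: int = CHUNK) -> int:
    """Offset where the trailing run of 0x00 bytes starts (== file size when there is none).

    Scans from the end of the file one chunk at a time, so the whole file is never read into memory.
    """
    end = os.path.getsize(path)
    with open(path, "rb") as f:
        while end > 0:
            start = max(0, end - chunk)
            f.seek(start)
            block = f.read(end - start)
            stripped = block.rstrip(b"\x00")
            if stripped:  # first non-null byte seen from the end lies in this chunk
                return start + len(stripped)
            end = start
    return 0  # file is entirely null bytes


def carve(src: str, dst: str, chunk: int = CHUNK) -> dict:
    """Write src minus its trailing null padding to dst; return sizes and SHA256 of both files."""
    cut = file_trim_point(src, chunk)
    h_orig, h_carved = hashlib.sha256(), hashlib.sha256()
    remaining = cut
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(chunk)
            if not block:
                break
            h_orig.update(block)  # hash of the padded original, the value to match against the list above
            if remaining > 0:
                part = block[:remaining]
                fout.write(part)
                h_carved.update(part)
                remaining -= len(part)
    size = os.path.getsize(src)
    return {
        "original_size": size,
        "carved_size": cut,
        "padding_bytes": size - cut,
        "sha256_original": h_orig.hexdigest(),
        "sha256_carved": h_carved.hexdigest(),
    }


def demo(workdir: str | None = None) -> dict:
    """Carve a constructed padded file and show that only the carved hash matches the real content."""
    # Constructed content: 4 KiB that is not a PE; it ends in 0xFF so nothing is over-trimmed.
    body = bytes(range(256)) * 16
    padding = b"\x00" * ((2 << 20) + 123)  # more than two chunks of nulls plus a partial one
    d = workdir or tempfile.mkdtemp()
    src, dst = os.path.join(d, "padded.bin"), os.path.join(d, "carved.bin")
    with open(src, "wb") as f:
        f.write(body + padding)
    report = carve(src, dst)
    report["sha256_body"] = hashlib.sha256(body).hexdigest()
    report["carved_trim_point"] = file_trim_point(dst)  # carving again changes nothing
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats when running this against a real sample. Stripping every trailing null will also remove zero bytes that belong to the last section of a legitimate image, and the list above says the published carved copy kept some of the padding, so the 12,134,400-byte cut and the e1ddfe… hash are not reproducible by this method; treat a carved file as something to analyse and submit, and keep the original size and hash as the indicators. If an exact cut matters, read the PE section table and cut at the end of the last section (or the overlay) instead of at the first non-null byte.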