Created 2020-10-05-IOCs-from-AZORult-infection.txt

PaloAltoNetworks · Aug 29, 2023 · 1e4a5be · 1e4a5be
1 parent 8d3d776
commit 1e4a5be
Showing 1 changed file with 69 additions and 0 deletions.
diff --git a/2020-10-05-IOCs-from-AZORult-infection.txt b/2020-10-05-IOCs-from-AZORult-infection.txt
@@ -0,0 +1,69 @@
+2020-10-05 (MONDAY) - MALSPAM WITH XLS ATTACHMENT PUSHES AZORULT MALWARE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1313545578803011595
+
+EMAIL HEADERS:
+
+Return-Path: <[email protected]>
+Authentication-Results: [removed]; iprev=pass policy.iprev="203.78.160.41"; spf=neutral
+  smtp.mailfrom="[email protected]" smtp.helo="mx2.info.com.np"; dkim=none
+  (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=infoclub.com.np
+Received: from [203.78.160.41] ([203.78.160.41:42046] helo=mx2.info.com.np)
+	by [removed] (envelope-from <[email protected]>)
+	[removed] ; Mon, 05 Oct 2020 10:21:53 -0400
+Received: from localhost (localhost [127.0.0.1])
+	by mx2.info.com.np (Postfix) with ESMTP id 9D004C010EEDA;
+	Mon,  5 Oct 2020 20:05:27 +0545 (+0545)
+Received: from mx2.info.com.np ([127.0.0.1])
+	by localhost (mx2.info.com.np [127.0.0.1]) (amavisd-new, port 10032)
+	with ESMTP id NxFAiUUDPfZM; Mon,  5 Oct 2020 20:05:26 +0545 (+0545)
+Received: from localhost (localhost [127.0.0.1])
+	by mx2.info.com.np (Postfix) with ESMTP id B3A6BC01205B7;
+	Mon,  5 Oct 2020 20:05:25 +0545 (+0545)
+Received: from mx2.info.com.np ([127.0.0.1])
+	by localhost (mx2.info.com.np [127.0.0.1]) (amavisd-new, port 10026)
+	with ESMTP id 2Hz7ajN5BfmV; Mon,  5 Oct 2020 20:05:25 +0545 (+0545)
+Received: from mx2.info.com.np (mx2.info.com.np [203.78.160.41])
+	by mx2.info.com.np (Postfix) with ESMTP id B1E23C010EED6;
+	Mon,  5 Oct 2020 20:05:23 +0545 (+0545)
+Date: Mon, 5 Oct 2020 20:05:23 +0545 (NPT)
+From: [email protected]
+Message-ID: <[email protected]>
+In-Reply-To: <[email protected]>
+Subject: Order confirmation
+MIME-Version: 1.0
+Content-Type: multipart/mixed; 
+	boundary="----=_Part_5684_151580814.1601907623466"
+X-Mailer: Zimbra 8.6.0_GA_1153 (ZimbraWebClient - FF81 (Win)/8.6.0_GA_1153)
+Thread-Topic: Order confirmation
+Thread-Index: 2VBCTeFcpKsqezW/qovDHEXVLMew2cAVOyZvAX/6jocf2g0v5XT0r/qLX4VEbQbMwFb9VbHuNr30
+
+Attachment name: 0617773.xls
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: 024512629393c80c1434eb25694c9f1e65d813cd3c273c6d97572ec62d8ad655
+- File size: 462848 bytes
+- File name: 0617773.xls
+- File description: Excel spreadsheet with macro for AZORult malware
+
+- SHA256 hash: b2fe9bcc932ea65ec98318fd983e862172123cab111e728d97c23258749521c7
+- File size: 308,736 bytes
+- File location: hxxp://192.236.178[.]80/7z/0617773.jpg
+- File location: C:\Users\Public\whpfwkrul.exe  (initial location)
+- File location: C:\Users\[username]\chrmo.exe  (persistent location)
+- File description: Windows EXE for AZORult
+
+MALWARE PERSISTENCE (REGISTRY UPDATE):
+
+- Registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+- Value name: nspj
+- Value type: REG_SZ
+- Value data: C:\WINDOWS\system32\pcalua.exe -a C:\Users\[username]\chrmo.exe
+
+INFECTION TRAFFIC:
+
+- 192.236.178[.]80 port 80 - 192.236.178[.]80 - GET/7z/0617773.jpg
+- 198.50.160[.]198 port 80 - books.myscriptcase[.]com - POST /index.php