2019-02-22 - MALSPAM WITH WORD DOCS PUSHING VIDAR

Update: My infected Windows host showed signs of infection with Gandcrab 5.2, but this is a Vidar infection.  I never found a binary for Gandcrab ransomware on my infected Windows host.  See the notes section below.

ASSOCIATED FILES:

  • 2019-02-22-infection-traffic-from-malspam-pushing-Vidar.pcap   (4,204,649 bytes)
  • malicious-word-docs/Info_Heather_Tamse.doc   (70,656 bytes)
  • malicious-word-docs/Info_Oleksiy_Shapovalov.doc   (70,656 bytes)
  • malicious-word-docs/Info_Sharon_Gough.doc   (70,144 bytes)
  • malicious-word-docs/Info_Tran_Nguyen.doc   (70,656 bytes)
  • malicious-word-docs/Info_Troy_Yochelson.doc   (69,632 bytes)
  • malicious-word-docs/Inquiry_Brian_Roberts.doc   (69,120 bytes)
  • malicious-word-docs/Report_Gould,_Carolyn.doc   (70,656 bytes)
  • malicious-word-docs/Report_Michael_Kaba.doc   (70,144 bytes)
  • malicious-word-docs/Request_Beatriz_Márquez.doc   (70,144 bytes)
  • malicious-word-docs/Request_Stinson,_Lisa.doc   (69,632 bytes)
  • malware-and-artifacts/2019-02-22-c2.bin.txt   (409 bytes)
  • malware-and-artifacts/2019-02-22-Gandcrab-ransomware-decyrption-instructions.txt   (2,954 bytes)
  • malware-and-artifacts/2019-02-22-script-from-Pastebin.txt   (233,220 bytes)
  • malware-and-artifacts/2019-02-22-v2.bin.exe   (1,159,168 bytes)
  • not-inherently-malicious/2019-02-22-freebl3.dll   (334,288 bytes)
  • not-inherently-malicious/2019-02-22-mozglue.dll   (137,168 bytes)
  • not-inherently-malicious/2019-02-22-msvcp140.dll   (440,120 bytes)
  • not-inherently-malicious/2019-02-22-nss3.dll   (1,246,160 bytes)
  • not-inherently-malicious/2019-02-22-softokn3.dll   (144,848 bytes)
  • not-inherently-malicious/2019-02-22-vcruntime140.dll   (83,784 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:

 

WORD DOCUMENT EXAMPLE


Shown above:  Example of the Word docs from the malspam.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

INFECTION TRAFFIC:

 

MALWARE

INITIAL WORD DOCS (SHA256 HASH - SIZE - FILE NAME):

MALWARE BINARY:

 

NON-MALICIOUS DLL FILES RETRIEVED FROM YOURSEO.AC[.]UG DURING THE INFECTION:

 

IMAGES


Shown above:  Desktop of an infected Windows host shows a Gandcrab ransomware infection, but I didn't find a Gandcrab binary on the infected host.

 


Shown above:  Gandcrab ransomware decryption instructions.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
