2016-08-18 - BOLETO MALSPAM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-08-18-boleto-malspam-infection-traffic.pcap.zip   1.4 MB (1,393,752 bytes)

• 2016-08-18-boleto-malspam-infection-traffic.pcap   (1,913,618 bytes)

• ZIP archive of the CSV spreadsheets:  2016-08-18-boleto-malspam-spreadsheets.zip   2.7 kB (2,705 bytes)

• 2016-08-18-boleto-malspam-artifacts-information.csv   (1,764 bytes)
• 2016-08-18-boleto-malspam-emails.csv   (3,454 bytes)

• ZIP archive of the emails:  2016-08-18-boleto-malspam-emails.zip   23.6 kB (23,602 bytes)

• 2016-08-18-0056-UTC-boleto-malspam.eml   (1,847 bytes)
• 2016-08-18-0108-UTC-boleto-malspam.eml   (1,798 bytes)
• 2016-08-18-0114-UTC-boleto-malspam.eml   (1,826 bytes)
• 2016-08-18-0209-UTC-boleto-malspam.eml   (1,841 bytes)
• 2016-08-18-0245-UTC-boleto-malspam.eml   (1,834 bytes)
• 2016-08-18-0326-UTC-boleto-malspam.eml   (1,830 bytes)
• 2016-08-18-0416-UTC-boleto-malspam.eml   (1,830 bytes)
• 2016-08-18-0422-UTC-boleto-malspam.eml   (1,843 bytes)
• 2016-08-18-0508-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-18-0510-UTC-boleto-malspam.eml   (1,838 bytes)
• 2016-08-18-0759-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-18-0805-UTC-boleto-malspam.eml   (1,796 bytes)
• 2016-08-18-0853-UTC-boleto-malspam.eml   (1,806 bytes)
• 2016-08-18-1005-UTC-boleto-malspam.eml   (1,834 bytes)
• 2016-08-18-1625-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-18-1705-UTC-boleto-malspam.eml   (1,842 bytes)
• 2016-08-18-1828-UTC-boleto-malspam.eml   (1,854 bytes)

• ZIP archive of artifacts from the infected host:  2016-08-18-boleto-malspam-artifacts-from-infected-host.zip   1.4 MB (1,397,614 bytes)

• 17082016Ra7vwUMc2fXGHNJHgJHKymv120Y2yjk2s.vbs   (1,088 bytes)
• Ionic.Zip.Reduced.dll   (253,440 bytes)
• RABBIT-PC.aes   (16 bytes)
• RABBIT-PC.zip   (1,079,291 bytes)
• aaaaaaaaaaaa.xml   (3,370 bytes)
• dll.dll.exe   (396,480 bytes)
• kxqkvvlq.0ud.vbs   (7,775 bytes)
• tmp315F.tmp   (0 bytes)
• tmp315F.tmpps1   (3,440 bytes)
• tmp756E.tmp   (11,548 bytes)
• tmpAF34.tmp   (11,548 bytes)
• vt2itszs.jm3.vbs   (338 bytes)

 

EMAILS

Shown above:  Data from the spreadsheet (1 of 2).

 

Shown above:  Data from the spreadsheet (2 of 2).

 

Shown above:  Example of the emails.

 

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

• cobranca@contratocobrancas[.]top
• cobranca@entregaregistrada[.]top
• financeiro@louislittadvocacia[.]top
• financeiro@maxcobrancas[.]xyz
• financeiro@paybackcobrancas[.]top
• financeiro@pearsonhardman[.]xyz

 

EXAMPLES OF SUBJECT LINES:

• Boleto Bancario via eletronica - LLITT - URGENTE
• Boleto Bancario via eletronica - MAXCOB - URGENTE
• Boleto Bancario via eletronica - PAYBACK - URGENTE
• Boleto Bancario via eletronica - PH ADVOGADOS - URGENTE
• Boleto de Cobranca - ENTREGA - URGENTE
• Boleto de Cobranca - FIX - URGENTE

 

DOMAINS FROM LINKS IN THE EMAILS:

• contratocobrancas[.]top
• entregaanexo[.]top
• entregaexpress[.]top
• entregaregistrada[.]top
• envio[.]top
• envioregistrado[.]biz
• enviosistema[.]top
• jessicapearson[.]top
• pearsonhardman[.]top
• pearsonhardmanlitt[.]top
• sendbolfast[.]top

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cdnfiles.4shared[.]com - VBS file from download link in the malspam
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.txt
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/aw7.tiff
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.zip
• 65.181.113[.]187 port 80 - www.devyatinskiy[.]ru - HTTP callback traffic
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll.exe
• 65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)
• 198.105.244[.]228 port 443 - xxxxxxxxxxx.localdomain - Attempted TCP connections RST by server

• imestre.danagas[.]ru - Response 192.64.147[.]142 - no follow-up UDP or TCP connection
• imestre.noortakaful[.]top - No response
• imestre.waridtelecom[.]top - No response
• imestre.aduka[.]top - No response
• imestre.saltflowinc[.]top - No response
• imestre.moveoneinc[.]top - No response
• imestre.cheddarmcmelt[.]top - No response
• imestre.suzukiburgman[.]top - No response
• imestre.houselannister[.]top - response: 127.0.0.1
• xxxxxxxxxxx.localdomain - No response

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-08-18-boleto-malspam-infection-traffic.pcap.zip   1.4 MB (1,393,752 bytes)
• ZIP archive of the CSV spreadsheets:  2016-08-18-boleto-malspam-spreadsheets.zip   2.7 kB (2,705 bytes)
• ZIP archive of the emails:  2016-08-18-boleto-malspam-emails.zip   23.6 kB (23,602 bytes)
• ZIP archive of artifacts from the infected host:  2016-08-18-boleto-malspam-artifacts-from-infected-host.zip   1.4 MB (1,397,614 bytes)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

Click here to return to the main page.