2015-09-23 - BARTALEX MALSPAM SENDS PONY AND VAWTRAK

PCAP AND MALWARE:

 

NOTES:

 

EXAMPLE OF THE MALSPAM

SCREEN SHOT OF THE MALSPAM:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

INFECTION TRAFFIC:

 

SNORT EVENTS

Some of the signature hits from the Emerging Threats (open) and ETPRO rulesets, as seen in Sguil on Security Onion:

 

PRELIMINARY MALWARE ANALYSIS

WORD DOCUMENT (ATTACHMENT FROM THE MALSPAM):

File name:  price_list.doc
File size:  58.0 KB ( 59392 bytes )
MD5 hash:  facec082a3cffddc43e668a3080487f5
SHA1 hash:  7888f662d9b16b480f5e65bdbdbf4e94e1afbe4a
SHA256 hash:  120d5320a59a86f9b3e0774609a3f0773d76a7d66689525a023bee7f8666f2eb
Detection ratio:  7 / 56
First submission:  2015-09-23 14:10:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/120d5320a59a86f9b3e0774609a3f0773d76a7d66689525a023bee7f8666f2eb/analysis/
Malwr link:  https://malwr.com/analysis/YmQ0MGFkZGI3NzkyNDkyYWIxM2EyZjFlNTM5NDMyNjk/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/120d5320a59a86f9b3e0774609a3f0773d76a7d66689525a023bee7f8666f2eb?environmentId=1

 

PONY (DOWNLOADED BY THE WORD DOCUMENT):

File name:  s1.exe
File size:  245.5 KB ( 251392 bytes )
MD5 hash:  6740944268a22221d0068dc44980dfcb
SHA1 hash:  3f2f3d1956c78a86062b367d298a154e4d755487
SHA256 hash:  c1afb96d2a3b436444313fde02d103ff86f9b68d7e2ca3151b64cb7caa3696cd
Detection ratio:  0 / 56
First submission:  2015-09-23 14:15:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c1afb96d2a3b436444313fde02d103ff86f9b68d7e2ca3151b64cb7caa3696cd/analysis/
Malwr link:  https://malwr.com/analysis/Njg1NzJjYzM4Y2E5NGY1ODg3YzM0OWUxZGI4ODU2ZWI/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/c1afb96d2a3b436444313fde02d103ff86f9b68d7e2ca3151b64cb7caa3696cd?environmentId=4

 

VAWTRAK (DOWNLOADED BY THE PONY MALWARE):

File name:  k1.exe
File size:  329.0 KB ( 336896 bytes )
MD5 hash:  9f2273b3ff941ecebe9b04b7ce0a88a6
SHA1 hash:  ddc86574dda8f072aeceaf48f01507f7095ded50
SHA256 hash:  4d47396e1e9c7538c59da8b5574fb8f208154cdfc6590e33b74b7e9feada7584
Detection ratio:  2 / 56
First submission:  2015-09-23 14:18:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4d47396e1e9c7538c59da8b5574fb8f208154cdfc6590e33b74b7e9feada7584/analysis/
Malwr link:  https://malwr.com/analysis/Yzc2MmZmZDc3NzgwNDU3ZjgzYmY5NTUyMzc1YjA0ZTU/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/4d47396e1e9c7538c59da8b5574fb8f208154cdfc6590e33b74b7e9feada7584?environmentId=2
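The three hash listings above are the indicators most people will actually use from this post. Below is an added example, not code from the original post, that takes those listed hashes and sizes and matches files on disk against them. The directory-walking front end and the strong/weak/inconsistent labelling are this example's own design, not something the post describes; the role descriptions in the table are taken from the headings above.

```python
"""Match files on disk against the three samples listed above.

Added example, not part of the original malware-traffic-analysis.net post.
The hashes and sizes are the ones listed in the analysis section; the
directory-walking front end and the strong/weak distinction are this
example's own design (assumption: you keep extracted samples in a folder).
"""
import hashlib
import os
import sys
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    role: str
    size: int
    md5: str
    sha1: str
    sha256: str


# Indicators copied from the hash listings in this post.
SAMPLES = (
    Sample("price_list.doc", "Word document from the malspam", 59392,
           "facec082a3cffddc43e668a3080487f5",
           "7888f662d9b16b480f5e65bdbdbf4e94e1afbe4a",
           "120d5320a59a86f9b3e0774609a3f0773d76a7d66689525a023bee7f8666f2eb"),
    Sample("s1.exe", "Pony, downloaded by the Word document", 251392,
           "6740944268a22221d0068dc44980dfcb",
           "3f2f3d1956c78a86062b367d298a154e4d755487",
           "c1afb96d2a3b436444313fde02d103ff86f9b68d7e2ca3151b64cb7caa3696cd"),
    Sample("k1.exe", "Vawtrak, downloaded by Pony", 336896,
           "9f2273b3ff941ecebe9b04b7ce0a88a6",
           "ddc86574dda8f072aeceaf48f01507f7095ded50",
           "4d47396e1e9c7538c59da8b5574fb8f208154cdfc6590e33b74b7e9feada7584"),
)
BY_SHA256 = {s.sha256: s for s in SAMPLES}
BY_SHA1 = {s.sha1: s for s in SAMPLES}
BY_MD5 = {s.md5: s for s in SAMPLES}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Stream a file through all three digests so large samples stay cheap."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def classify(digests: Dict[str, str], size: Optional[int] = None) -> Optional[Tuple[Sample, str]]:
    """Map a digest set to a known sample.

    A SHA-256 hit is a "strong" match. An MD5 or SHA-1 hit without a
    SHA-256 hit is only "weak": both algorithms have practical collision
    attacks, so treat it as a lead to verify, not as an identification.
    A size mismatch on a SHA-256 hit means the IOC data itself is wrong
    and is reported as "inconsistent" rather than silently trusted.
    """
    hit = BY_SHA256.get(digests.get("sha256", ""))
    if hit is not None:
        if size is not None and size != hit.size:
            return hit, "inconsistent"
        return hit, "strong"
    weak = BY_SHA1.get(digests.get("sha1", "")) or BY_MD5.get(digests.get("md5", ""))
    if weak is not None:
        return weak, "weak"
    return None


def scan_directory(root: str) -> Iterator[Tuple[str, Sample, str]]:
    """Yield (path, sample, strength) for every file under root that matches."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                result = classify(hash_file(path), os.path.getsize(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if result is not None:
                yield (path,) + result


if __name__ == "__main__":
    for path, sample, strength in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{strength:12} {path} -> {sample.name} ({sample.role})")
```

Run it with the folder you extracted the malware ZIP into as the only argument. Matching on SHA-256 first is deliberate: the MD5 and SHA-1 values are listed for convenience and for tools that only index those, but on their own they should only ever raise a "go check this" flag.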

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
