2016-07-25 - BOLETO MALSPAM - SUBJECT: BOLETO DE COBRANCA - FIX - URGENTE

ASSOCIATED FILES:

  • 2016-07-25-boleto-malspam-traffic-from-malware.pcap   (1,311,600 bytes)
  • 2016-07-25-boleto-malspam.eml   (1,458 bytes)
  • VENC25072016axZ5MUdyYrNCCIIins5Chept7INWARCL.vbs   (1,104 bytes)

NOTES:

 

EMAIL


Shown above:  Screenshot of the email.

 


Shown above:  Some headers from the email.

 


Shown above:  .vbs file hosted on 4shared.com.

 


Shown above:  A pop-up window that appears at some point after running the .vbs file.

 

TRAFFIC


Shown above:  Traffic from the second pcap filtered in Wireshark.
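Added example, not part of the original post and not a script from the post's author: a dependency-free Python reader that walks a classic libpcap file and lists the DNS query names and HTTP Host headers/URLs, the same fields a Wireshark "dns or http.request" filter shows and the raw material for a domain list.  The host name, path, MAC/IP addresses and timestamps in the embedded sample capture are constructed so the script runs offline; point it at 2016-07-25-boleto-malspam-traffic-from-malware.pcap to get the real list.

```python
# Added example (not from the original post): dependency-free extraction of DNS
# query names and HTTP Host/URL indicators from a classic libpcap file.
# Usage: python pcap_indicators.py 2016-07-25-boleto-malspam-traffic-from-malware.pcap
# With no argument it runs against the constructed SAMPLE_PCAP built below.
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = b"\x08\x00"
# pcap magic -> struct byte order (microsecond and nanosecond variants)
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}


def _dns_qname(msg: bytes) -> Optional[str]:
    """Return the first question name of a DNS query; None for responses or junk."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", msg, 2)
    if flags & 0x8000 or qdcount == 0:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(msg):
        ln = msg[pos]
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointer inside a question: treat as malformed
            return None
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    return ".".join(labels) if labels else None


def _http_request_info(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (host, path) when a TCP segment begins an HTTP request."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip(), parts[1]
    return None


def _dedup(seq: List[str]) -> List[str]:
    return list(dict.fromkeys(seq))  # drop repeats, keep first-seen order


def extract_indicators(pcap: bytes) -> Dict[str, List[str]]:
    """Walk every Ethernet/IPv4 frame and collect DNS queries and HTTP requests."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng? convert with editcap -F pcap)")
    endian = PCAP_MAGICS[magic]
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    dns, hosts, urls = [], [], []
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        if proto == 17 and len(l4) >= 8 and struct.unpack_from("!H", l4, 2)[0] == 53:
            name = _dns_qname(l4[8:])
            if name:
                dns.append(name)
        elif proto == 6 and len(l4) >= 20:
            info = _http_request_info(l4[(l4[12] >> 4) * 4:])
            if info:
                host, path = info
                hosts.append(host)
                urls.append(f"http://{host}{path}")
    return {"dns_queries": _dedup(dns), "http_hosts": _dedup(hosts), "http_urls": _dedup(urls)}


# --- constructed sample capture (not real traffic) so the script runs offline ---
def _ipv4_frame(proto: int, payload: bytes) -> bytes:
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     b"\xc0\xa8\x01\x64", b"\xc0\xa8\x01\x01")  # checksum left at 0
    return eth + ip + payload


def _dns_query_frame(name: str) -> bytes:
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return _ipv4_frame(17, struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns)


def _http_get_frame(host: str, path: str) -> bytes:
    body = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/4.0\r\n\r\n".encode()
    return _ipv4_frame(6, struct.pack("!HHIIBBHHH", 50001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + body)


def _pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1469404800 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _dns_query_frame("files.example.net"),                       # constructed host name
    _http_get_frame("files.example.net", "/download/update.vbs"),  # constructed path
    _dns_query_frame("files.example.net"),                       # repeat, to show de-duplication
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key, values in extract_indicators(data).items():
        print(key)
        for v in values:
            print("   ", v)
```

The reader handles the classic pcap format only; Wireshark saves pcapng by default, so convert first with editcap -F pcap in.pcapng out.pcap.  The HTTP pass only looks at segments that begin a request, so a request split across segments, or anything carried over HTTPS, will not appear there; collecting the DNS queries alongside is what catches those hosts.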

 

SOME OF THE DOMAINS:

 

ARTIFACTS ON THE INFECTED HOST

SOME ARTIFACTS SEEN ON THE INFECTED HOST:


Shown above:  The SYS[hostname].exe file that persists on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
