Malware-Traffic-Analysis.net - 2016-08-25

2016-08-25 - BOLETO CAMPAIGN

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-08-25-Boleto-campaign-infection-traffic.pcap.zip 1.3 MB (1,298,503 bytes)

2016-08-25-Boleto-campaign-infection-traffic.pcap (1,883,162 bytes)

2016-08-25-Boleto-campaign-spreadsheets.zip 2.5 kB (2,456 bytes)

2016-08-25-Boleto-campaign-malware-and-artifacts-info.csv (1,862 bytes)

2016-08-25-Boleto-campaign-malspam.csv (1,862 bytes)

2016-08-25-Boleto-campaign-malspam.zip 13.9 kB (13,890 bytes)

2016-08-25-Boleto-malspam-0438-UTC.eml (1,850 bytes)

2016-08-25-Boleto-malspam-0506-UTC.eml (1,803 bytes)

2016-08-25-Boleto-malspam-0513-UTC.eml (1,807 bytes)

2016-08-25-Boleto-malspam-0529-UTC.eml (1,830 bytes)

2016-08-25-Boleto-malspam-0600-UTC.eml (1,812 bytes)

2016-08-25-Boleto-malspam-0609-UTC.eml (1,811 bytes)

2016-08-25-Boleto-malspam-0619-UTC.eml (1,851 bytes)

2016-08-25-Boleto-malspam-0754-UTC.eml (1,813 bytes)

2016-08-25-Boleto-malspam-0924-UTC.eml (1,790 bytes)

2016-08-25-Boleto-malspam-1436-UTC.eml (1,792 bytes)

2016-08-25-Boleto-campaign-malware-and-artifacts-from-infected-host.zip 1.5 MB (1,496,280 bytes)

5vz1qq4k.o45.vbs (7,775 bytes)

Ionic.Zip.Reduced.dll (253,440 bytes)

PEAUNUTS-PC.aes (16 bytes)

PEAUNUTS-PC.zip (1,079,295 bytes)

PSEXESVC.exe (189,792 bytes)

VCTO25082016aRkY5on8ngavKRcgtalgh2H2UEDGxnEi.vbs (1,098 bytes)

aaaaaaaaaaaa.xml (3,380 bytes)

dll.dll.exe (396,480 bytes)

hrxbrrvy.2ol.vbs (343 bytes)

tmp534E.tmp (11,548 bytes)

tmpBEAE.tmpps1 (3,460 bytes)

tmpEAF.tmp (11,548 bytes)

MY PREVIOUS DOCUMENTATION ON THIS CAMPAIGN:

2016-08-24 - Boleto campaign
2016-08-23 - Boleto campaign
2016-08-22 - Boleto campaign
2016-08-19 - Boleto campaign
2016-08-18 - Boleto campaign
2016-08-17 - Boleto campaign
2016-08-16 - Boleto campaign
2016-08-15 - Boleto campaign
2016-08-13 - Boleto campaign
2016-07-26 - Malspam hunt (one email at 2016-07-26 18:40 UTC)
2016-07-25 - Boleto campaign - Subject: Boleto de Cobranca - FIX - URGENTE

EMAILS

Shown above: Data from the spreadsheet (1 of 2).

Shown above: Data from the spreadsheet (2 of 2).

Shown above: Example of the emails.

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

cobranca@contratocobrancas[.]top
cobranca@entregaregistrada[.]top
financeiro@louislittadvocacia[.]top
financeiro@maxcobrancas[.]xyz
financeiro@paybackcobrancas[.]top

EXAMPLES OF SUBJECT LINES:

Boleto Bancario via eletronica - LLITT - URGENTE
Boleto Bancario via eletronica - MAXCOB - URGENTE
Boleto Bancario via eletronica - PAYBACK - URGENTE
Boleto de Cobranca - ENTREGA - URGENTE
Boleto de Cobranca - FIX - URGENTE

DOMAINS FROM LINKS IN THE EMAILS:

bolsender[.]top
contratocobrancas[.]top
entregaregistrada[.]top
envioanexado[.]top
enviogerenciado[.]top
envioregistrado.biz
senderbol[.]top

TRAFFIC

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

cdnfiles.4shared[.]com - VBS file from download link in the malspam
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.txt
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/aw7.tiff
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.zip
65.181.113[.]187 port 80 - www.devyatinskiy[.]ru - HTTP callback traffic
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll.exe
65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)

imestre.danagas[.]ru - Response 192.64.147[.]142 - no follow-up UDP or TCP connection
imestre.noortakaful[.]top - No response
imestre.waridtelecom[.]top - No response
imestre.aduka[.]top - No response
imestre.saltflowinc[.]top - No response
imestre.moveoneinc[.]top - No response
imestre.cheddarmcmelt[.]top - No response
imestre.suzukiburgman[.]top - No response
imestre.houselannister[.]top - response: 127.0.0[.]1
xxxxxxxxxxx.localdomain - No response

Click here to return to the main page.