2016-08-25 - BOLETO MALSPAM

ASSOCIATED FILES:

  • 2016-08-25-boleto-malspam-infection-traffic.pcap   (1,883,162 bytes)
  • 2016-08-25-boleto-malspam-artifacts-information.csv   (1,862 bytes)
  • 2016-08-25-boleto-malspam-emails.csv   (1,862 bytes)
  • 2016-08-25-0438-UTC-boleto-malspam.eml   (1,850 bytes)
  • 2016-08-25-0506-UTC-boleto-malspam.eml   (1,803 bytes)
  • 2016-08-25-0513-UTC-boleto-malspam.eml   (1,807 bytes)
  • 2016-08-25-0529-UTC-boleto-malspam.eml   (1,830 bytes)
  • 2016-08-25-0600-UTC-boleto-malspam.eml   (1,812 bytes)
  • 2016-08-25-0609-UTC-boleto-malspam.eml   (1,811 bytes)
  • 2016-08-25-0619-UTC-boleto-malspam.eml   (1,851 bytes)
  • 2016-08-25-0754-UTC-boleto-malspam.eml   (1,813 bytes)
  • 2016-08-25-0924-UTC-boleto-malspam.eml   (1,790 bytes)
  • 2016-08-25-1436-UTC-boleto-malspam.eml   (1,792 bytes)
  • 5vz1qq4k.o45.vbs   (7,775 bytes)
  • Ionic.Zip.Reduced.dll   (253,440 bytes)
  • PEAUNUTS-PC.aes   (16 bytes)
  • PEAUNUTS-PC.zip   (1,079,295 bytes)
  • PSEXESVC.exe   (189,792 bytes)
  • VCTO25082016aRkY5on8ngavKRcgtalgh2H2UEDGxnEi.vbs   (1,098 bytes)
  • aaaaaaaaaaaa.xml   (3,380 bytes)
  • dll.dll.exe   (396,480 bytes)
  • hrxbrrvy.2ol.vbs   (343 bytes)
  • tmp534E.tmp   (11,548 bytes)
  • tmpBEAE.tmpps1   (3,460 bytes)
  • tmpEAF.tmp   (11,548 bytes)

MY PREVIOUS DOCUMENTATION ON THIS CAMPAIGN:

EMAILS


Shown above:  Data from the spreadsheet (1 of 2).


Shown above:  Data from the spreadsheet (2 of 2).


Shown above:  Example of the emails.

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

EXAMPLES OF SUBJECT LINES:

DOMAINS FROM LINKS IN THE EMAILS:

TRAFFIC


Shown above:  Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.