2017-03-22 - PORTUGUESE INVOICE MALSPAM

ASSOCIATED FILES:

  • 2017-03-22-Portuguese-invoice-malspam-traffic.pcap   (9,499,306 bytes)
  • ZIP archive of the emails:  2017-03-22-Portuguese-invoice-malspam-examples.zip   3.9 kB (3,942 bytes)
    • 2017-03-22-NF-e-malspam-0152-UTC.eml   (2,235 bytes)
    • 2017-03-22-NF-e-malspam-1404-UTC.eml   (2,259 bytes)
    • 2017-03-22-NF-e-malspam-1508-UTC.eml   (2,257 bytes)

     

    EMAILS


    Shown above:  An example of the emails.

     

    SUBJECT LINES:

     

    TRAFFIC


    Shown above:  Pcap of the infection traffic filtered in Wireshark.

     

    DOWNLOAD URLS FROM THE EMAILS:

    INFECTION ATTEMPT:

     

    FILE HASHES

    DOWNLOADED ZIP ARCHIVE FROM LINK IN THE EMAIL:

    EXTRACTED MALWARE:

    FOLLOW-UP DOWNLOAD ON INFECTED HOST:
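The triage steps this write-up walks through (pull the subject line and download URL out of each .eml, then hash what the link delivers without running it) as an added Python example; this is not code from the original page, and the message text, the archive, its member names and the URL are constructed test data, not the real campaign artifacts.

```python
"""Malspam triage helper: extract subject lines and download URLs from .eml
files, defang the URLs for reporting, and hash every member of the
downloaded ZIP in memory without extracting or executing anything.

Added example for this write-up, not code from the original page; the
message, the archive and every name/URL below are constructed test data.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy

# Constructed sample message (not one of the real 2017-03-22 emails).
SAMPLE_EML = b"""\
From: Faturamento <cobranca@example.invalid>
To: victim@example.invalid
Subject: NF-e 0000123456 - Nota Fiscal Eletronica
Date: Wed, 22 Mar 2017 01:52:00 +0000
Content-Type: text/plain; charset="utf-8"

Segue a NF-e referente ao seu pedido.
Acesse: http://malspam.example.invalid/nfe/NF-e_0000123456.zip
Atenciosamente,
Financeiro
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def parse_eml(raw: bytes) -> dict:
    """Return sender, subject, date and the de-duplicated URLs in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "urls": urls,
    }


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: hxxp://host[.]tld/..."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def hash_zip_members(data: bytes, pwd=None) -> list:
    """SHA256 each file inside a ZIP held in memory; nothing touches disk.

    pwd handles password-protected sample archives such as the ones this
    site distributes (the password itself is on the site's "about" page).
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info, pwd=pwd)
            results.append({
                "name": info.filename,
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
                # A Windows executable starts with the "MZ" DOS stub; a hit
                # on a file named like a document is the double-extension trick.
                "looks_like_pe": payload[:2] == b"MZ",
            })
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive the email link delivers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # fake PE: DOS header magic followed by filler, NOT a real binary
        zf.writestr("NF-e_0000123456.pdf.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("leia-me.txt", b"abc")
    return buf.getvalue()


def triage(raw_eml: bytes, archive: bytes) -> dict:
    """One-shot summary: where the mail points, and what the archive holds."""
    info = parse_eml(raw_eml)
    info["urls_defanged"] = [defang(u) for u in info["urls"]]
    info["archive"] = hash_zip_members(archive)
    return info


if __name__ == "__main__":
    summary = triage(SAMPLE_EML, build_sample_zip())
    print("Subject :", summary["subject"])
    for u in summary["urls_defanged"]:
        print("URL     :", u)
    for m in summary["archive"]:
        flag = "  <-- PE header" if m["looks_like_pe"] else ""
        print(f"{m['sha256']}  {m['size']:>8}  {m['name']}{flag}")
```

Run it against the three .eml files from the ZIP above by replacing SAMPLE_EML with the file bytes; the archive is read from a BytesIO so a downloaded sample can be hashed straight from a requests/curl buffer without ever landing in a directory the host might execute from.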

     

    IMAGES


    Shown above:  Malware from the link in the email.

     


    Shown above:  Malware seen on the infected host.

     

    FINAL NOTES

    Once again, here are the associated files:

      • 2017-03-22-Portuguese-invoice-malspam-traffic.pcap   (9,499,306 bytes)
      • ZIP archive of the emails:  2017-03-22-Portuguese-invoice-malspam-examples.zip   3.9 kB (3,942 bytes)
        • 2017-03-22-NF-e-malspam-0152-UTC.eml   (2,235 bytes)
        • 2017-03-22-NF-e-malspam-1404-UTC.eml   (2,259 bytes)
        • 2017-03-22-NF-e-malspam-1508-UTC.eml   (2,257 bytes)

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
