2017-04-21 - USPS-THEMED MALSPAM CHANGES TO PARKING SERVICE MALSPAM

ASSOCIATED FILES:

BACKGROUND ON THIS CAMPAIGN:

NOTES FOR TODAY:


IMAGES


EMAILS

DATE/TIME:  Friday 2017-04-21 as early as 14:49 UTC through at least 17:55 UTC

SUBJECT:  Report-ID: [recipient's email address] 21/04/2017

SENDING EMAIL EXAMPLES (ALL SPOOFED):


TRAFFIC

EXAMPLES OF LINKS FROM THE EMAILS:

REDIRECT FROM THE EMAIL LINKS:

FAKE PARKING SERVICES SITE:

PARTIAL URLS FROM THE EXTRACTED .JS FILES FOR FOLLOWUP MALWARE:


FILE HASHES

FAKE INVOICES:

SHA256 hash:  20e6c812f7d8688c9ccb24cc4e9c0fa2b71f1770f38b5571a60043043d4b4ac5
File name:  Invoice.js (1st run)
Analysis at:  https://www.reverse.it/sample/20e6c812f7d8688c9ccb24cc4e9c0fa2b71f1770f38b5571a60043043d4b4ac5?environmentId=100

SHA256 hash:  6ad0e26e0423838df19f00e178e47a1b65395b2b68055ecb07a99613208cc684
File name:  Invoice.js (2nd run)
Analysis at:  https://www.reverse.it/sample/6ad0e26e0423838df19f00e178e47a1b65395b2b68055ecb07a99613208cc684?environmentId=100

FOLLOW-UP MALWARE:

SHA256 hash:  545e3817ddeafd7b8406c1de57d6ea794629bf615f22c0ed18bf88c16e2d292d
File name:  exe1.exe (1st run)
File description:  Zeus Panda Banker (KINS)

SHA256 hash:  03974017388c6085175f111ee26c3833448b0551acf11063a13a916a75844321
File name:  exe2.exe (1st run)
File description:  Kovter

SHA256 hash:  1a7fbc76c3881cd9dcf292db25790a9aba6bf677308f9ea1b8f252657bc9c16c
File name:  exe3.exe (1st run)
File description:  Smoke Loader

SHA256 hash:  a4916151059e5f4065f1fb230f06205d1c9cddc5c779984b108e77a22e7c32e9
File name:  exe1.exe (2nd run)
File description:  Zeus Panda Banker (KINS)

SHA256 hash:  b1da6f66bf8049e58f17862ea5ca30bf27054ebb132e6360a68083bab640b70f
File name:  exe2.exe (2nd run)
File description:  Kovter

SHA256 hash:  08c462be614f6ac81cf78a59f254737beabb5c2abddc5b4bf6436e7d105c204a
File name:  exe3.exe (2nd run)
File description:  Smoke Loader


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.