2017-07-12 - BRAZIL MALSPAM - SUBJECT: ULTIMO AVISO DA 2a VIA BOLETO EM ATRASO

ASSOCIATED FILES:

  • 2017-07-12-Brazil-boleto-malspam-traffic.pcap   (7,857,287 bytes)
  • 2017-07-12-malspam-1555-UTC.eml   (681 bytes)
  • HInteW.exe   (1,011,200 bytes)
  • Imprimir_Via2.com   (2,990,080 bytes)
  • Imprimir_Via2.zip   (1,077,419 bytes)
  • Struct.dll   (5,004,288 bytes)
  • hP0EFY6CTgqU60MWLaSZFQ.png   (35,932 bytes)
  • oct.dll   (21 bytes)
  • readme.txt   (613 bytes)

EMAIL

EMAIL HEADER INFO:



Shown above:  Screenshot from the email.



Shown above:  Malicious zip archive and extracted binary after clicking link from the malspam.


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.


ASSOCIATED DOMAINS AND URLS:


FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

EXTRACTED BINARY FROM ZIP ARCHIVE:

MALWARE RETRIEVED FROM THE INFECTED HOST:


IMAGES


Shown above:  Artifacts left on the infected host.



Shown above:  oct.dll is a very small text file.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.