2017-08-19 - BRAZIL MALSPAM PUSHES BANKING TROJAN - SUBJECT: AVISO DE INCLUSAO DE PROTESTO

ASSOCIATED FILES:

  • 2017-08-19-Boleto-malspam-traffic.pcap   (7,476,902 bytes)
  • 2017-08-19-Boleto-malspam-traffic.saz   (4,066,895 bytes)
  • 2017-08-18-Boleto-malspam-1953-UTC.eml   (1,365 bytes)
  • 2xmsnQhrfv30kvk.dll   (2,857,872 bytes)
  • BolProa000121594984151521000.exe   (1,389,680 bytes)
  • BolProa000121594984151521000.zip   (1,331,113 bytes)

 

NOTES:

 

EMAIL

EMAIL INFORMATION:

Date:  Friday, 2017-08-18 at 19:53 UTC
From:  [spoofed as recipient's email address]
Subject:  Aviso de Inclusao De Protesto  - [ 91046614  ]
Google translation of subject:  Notice of Prohibition Inclusion  - [ 91046614  ]
Link from the email:  hxxps://goo.gl/vRbyXM

 

MESSAGE TEXT:

Estimado Cliente(a),

Estou encaminhando para conhecimento a inclusão do protesto em cartório do boleto aqui especificado.

Boleto_PDF Visualizar Boleto

Este email foi escaneado pelo Avast antivirus.

 

GOOGLE TRANSLATION OF MESSAGE TEXT:

Dear Customer,

I am referring to the inclusion of the protest in the ticket office of the ticket specified here.

Boleto_PDF View Boleto

This email was scanned by Avast antivirus.

 


Shown above:  Screenshot from the email.

 


Shown above:  Malicious zip archive after clicking link from the malspam.

 


Shown above:  Extracted malware from the zip archive.

 

TRAFFIC


Shown above:  Fiddler recording of the traffic.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 

URLS FROM THE INFECTION TRAFFIC:

 

FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

EXTRACTED BINARY FROM ZIP ARCHIVE:

MALWARE RETRIEVED FROM THE INFECTED HOST:

WINDOWS REGISTRY UPDATE

 

IMAGES


Shown above:  Malware persistent on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.