2017-08-28 - BOLETO MALSPAM - SUBJ: ENVIO DE BOLETO - URGENTE - GRUPO FREITAS

ASSOCIATED FILES:

  • 2017-08-28-Boleto-malspam-traffic.pcap   (3,645,873 bytes)
  • 1508201700016067882247230289631.pdf   (49,198 bytes)
  • 2017-08-28-Boleto-malspam-0629-UTC.eml   (68,408 bytes)
  • 2017-08-28-sched-task-for-persistence.txt   (3,376 bytes)
  • 2308201700026174031337009631980.vbs   (4,912 bytes)

NOTES:

EMAIL


Shown above: Screenshot of the email.

EMAIL HEADERS:


Shown above: Link seen in the PDF attachment.

TRAFFIC


Shown above: Traffic from this infection filtered in Wireshark.

TRAFFIC SEEN USING LINK FROM THE EMAIL:

TRAFFIC SEEN USING LINK FROM THE ATTACHED PDF FILE:

ASSOCIATED DOMAINS AND POST-INFECTION TRAFFIC:

FILE HASHES

PDF ATTACHMENT:

DOWNLOADED VBS FILE:

IMAGES


Shown above: Some of the unencrypted IRC traffic noted over TCP port 443.

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.