2017-11-28 - PAYMENT SLIP MALSPAM

ASSOCIATED FILES:

IMAGES

INDICATORS

EMAILS:

- Date: Tuesday, 2017-11-28 at 15:43 UTC
- Received: from smtp216t.alice.it ([82.57.200.96])
- From: "Carol Burnham" 
- Subject: Re: Payment Slip

- Date: Tuesday, 2017-11-28 at 16:23 UTC
- Received: from smtp214t.alice.it ([82.57.200.92])
- From: "Carol Burnham" 
- Subject: Re: Payment Slip

LINK IN THE EMAILS:

- hxxps://www.mediafire[.]com/file/r69l4qkaahm40f6/Payment%20Slip_ID_B03185.zip

POST-INFECTION TRAFFIC:

- 95.141.43.196 port 610 - oamentyga.duckdns.org - TCP traffic caused by Revenge RAT
- 95.141.43.196 port 1472 - oamentyga.duckdns.org - TCP traffic caused by Luminosity RAT
- port 80 - whatismyipaddress.com - IP address check by Predator Pain malware
- port 587 - smtp.inda.com - TLS email traffic caused by Predator Pain malware

MALWARE:

- SHA256 hash: 53e3cbff1c04746f5ad385962cc4df7d8b132ccbb02a848f9aa0c16f2f1e1feb
- File size: 233,506 bytes
- File name: Payment Slip_ID_B03185.zip
- File description: Password-protected zip archive downloaded from link in the malspam (password: Y2vQ9Bx)

- SHA256 hash: f3e6b995f18db127f03f5e6afe4c745086e0b8a83d9f381cc4541486e35e47c5
- File size: 353,051 bytes
- File name: Payment Slip_ID_B03185.scr
- File description: A malware downloader extracted from the above zip archive

- SHA256 hash: 142c6c638938cac678673a8ee85cb5b0b5e50702761221a5f3102697fb09ea11
- File size: 30,577 bytes
- File name: Payment Details_ID_B07185.pdf
- File description: Decoy PDF document displayed while the malware infects the victim's host (the PDF itself is not malicious)

- SHA256 hash: 766995f34c80eb0823cb61808f69c6cd26c791f329981190943c96cb508bc9a7
- File size: 659,456 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\2011
- File location: C:\Users\[username]\AppData\Local\Temp\9258.tmp.exee
- File location: C:\Users\[username]\AppData\Roaming\Y.exe
- File description: Predator Pain/Hawkeye (detected by MSE as MSIL/Golroted.A)

- SHA256 hash: f714539bb5aec24d47180453c156a822cfeaed1ab94a2b847f434443c3f4365a
- File size: 195,584 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\4881
- File location: C:\Users\[username]\AppData\Local\Temp\7140
- File location: C:\Users\[username]\AppData\Local\Temp\wm.exe
- File location: C:\Users\[username]\AppData\Roaming\tUMsK.exe
- File location: C:\Users\[username]\AppData\Roaming\Win.exe
- File description: Revenge RAT

- SHA256 hash: fa1ced1545b7eaf4e7e43608b37d3a6be714c2f61e512f62eeb2c345833b7ee7
- File size: 523,776 bytes
- File location: C:\ProgramData\748152\Windows.exe
- File location: C:\Users\[username]\AppData\Local\Temp\84488699.tmp.exe
- File location: C:\Users\[username]\AppData\Local\Temp\8551
- File location: C:\Users\[username]\AppData\Local\Temp\win.exe
- File location: C:\Users\[username]\AppData\Roaming\QrbbGtzO.exe
- File description: Luminosity Link RAT

FINAL NOTES

Once again, here are the associated files:

Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
