2018-04-02 - QUICK POST: NECURS BOTNET MALSPAM PUSHES QUANTLOADER AND FOLLOW-UP MALWARE

ASSOCIATED FILES:

NOTES:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

IMAGES

Shown above:  Format error seen in emails from this wave of malspam.

Shown above:  SMB traffic from the extracted .url file to retrieve a .js file (filtered in Wireshark).

Shown above:  Saw 80 .js files from that server over SMB.
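The two SMB captions above describe an extracted .url shortcut whose target was pulled from a remote server over SMB. As an added example (not code from the original post, and not tied to any indicator from this wave), the following Python parses an Internet Shortcut file and flags any URL, IconFile or WorkingDirectory value that resolves to a remote UNC path or file:// host, and additionally notes when the target carries a script extension such as .js. The choice of those three keys and the script-extension list are assumptions; both sample files are constructed and use the 192.0.2.0/24 documentation range.

```python
"""Flag Internet Shortcut (.url) files whose targets point at a remote SMB share.

Added example, not from the original post. Sample contents below are
constructed and use the 192.0.2.0/24 documentation range, not real hosts.
"""
import configparser
from urllib.parse import urlparse, unquote

# .url keys whose value Windows resolves as a path when the shortcut is
# rendered or opened (assumption: these are the ones worth checking here).
PATH_KEYS = ("URL", "IconFile", "WorkingDirectory")
# Assumed list of extensions a defender would treat as script payloads.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def parse_url_file(text):
    """Return the [InternetShortcut] key/value pairs with key case preserved."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep 'URL' / 'IconFile' as written, do not lowercase
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}


def remote_smb_target(value):
    """If value is a UNC path or file:// URL naming a remote host, return (host, path)."""
    v = value.strip()
    if v.startswith("\\\\"):                       # \\host\share\file
        host, _, rest = v[2:].partition("\\")
        if not host or host in (".", "?"):          # \\.\ and \\?\ are local device paths
            return None
        return (host, "\\" + rest)
    if v.lower().startswith("file:"):
        u = urlparse(v)
        path = unquote(u.path)
        if u.netloc:                                # file://host/share/file
            return (u.netloc, path)
        if path.startswith("//"):                   # file:////host/share/file
            host, _, rest = path[2:].partition("/")
            return (host, "/" + rest) if host else None
    return None


def assess_url_file(text):
    """Return a list of findings (dicts) for each path key that reaches a remote host."""
    findings = []
    for key, value in parse_url_file(text).items():
        if key not in PATH_KEYS:
            continue
        target = remote_smb_target(value)
        if target is None:
            continue
        host, path = target
        findings.append({"key": key, "value": value, "host": host, "reason": "remote SMB path"})
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append({"key": key, "value": value, "host": host, "reason": "script extension"})
    return findings


# Constructed samples: a shortcut fetching a script over SMB, and a normal web shortcut.
MALICIOUS_SAMPLE = r"""[InternetShortcut]
URL=file://192.0.2.10/share/invoice.js
IconFile=\\192.0.2.10\share\invoice.ico
IDList=
"""
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, sample in (("constructed-malicious.url", MALICIOUS_SAMPLE),
                         ("constructed-benign.url", BENIGN_SAMPLE)):
        for f in assess_url_file(sample):
            print(f"{name}: {f['key']} -> {f['host']} ({f['reason']})")
```

Run against a directory of extracted shortcuts, anything that reports a remote host is worth pairing with SMB traffic to that host in the packet capture, as the Wireshark filter in the screenshot does.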

Shown above:  Traffic from my second infection filtered in Wireshark (just the HTTP requests).

Shown above:  GlobeImposter ransomware from my second infection attempt.

Shown above:  GlobeImposter decryptor.