2018-04-23 - DHL-THEMED MALSPAM PUSHES AGENT TESLA - A SOMEWHAT SLOPPY JOB

ASSOCIATED FILES:

NOTES:


Shown above:  Haha!  plumberspro.us is open to the world.  (I added Peter Griffin to the image.  That's not part of the site.)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

Received: from thaibev.com ([111.90.138.79]) by [removed] for [removed];
     Mon, 23 Apr 2018 14:00:14 +0000 (UTC)
From: DHL<info@thaibev.com>
To: [removed]
Subject: Your shippment Is Ready For Pick Up!!!
Date: 23 Apr 2018 21:59:50 +0800
Message-ID: <20180423215950.76829663E81D16CB@thaibev.com>
MIME-Version: 1.0

 


Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

 


Shown above:  Malware found persistent on an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
