Malware-Traffic-Analysis.net - 2016-07-25 - Boleto malspam - Subject: Boleto de Cobranca - FIX

2016-07-25 - BOLETO MALSPAM - SUBJECT: BOLETO DE COBRANCA - FIX - URGENTE

ASSOCIATED FILES:

2016-07-25-boleto-malspam-traffic-from-malware.pcap (1,311,600 bytes)

ZIP archive of the malware: 2016-07-25-boleto-malspam-email-and-vbs.zip 1.7 kB (1,725 bytes)

2016-07-25-boleto-malspam.eml (1,458 bytes)

VENC25072016axZ5MUdyYrNCCIIins5Chept7INWARCL.vbs (1,104 bytes)

NOTES:

I've seen this at least once before, so I though I'd document it.
You'll need to run the .vbs file in a test environment or sandbox to get samples of the dropped .dll and .exe files.

Shown above: Screenshot of the email.

Shown above: Some headers from the email.

Shown above: .vbs file hosted on 4shared.com.

Shown above: A pop-up windows that appears at some point after running the .vbs file.

Shown above: Traffic from the second pcap filtered in Wireshark.

SOME OF THE DOMAINS:

65.181.125.195 port 80 - nyckgr9u.contratocobrancas.top - has URL that redirects to 4shared.com hosting .vbs file
65.181.125.20 port 80 - 65.181.125.20 - Follow-up malware
65.181.113.203 port 80 - 65.181.113.203 - Follow-up malware
158.69.99.213 port 80 - www.ruthless.sexy - Callback traffic from infected host
65.181.113.187 port 80 - api.devyatinskiy.ru - More callback traffic from the infected host

SOME ARTIFACTS SEEN ON THE INFECTED HOST:

Shown above: The SYS[hostname].exe file persistent on the infected host.

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-07-25-boleto-malspam-traffic-from-malware.pcap.zip 1.0 MB (1,039,843 bytes)
ZIP archive of the malware: 2016-07-25-boleto-malspam-email-and-vbs.zip 1.7 kB (1,725 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.