2016-08-13 - BOLETO MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-08-13-boleto-malspam-traffic.pcap.zip   1.0 MB (1,023,771 bytes)

• 2016-08-13-boleto-malspam-traffic.pcap   (1,490,007 bytes)

• ZIP archive of the CSV spreadsheet:  2016-08-13-boleto-malspam-data.csv.zip   1.2 kB (1,216 bytes)

• 2016-08-13-boleto-malspam-data.csv   (3,268 bytes)

• ZIP archive of the emails (collected on 2016-08-11):  2016-08-11-boleto-malspam-examples.zip   22.1 kB (22,109 bytes)

• 2016-08-11-2002-UTC-boleto-malspam.eml   (1,826 bytes)
• 2016-08-11-2021-UTC-boleto-malspam.eml   (1,839 bytes)
• 2016-08-11-2043-UTC-boleto-malspam.eml   (1,772 bytes)
• 2016-08-11-2056-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-11-2106-UTC-boleto-malspam.eml   (1,855 bytes)
• 2016-08-11-2120a-UTC-boleto-malspam.eml   (1,811 bytes)
• 2016-08-11-2120b-UTC-boleto-malspam.eml   (1,795 bytes)
• 2016-08-11-2123-UTC-boleto-malspam.eml   (1,803 bytes)
• 2016-08-11-2133-UTC-boleto-malspam.eml   (1,830 bytes)
• 2016-08-11-2134-UTC-boleto-malspam.eml   (1,826 bytes)
• 2016-08-11-2139-UTC-boleto-malspam.eml   (1,799 bytes)
• 2016-08-11-2206-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-11-2213-UTC-boleto-malspam.eml   (1,834 bytes)
• 2016-08-11-2238-UTC-boleto-malspam.eml   (1,811 bytes)
• 2016-08-11-2245-UTC-boleto-malspam.eml   (1,815 bytes)
• 2016-08-11-2325-UTC-boleto-malspam.eml   (3,659 bytes)
• 2016-08-11-2350-UTC-boleto-malspam.eml   (1,843 bytes)

• ZIP archive of the VBS file downloaded from all the 2016-08-11 emails on 2016-08-13:  VCTO11082016pTCy2RTDtr0dUIc0Cqetctg0GSj0Tntc.vbs.zip   764 bytes

• VCTO11082016pTCy2RTDtr0dUIc0Cqetctg0GSj0Tntc.vbs   (1,092 bytes)

NOTES:

• This is the same type of malspam I previously documented on 2016-07-25.
• Unfortunately, for this batch, I forgot to get copies of the follow-up malware from the infected host before I wiped it.
• I'm posting this data, so there's more documentation on this campaign.

 

EMAIL

Shown above:  Data from the spreadsheet (1 of 2).

 

Shown above:  Data from the spreadsheet (2 of 2).

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINSDOMAINS:

• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/xos.txt
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/a.tiff
• 65.181.113.187 port 80 - www.devyatinskiy.ru - Callback domain with several different URLs containing info about the victim host
• 65.181.113.204 port 80 - 65.181.113.204 - GET /flawless.zip
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/dll.dll
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/dll.dll.exe
• 65.181.113.204 port 443 - ssl.houselannister.top - IRC chat
• 198.105.244.228 port 443 - xxxxxxxxxxx.localdomain - attempted TCP connections [no response]

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-08-13-boleto-malspam-traffic.pcap.zip   1.0 MB (1,023,771 bytes)
• ZIP archive of the CSV spreadsheet:  2016-08-13-boleto-malspam-data.csv.zip   1.2 kB (1,216 bytes)
• ZIP archive of the emails (collected on 2016-08-11):  2016-08-11-boleto-malspam-examples.zip   22.1 kB (22,109 bytes)
• ZIP archive of the VBS file downloaded from all the 2016-08-11 emails on 2016-08-13:  VCTO11082016pTCy2RTDtr0dUIc0Cqetctg0GSj0Tntc.vbs.zip   764 bytes

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.