2016-08-16 - BOLETO MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-08-16-boleto-malspam-infection-traffic.pcap.zip 2.4 MB (2,376,539 bytes)
- 2016-08-16-boleto-malspam-infection-traffic.pcap (3,367,311 bytes)
- ZIP archive of the CSV spreadsheets: 2016-08-16-boleto-malspam-spreadsheets.zip 3.0 kB (3,030 bytes)
- 2016-08-16-boleto-malspam-artifacts-information.csv (3,227 bytes)
- 2016-08-16-boleto-malspam-emails.csv (3,827 bytes)
- ZIP archive of the emails: 2016-08-16-boleto-malspam-emails.zip 25.0 kB (24,968 bytes)
- 2016-08-16-1723-UTC-boleto-malspam.eml (1,826 bytes)
- 2016-08-16-1744-UTC-boleto-malspam.eml (1,843 bytes)
- 2016-08-16-1748-UTC-boleto-malspam.eml (1,834 bytes)
- 2016-08-16-1804-UTC-boleto-malspam.eml (1,826 bytes)
- 2016-08-16-1814-UTC-boleto-malspam.eml (1,836 bytes)
- 2016-08-16-1842-UTC-boleto-malspam.eml (1,812 bytes)
- 2016-08-16-1934-UTC-boleto-malspam.eml (1,791 bytes)
- 2016-08-16-1939-UTC-boleto-malspam.eml (1,804 bytes)
- 2016-08-16-2004-UTC-boleto-malspam.eml (1,803 bytes)
- 2016-08-16-2009-UTC-boleto-malspam.eml (1,832 bytes)
- 2016-08-16-2016-UTC-boleto-malspam.eml (1,811 bytes)
- 2016-08-16-2043-UTC-boleto-malspam.eml (1,838 bytes)
- 2016-08-16-2045-UTC-boleto-malspam.eml (1,807 bytes)
- 2016-08-16-2048-UTC-boleto-malspam.eml (1,845 bytes)
- 2016-08-16-2057-UTC-boleto-malspam.eml (1,807 bytes)
- 2016-08-16-2059-UTC-boleto-malspam.eml (1,835 bytes)
- 2016-08-16-2236-UTC-boleto-malspam.eml (1,799 bytes)
- 2016-08-16-2313-UTC-boleto-malspam.eml (1,836 bytes)
- 2016-08-16-2331-UTC-boleto-malspam.eml (1,828 bytes)
- ZIP archive of artifacts from the infected host: 2016-08-16-boleto-malspam-artifacts-from-infected-host.zip 1.3 MB (1,278,584 bytes)
- 0vwy5x5w.sxp.vbs (337 bytes)
- 24ec2c3h.m0r.vbs (337 bytes)
- 301ghajh.5rb.vbs (334 bytes)
- Ionic.Zip.Reduced.dll (253,440 bytes)
- SCOOBYDOO-PC.aes (16 bytes)
- SCOOBYDOO-PC.zip (964,004 bytes)
- SYSSCOOBYDOOPC35.xml (3,220 bytes)
- VENC15082016ffmud0qJIKUpZ0wTBSLZrIg8f86C7OuY.vbs (1,088 bytes)
- ctb4jdr2.dh1.vbs (337 bytes)
- dll.dll.exe (396,480 bytes)
- dps4f3n3.nzt.vbs (336 bytes)
- edoyjk0d.h1e.vbs (333 bytes)
- gtaak3kr.0vz.vbs (337 bytes)
- h4lvi4ka.cxo.vbs (337 bytes)
- hirsngu3.dv1.vbs (337 bytes)
- jorgxg12.xni.vbs (334 bytes)
- jve5betr.n45.vbs (333 bytes)
- jvqvnoqi.2sm.vbs (337 bytes)
- mmnzj3rr.oyz.vbs (7,843 bytes)
- v33fkxhy.2m3.vbs (336 bytes)
- zezmigbh.hxq.vbs (336 bytes)
EMAILS
Shown above: Data from the spreadsheet (1 of 2).
Shown above: Data from the spreadsheet (2 of 2).
Shown above: Example of the emails.
EMAIL DETAILS
EXAMPLES OF SENDING EMAIL ADDRESSES:
- cobranca@contratocobrancas.top
- cobranca@entregaregistrada.top
- financeiro@maxcobrancas.xyz
- financeiro@paybackcobrancas.top
- financeiro@pearsonhardman.xyz
EXAMPLES OF SUBJECT LINES:
- Boleto Bancario via eletronica - MAXCOB - URGENTE
- Boleto Bancario via eletronica - PAYBACK - URGENTE
- Boleto Bancario via eletronica - PH ADVOGADOS - URGENTE
- Boleto de Cobranca - ENTREGA - URGENTE
- Boleto de Cobranca - FIX - URGENTE
DOMAINS FROM LINKS IN THE EMAILS:
- anexo.top
- boljuridicaexpress.top
- cobjuridica.top
- contratocobrancas.top
- entregaexpress.top
- entregaregistrada.top
- envio.top
- envioanexo.top
- enviogerenciado.top
- envioregistrado.biz
- paguecontas.top
- pearsonhardmanlitt.top
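The emails spreadsheet above records, for each message, the sending address, the subject line and the domains of the links in the body. As an added example that is not one of this page's own artifacts, the Python below pulls those same fields out of an .eml file with nothing but the standard library. The sample message is constructed for the example: its sender, subject and link domains come from the lists above, while the recipient, body text and URL paths are assumptions.

```python
"""Pull sender, subject and link domains out of a malspam .eml file.
Added example for this page, not one of the page's own artifacts.  The
message below is constructed: the headers use values from the lists on
the page, the recipient, body text and URL paths are assumptions."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample .eml (see note above).
SAMPLE_EML = b"""\
From: financeiro@maxcobrancas.xyz
To: victim@example.com
Subject: Boleto Bancario via eletronica - MAXCOB - URGENTE
Date: Tue, 16 Aug 2016 17:23:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Segue em anexo o boleto para pagamento.</p>
<a href="http://anexo.top/boleto/visualizar">VISUALIZAR BOLETO</a>
<a href="http://envioregistrado.biz/download">Segunda via</a>
</body></html>
"""

# Matches http(s) URLs in either plain-text or HTML bodies; stops at
# whitespace, quotes and angle brackets so href="..." values come out clean.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def triage_eml(raw: bytes) -> dict:
    """Return the fields the emails spreadsheet records for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))

    # Walk every text part (plain or HTML) and collect the link hostnames.
    domains = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlparse(url).hostname
            if host:
                domains.add(host.lower())

    # Quick mismatch check: does any link land on the sender's own domain?
    sender_domain = sender.rpartition("@")[2]
    return {
        "sender": sender,
        "subject": subject,
        "link_domains": sorted(domains),
        "sender_domain_in_links": any(
            d == sender_domain or d.endswith("." + sender_domain) for d in domains
        ),
    }


if __name__ == "__main__":
    for key, value in triage_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it over a directory of .eml files and the output is the raw material for the two spreadsheets. The sender-versus-link-domain check is only a cheap hint: several senders in this campaign (contratocobrancas.top, entregaregistrada.top) do link to their own domain, so a match does not clear a message.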
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- cdnfiles.4shared.com - VBS file from download link in the malspam
- 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/lol.txt
- 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/a.tiff
- 65.181.113.204 port 80 - 65.181.113.204 - GET /flawless.zip
- 65.181.113.187 port 80 - www.devyatinskiy.ru - HTTP callback traffic
- 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/dll.dll
- 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/dll.dll.exe
- 65.181.113.204 port 443 - ssl.houselannister.top - IRC traffic (botnet command and control)
- 198.105.244.228 port 443 - xxxxxxxxxxx.localdomain - Attempted TCP connections RST by server
- imestre.danagas.ru - Response 192.64.147.142 - no follow-up UDP or TCP connection
- imestre.noortakaful.top - No response
- imestre.waridtelecom.top - No response
- imestre.aduka.top - No response
- imestre.saltflowinc.top - No response
- imestre.moveoneinc.top - No response
- imestre.cheddarmcmelt.top - No response
- imestre.suzukiburgman.top - No response
- imestre.houselannister.top - response: 127.0.0.1
- xxxxxxxxxxx.localdomain - No response
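The traffic list above is a set of indicators: hostnames, server IPs, the /a35/ URI directory, the flawless.zip payload name and the run of imestre.* callback names. As an added example that is not part of this page or its pcap, the Python below turns those indicators into a matcher and runs it over a handful of log lines. The log format (one event per line: timestamp, event type, client, then type-specific fields) and the lines themselves are constructed for the example; the rule that flags any hostname whose first label is imestre is an assumption that the callback names keep varying only in their parent domain.

```python
"""Match the indicators from this page's traffic list against proxy and
DNS log lines.  Added example, not part of the original page or pcap.
The log format and the sample lines are constructed for the example."""
import ipaddress
from urllib.parse import urlparse

# Indicators taken from the page.  The imestre.* names are handled by the
# first-label rule below instead of being listed one by one.
IOC_HOSTS = {
    "cdnfiles.4shared.com", "www.devyatinskiy.ru", "ssl.houselannister.top",
    "anexo.top", "boljuridicaexpress.top", "cobjuridica.top",
    "contratocobrancas.top", "entregaexpress.top", "entregaregistrada.top",
    "envio.top", "envioanexo.top", "enviogerenciado.top",
    "envioregistrado.biz", "paguecontas.top", "pearsonhardmanlitt.top",
}
IOC_IPS = {"65.181.125.20", "65.181.113.204", "65.181.113.187", "198.105.244.228"}
IOC_URI_PREFIX = "/a35/"           # lol.txt, a.tiff, dll.dll, dll.dll.exe
IOC_URI_FILES = {"flawless.zip"}
IOC_FIRST_LABEL = "imestre"        # assumption: callback names keep this label

# Constructed log: "<timestamp> DNS <client> <qname> <answer|NXDOMAIN>",
# "<timestamp> HTTP <client> <server> <method> <url>",
# "<timestamp> TCP <client> <server> <port>".
LOG = """\
2016-08-16T18:20:11Z DNS 10.0.0.5 imestre.danagas.ru 192.64.147.142
2016-08-16T18:20:12Z HTTP 10.0.0.5 65.181.125.20 GET http://65.181.125.20/a35/lol.txt
2016-08-16T18:20:15Z HTTP 10.0.0.5 93.184.216.34 GET http://www.example.com/index.html
2016-08-16T18:20:18Z DNS 10.0.0.5 www.example.com 93.184.216.34
2016-08-16T18:20:20Z HTTP 10.0.0.5 65.181.113.204 GET http://65.181.113.204/flawless.zip
2016-08-16T18:20:25Z DNS 10.0.0.5 ssl.houselannister.top 65.181.113.204
2016-08-16T18:20:26Z TCP 10.0.0.5 65.181.113.204 443
2016-08-16T18:21:00Z DNS 10.0.0.5 imestre.aduka.top NXDOMAIN
2016-08-16T18:21:05Z TCP 10.0.0.5 198.51.100.7 443
"""


def classify_endpoint(name):
    """Reasons a hostname or IP literal matches the indicator set."""
    name = name.lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        if name in IOC_HOSTS:
            return [f"known host {name}"]
        if name.split(".", 1)[0] == IOC_FIRST_LABEL:
            return [f"imestre.* callback pattern {name}"]
        return []
    return [f"known IP {name}"] if name in IOC_IPS else []


def classify_url(url):
    """Host plus URI checks for an HTTP request line."""
    parsed = urlparse(url)
    reasons = classify_endpoint(parsed.hostname or "")
    path = parsed.path or "/"
    filename = path.rsplit("/", 1)[-1]
    if path.startswith(IOC_URI_PREFIX):
        reasons.append(f"URI prefix {IOC_URI_PREFIX}")
    if filename in IOC_URI_FILES:
        reasons.append(f"payload name {filename}")
    return reasons


def scan_log(text):
    """Return [(line_no, [reasons])] for every line touching an indicator."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        kind, reasons = fields[1], []
        if kind == "DNS":
            qname = fields[3]
            answer = fields[4] if len(fields) > 4 else ""
            reasons += classify_endpoint(qname)
            if answer and answer != "NXDOMAIN":
                reasons += classify_endpoint(answer)
        elif kind == "HTTP" and len(fields) >= 6:
            reasons += classify_endpoint(fields[3])
            reasons += classify_url(fields[5])
        elif kind == "TCP":
            reasons += classify_endpoint(fields[3])
        if reasons:
            hits.append((line_no, sorted(set(reasons))))
    return hits


if __name__ == "__main__":
    for line_no, reasons in scan_log(LOG):
        print(line_no, "; ".join(reasons))
```

The NXDOMAIN line for imestre.aduka.top is flagged on the query name alone, which matters here: most of the imestre.* lookups in the pcap got no answer, so a rule that only inspects resolved answers would miss the callback attempts entirely.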
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-08-16-boleto-malspam-infection-traffic.pcap.zip 2.4 MB (2,376,539 bytes)
- ZIP archive of the CSV spreadsheets: 2016-08-16-boleto-malspam-spreadsheets.zip 3.0 kB (3,030 bytes)
- ZIP archive of the emails: 2016-08-16-boleto-malspam-emails.zip 25.0 kB (24,968 bytes)
- ZIP archive of artifacts from the infected host: 2016-08-16-boleto-malspam-artifacts-from-infected-host.zip 1.3 MB (1,278,584 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.