2016-08-16 - BOLETO MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-08-16-boleto-malspam-infection-traffic.pcap.zip   2.4 MB (2,376,539 bytes)

• 2016-08-16-boleto-malspam-infection-traffic.pcap   (3,367,311 bytes)

• ZIP archive of the CSV spreadsheets:  2016-08-16-boleto-malspam-spreadsheets.zip   3.0 kB (3,030 bytes)

• 2016-08-16-boleto-malspam- artifacts-information.csv   (3,227 bytes)
• 2016-08-16-boleto-malspam-emails.csv   (3,827 bytes)

• ZIP archive of the emails:  2016-08-16-boleto-malspam-emails.zip   25.0 kB (24,968 bytes)

• 2016-08-16-1723-UTC-boleto-malspam.eml   (1,826 bytes)
• 2016-08-16-1744-UTC-boleto-malspam.eml   (1,843 bytes)
• 2016-08-16-1748-UTC-boleto-malspam.eml   (1,834 bytes)
• 2016-08-16-1804-UTC-boleto-malspam.eml   (1,826 bytes)
• 2016-08-16-1814-UTC-boleto-malspam.eml   (1,836 bytes)
• 2016-08-16-1842-UTC-boleto-malspam.eml   (1,812 bytes)
• 2016-08-16-1934-UTC-boleto-malspam.eml   (1,791 bytes)
• 2016-08-16-1939-UTC-boleto-malspam.eml   (1,804 bytes)
• 2016-08-16-2004-UTC-boleto-malspam.eml   (1,803 bytes)
• 2016-08-16-2009-UTC-boleto-malspam.eml   (1,832 bytes)
• 2016-08-16-2016-UTC-boleto-malspam.eml   (1,811 bytes)
• 2016-08-16-2043-UTC-boleto-malspam.eml   (1,838 bytes)
• 2016-08-16-2045-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-16-2048-UTC-boleto-malspam.eml   (1,845 bytes)
• 2016-08-16-2057-UTC-boleto-malspam.eml   (1,807 bytes)
• 2016-08-16-2059-UTC-boleto-malspam.eml   (1,835 bytes)
• 2016-08-16-2236-UTC-boleto-malspam.eml   (1,799 bytes)
• 2016-08-16-2313-UTC-boleto-malspam.eml   (1,836 bytes)
• 2016-08-16-2331-UTC-boleto-malspam.eml   (1,828 bytes)

• ZIP archive of artifacts from the infected host:  2016-08-16-boleto-malspam-artifacts-from-infected-host.zip   1.3 MB (1,278,584 bytes)

• 0vwy5x5w.sxp.vbs   (337 bytes)
• 24ec2c3h.m0r.vbs   (337 bytes)
• 301ghajh.5rb.vbs   (334 bytes)
• Ionic.Zip.Reduced.dll   (253,440 bytes)
• SCOOBYDOO-PC.aes   (16 bytes)
• SCOOBYDOO-PC.zip   (964,004 bytes)
• SYSSCOOBYDOOPC35.xml   (3,220 bytes)
• VENC15082016ffmud0qJIKUpZ0wTBSLZrIg8f86C7OuY.vbs   (1,088 bytes)
• ctb4jdr2.dh1.vbs   (337 bytes)
• dll.dll.exe   (396,480 bytes)
• dps4f3n3.nzt.vbs   (336 bytes)
• edoyjk0d.h1e.vbs   (333 bytes)
• gtaak3kr.0vz.vbs   (337 bytes)
• h4lvi4ka.cxo.vbs   (337 bytes)
• hirsngu3.dv1.vbs   (337 bytes)
• jorgxg12.xni.vbs   (334 bytes)
• jve5betr.n45.vbs   (333 bytes)
• jvqvnoqi.2sm.vbs   (337 bytes)
• mmnzj3rr.oyz.vbs   (7,843 bytes)
• v33fkxhy.2m3.vbs   (336 bytes)
• zezmigbh.hxq.vbs   (336 bytes)

 

EMAILS

Shown above:  Data from the spreadsheet (1 of 2).

 

Shown above:  Data from the spreadsheet (2 of 2).

 

Shown above:  Example of the emails.

 

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

• cobranca@contratocobrancas.top
• cobranca@entregaregistrada.top
• financeiro@maxcobrancas.xyz
• financeiro@paybackcobrancas.top
• financeiro@pearsonhardman.xyz

 

EXAMPLES OF SUBJECT LINES:

• Boleto Bancario via eletronica - MAXCOB - URGENTE
• Boleto Bancario via eletronica - PAYBACK - URGENTE
• Boleto Bancario via eletronica - PH ADVOGADOS - URGENTE
• Boleto de Cobranca - ENTREGA - URGENTE
• Boleto de Cobranca - FIX - URGENTE

 

DOMAINS FROM LINKS IN THE EMAILS:

• anexo.top
• boljuridicaexpress.top
• cobjuridica.top
• contratocobrancas.top
• entregaexpress.top
• entregaregistrada.top
• envio.top
• envioanexo.top
• enviogerenciado.top
• envioregistrado.biz
• paguecontas.top
• pearsonhardmanlitt.top

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cdnfiles.4shared.com - VBS file from download link in the malspam
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/lol.txt
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/a.tiff
• 65.181.113.204 port 80 - 65.181.113.204 - GET /flawless.zip
• 65.181.113.187 port 80 - www.devyatinskiy.ru - HTTP callback traffic
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/dll.dll
• 65.181.125.20 port 80 - 65.181.125.20 - GET /a35/dll.dll.exe
• 65.181.113.204 port 443 - ssl.houselannister.top - IRC traffic (botnet command and control)
• 198.105.244.228 port 443 - xxxxxxxxxxx.localdomain - Attempted TCP connections RST by server

• imestre.danagas.ru - Response 192.64.147.142 - no follow-up UDP or TCP connection
• imestre.noortakaful.top - No response
• imestre.waridtelecom.top - No response
• imestre.aduka.top - No response
• imestre.saltflowinc.top - No response
• imestre.moveoneinc.top - No response
• imestre.cheddarmcmelt.top - No response
• imestre.suzukiburgman.top - No response
• imestre.houselannister.top - response: 127.0.0.1
• xxxxxxxxxxx.localdomain - No response

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-08-16-boleto-malspam-infection-traffic.pcap.zip   2.4 MB (2,376,539 bytes)
• ZIP archive of the CSV spreadsheets:  2016-08-16-boleto-malspam-spreadsheets.zip   3.0 kB (3,030 bytes)
• ZIP archive of the emails:  2016-08-16-boleto-malspam-emails.zip   25.0 kB (24,968 bytes)
• ZIP archive of artifacts from the infected host:  2016-08-16-boleto-malspam-artifacts-from-infected-host.zip   1.3 MB (1,278,584 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.