2016-08-22 - BOLETO MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-08-22-boleto-malspam-infection-traffic.pcap.zip 1.3 MB (1,296,114 bytes)
- 2016-08-22-boleto-malspam-infection-traffic.pcap (1,814,956 bytes)
- ZIP archive of the CSV spreadsheets: 2016-08-22-boleto-malspam-spreadsheets.zip 2.2 kB (2,197 bytes)
- 2016-08-22-boleto-malspam-artifacts-information.csv (1,921 bytes)
- 2016-08-22-boleto-malspam-emails.csv (2,374 bytes)
- ZIP archive of the emails: 2016-08-22-boleto-malspam-emails.zip 15.6 kB (15,603 bytes)
- 2016-08-22-1205-UTC-boleto-malspam.eml (1,776 bytes)
- 2016-08-22-1212-UTC-boleto-malspam.eml (1,811 bytes)
- 2016-08-22-1213-UTC-boleto-malspam.eml (1,815 bytes)
- 2016-08-22-1217-UTC-boleto-malspam.eml (1,835 bytes)
- 2016-08-22-1226-UTC-boleto-malspam.eml (1,803 bytes)
- 2016-08-22-1227-UTC-boleto-malspam.eml (1,838 bytes)
- 2016-08-22-1236-UTC-boleto-malspam.eml (1,815 bytes)
- 2016-08-22-1243-UTC-boleto-malspam.eml (1,834 bytes)
- 2016-08-22-1248-UTC-boleto-malspam.eml (1,811 bytes)
- 2016-08-22-1249-UTC-boleto-malspam.eml (1,851 bytes)
- 2016-08-22-1318-UTC-boleto-malspam.eml (1,850 bytes)
- 2016-08-22-1326-UTC-boleto-malspam.eml (1,799 bytes)
- ZIP archive of artifacts from the infected host: 2016-08-22-boleto-malspam-artifacts-from-infected-host.zip 1.5 MB (1,494,357 bytes)
- Ionic.Zip.Reduced.dll (253,440 bytes)
- PSEXESVC.exe (189,792 bytes)
- VADER-PC.aes (16 bytes)
- VADER-PC.zip (1,079,289 bytes)
- VENC22082016yCXo92TVz0mndzIWH2SIwHAgsJZ1gncM.vbs (1,098 bytes)
- aaaaaaaaaaaa.xml (3,380 bytes)
- dll.dll.exe (396,480 bytes)
- gybxhaao.32w.vbs (343 bytes)
- hk4wmvwo.5bs.vbs (7,775 bytes)
- tmp51F8.tmpps1 (3,475 bytes)
- tmpAC55.tmp (11,548 bytes)
- tmpF103.tmp (11,548 bytes)
MY PREVIOUS DOCUMENTATION ON THIS CAMPAIGN:
- 2016-08-19 - Boleto malspam
- 2016-08-18 - Boleto malspam
- 2016-08-17 - Boleto malspam
- 2016-08-16 - Boleto malspam
- 2016-08-15 - Boleto malspam
- 2016-08-13 - Boleto malspam
- 2016-07-26 - Malspam hunt (one email at 2016-07-26 18:40 UTC)
- 2016-07-25 - Boleto malspam - Subject: Boleto de Cobranca - FIX - URGENTE
EMAILS
Shown above: Data from the spreadsheet (1 of 2).
Shown above: Data from the spreadsheet (2 of 2).
Shown above: Example of the emails.
EMAIL DETAILS
EXAMPLES OF SENDING EMAIL ADDRESSES:
- cobranca@contratocobrancas.top
- cobranca@entregaregistrada.top
- cobranca@globalcobranca.top
- financeiro@louislittadvocacia.top
- financeiro@maxcobrancas.xyz
- financeiro@paybackcobrancas.top
- financeiro@pearsonhardman.xyz
EXAMPLES OF SUBJECT LINES:
- Boleto Bancario via eletronica - LLITT - URGENTE
- Boleto Bancario via eletronica - MAXCOB - URGENTE
- Boleto Bancario via eletronica - PAYBACK - URGENTE
- Boleto Bancario via eletronica - PH ADVOGADOS - URGENTE
- Boleto de Cobranca - ENTREGA - URGENTE
- Boleto de Cobranca - FIX - URGENTE
- Boleto de Cobranca - GLOBAL - URGENTE
DOMAINS FROM LINKS IN THE EMAILS:
- anexo.top
- contratocobrancas.top
- entregacertificada.top
- entregaregistrada.top
- enviocomregistro.top
- envioregistrado.biz
- globalcobranca.top
- harveyspecter.top
- pearsonhardmanlitt.top
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- cdnfiles.4shared.com - VBS file from download link in the malspam
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/w7.txt
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/aw7.tiff
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/w7.zip
- 65.181.113.187 port 80 - www.devyatinskiy.ru - HTTP callback traffic
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/dll.dll
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/dll.dll.exe
- 65.181.113.204 port 443 - ssl.houselannister.top - IRC traffic (botnet command and control)
- imestre.danagas.ru - Response 192.64.147.142 - no follow-up UDP or TCP connection
- imestre.noortakaful.top - No response
- imestre.waridtelecom.top - No response
- imestre.aduka.top - No response
- imestre.saltflowinc.top - No response
- imestre.moveoneinc.top - No response
- imestre.cheddarmcmelt.top - No response
- imestre.suzukiburgman.top - No response
- imestre.houselannister.top - response: 127.0.0.1
- xxxxxxxxxxx.localdomain - No response
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-08-22-boleto-malspam-infection-traffic.pcap.zip 1.3 MB (1,296,114 bytes)
- ZIP archive of the CSV spreadsheets: 2016-08-22-boleto-malspam-spreadsheets.zip 2.2 kB (2,197 bytes)
- ZIP archive of the emails: 2016-08-22-boleto-malspam-emails.zip 15.6 kB (15,603 bytes)
- ZIP archive of artifacts from the infected host: 2016-08-22-boleto-malspam-artifacts-from-infected-host.zip 1.5 MB (1,494,357 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.