2016-08-22 - BOLETO MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-08-22-boleto-malspam-infection-traffic.pcap.zip   1.3 MB (1,296,114 bytes)

• 2016-08-22-boleto-malspam-infection-traffic.pcap   (1,814,956 bytes)

• ZIP archive of the CSV spreadsheets:  2016-08-22-boleto-malspam-spreadsheets.zip   2.2 kB (2,197 bytes)

• 2016-08-22-boleto-malspam-artifacts-information.csv   (1,921 bytes)
• 2016-08-22-boleto-malspam-emails.csv   (2,374 bytes)

• ZIP archive of the emails:  2016-08-22-boleto-malspam-emails.zip   15.6 kB (15,603 bytes)

• 2016-08-22-1205-UTC-boleto-malspam.eml   (1,776 bytes)
• 2016-08-22-1212-UTC-boleto-malspam.eml   (1,811 bytes)
• 2016-08-22-1213-UTC-boleto-malspam.eml   (1,815 bytes)
• 2016-08-22-1217-UTC-boleto-malspam.eml   (1,835 bytes)
• 2016-08-22-1226-UTC-boleto-malspam.eml   (1,803 bytes)
• 2016-08-22-1227-UTC-boleto-malspam.eml   (1,838 bytes)
• 2016-08-22-1236-UTC-boleto-malspam.eml   (1,815 bytes)
• 2016-08-22-1243-UTC-boleto-malspam.eml   (1,834 bytes)
• 2016-08-22-1248-UTC-boleto-malspam.eml   (1,811 bytes)
• 2016-08-22-1249-UTC-boleto-malspam.eml   (1,851 bytes)
• 2016-08-22-1318-UTC-boleto-malspam.eml   (1,850 bytes)
• 2016-08-22-1326-UTC-boleto-malspam.eml   (1,799 bytes)

• ZIP archive of artifacts from the infected host:  2016-08-22-boleto-malspam-artifacts-from-infected-host.zip   1.5 MB (1,494,357 bytes)

• Ionic.Zip.Reduced.dll   (253,440 bytes)
• PSEXESVC.exe   (189,792 bytes)
• VADER-PC.aes   (16 bytes)
• VADER-PC.zip   (1,079,289 bytes)
• VENC22082016yCXo92TVz0mndzIWH2SIwHAgsJZ1gncM.vbs   (1,098 bytes)
• aaaaaaaaaaaa.xml   (3,380 bytes)
• dll.dll.exe   (396,480 bytes)
• gybxhaao.32w.vbs   (343 bytes)
• hk4wmvwo.5bs.vbs   (7,775 bytes)
• tmp51F8.tmpps1   (3,475 bytes)
• tmpAC55.tmp   (11,548 bytes)
• tmpF103.tmp   (11,548 bytes)

 

MY PREVIOUS DOCUMENTATION ON THIS CAMPAIGN:

• 2016-08-19 - Boleto malspam
• 2016-08-18 - Boleto malspam
• 2016-08-17 - Boleto malspam
• 2016-08-16 - Boleto malspam
• 2016-08-15 - Boleto malspam
• 2016-08-13 - Boleto malspam
• 2016-07-26 - Malspam hunt (one email at 2016-07-26 18:40 UTC)
• 2016-07-25 - Boleto malspam - Subject: Boleto de Cobranca - FIX - URGENTE

 

EMAILS

Shown above:  Data from the spreadsheet (1 of 2).

 

Shown above:  Data from the spreadsheet (2 of 2).

 

Shown above:  Example of the emails.

 

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

• cobranca@contratocobrancas.top
• cobranca@entregaregistrada.top
• cobranca@globalcobranca.top
• financeiro@louislittadvocacia.top
• financeiro@maxcobrancas.xyz
• financeiro@paybackcobrancas.top
• financeiro@pearsonhardman.xyz

 

EXAMPLES OF SUBJECT LINES:

• Boleto Bancario via eletronica - LLITT - URGENTE
• Boleto Bancario via eletronica - MAXCOB - URGENTE
• Boleto Bancario via eletronica - PAYBACK - URGENTE
• Boleto Bancario via eletronica - PH ADVOGADOS - URGENTE
• Boleto de Cobranca - ENTREGA - URGENTE
• Boleto de Cobranca - FIX - URGENTE
• Boleto de Cobranca - GLOBAL - URGENTE

 

DOMAINS FROM LINKS IN THE EMAILS:

• anexo.top
• contratocobrancas.top
• entregacertificada.top
• entregaregistrada.top
• enviocomregistro.top
• envioregistrado.biz
• globalcobranca.top
• harveyspecter.top
• pearsonhardmanlitt.top

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cdnfiles.4shared.com - VBS file from download link in the malspam
• 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/w7.txt
• 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/aw7.tiff
• 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/w7.zip
• 65.181.113.187 port 80 - www.devyatinskiy.ru - HTTP callback traffic
• 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/dll.dll
• 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/dll.dll.exe
• 65.181.113.204 port 443 - ssl.houselannister.top - IRC traffic (botnet command and control)

• imestre.danagas.ru - Response 192.64.147.142 - no follow-up UDP or TCP connection
• imestre.noortakaful.top - No response
• imestre.waridtelecom.top - No response
• imestre.aduka.top - No response
• imestre.saltflowinc.top - No response
• imestre.moveoneinc.top - No response
• imestre.cheddarmcmelt.top - No response
• imestre.suzukiburgman.top - No response
• imestre.houselannister.top - response: 127.0.0.1
• xxxxxxxxxxx.localdomain - No response

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-08-22-boleto-malspam-infection-traffic.pcap.zip   1.3 MB (1,296,114 bytes)
• ZIP archive of the CSV spreadsheets:  2016-08-22-boleto-malspam-spreadsheets.zip   2.2 kB (2,197 bytes)
• ZIP archive of the emails:  2016-08-22-boleto-malspam-emails.zip   15.6 kB (15,603 bytes)
• ZIP archive of artifacts from the infected host:  2016-08-22-boleto-malspam-artifacts-from-infected-host.zip   1.5 MB (1,494,357 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.