2016-08-23 - BOLETO CAMPAIGN

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Z2016-08-23-Boleto-campaign-infection-traffic.pcap.zip   1.3 MB (1,339,304 bytes)

• 2016-08-23-Boleto-campaign-infection-traffic.pcap   (1,963,004 bytes)

• 2016-08-23-Boleto-campaign-spreadsheets.zip   2.2 kB (2,158 bytes)

• 2016-08-23-Boleto-campaign-malware-and-artifacts-info.csv   (1,881 bytes)
• 2016-08-23-Boleto-campaign-malspam.csv   (2,363 bytes)

• 2016-08-23-Boleto-campaign-malspam.zip   15.6 kB (15,582 bytes)

• 2016-08-23-Boleto-malspam-0451-UTC.eml   (1,817 bytes)
• 2016-08-23-Boleto-malspam-0501-UTC.eml   (1,838 bytes)
• 2016-08-23-Boleto-malspam-0503-UTC.eml   (1,803 bytes)
• 2016-08-23-Boleto-malspam-0541-UTC.eml   (1,822 bytes)
• 2016-08-23-Boleto-malspam-0619-UTC.eml   (1,850 bytes)
• 2016-08-23-Boleto-malspam-0638-UTC.eml   (1,811 bytes)
• 2016-08-23-Boleto-malspam-0643-UTC.eml   (1,805 bytes)
• 2016-08-23-Boleto-malspam-0713-UTC.eml   (1,819 bytes)
• 2016-08-23-Boleto-malspam-0754-UTC.eml   (1,856 bytes)
• 2016-08-23-Boleto-malspam-0836-UTC.eml   (1,786 bytes)
• 2016-08-23-Boleto-malspam-0941-UTC.eml   (1,853 bytes)
• 2016-08-23-Boleto-malspam-1544-UTC.eml   (1,819 bytes)

• 2016-08-23-Boleto-campaign-malware-and-artifacts-from-infected-host.zip   1.5 MB (1,494,406 bytes)

• Ionic.Zip.Reduced.dll   (253,440 bytes)
• PSEXESVC.exe   (189,792 bytes)
• SPRINGFIELD-PC.aes   (16 bytes)
• SPRINGFIELD-PC.zip   (1,079,301 bytes)
• VCTO23082016pozmo4ozQS0aWjcgqOpMjOyKwYU6sDvQ.vbs   (1,098 bytes)
• aaaaaaaaaaaa.xml   (3,386 bytes)
• dll.dll.exe   (396,480 bytes)
• ij2yuclu.itw.vbs   (344 bytes)
• tmp15F3.tmpps1   (3,463 bytes)
• tmp2B35.tmp   (11,548 bytes)
• tmp7003.tmp   (11,548 bytes)
• wifopdhk.oja.vbs   (7,773 bytes)

 

MY PREVIOUS DOCUMENTATION ON THIS CAMPAIGN:

• 2016-08-22 - Boleto campaign
• 2016-08-19 - Boleto campaign
• 2016-08-18 - Boleto campaign
• 2016-08-17 - Boleto campaign
• 2016-08-16 - Boleto campaign
• 2016-08-15 - Boleto campaign
• 2016-08-13 - Boleto campaign
• 2016-07-26 - Malspam hunt (one email at 2016-07-26 18:40 UTC)
• 2016-07-25 - Boleto campaign - Subject: Boleto de Cobranca - FIX - URGENTE

 

EMAILS

Shown above:  Data from the spreadsheet (1 of 2).

 

Shown above:  Data from the spreadsheet (2 of 2).

 

Shown above:  Example of the emails.

 

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

• cobranca@contratocobrancas[.]top
• cobranca@entregaregistrada[.]top
• financeiro@louislittadvocacia[.]top
• financeiro@maxcobrancas[.]xyz
• financeiro@paybackcobrancas[.]top

 

EXAMPLES OF SUBJECT LINES:

• Boleto Bancario via eletronica - LLITT - URGENTE
• Boleto Bancario via eletronica - MAXCOB - URGENTE
• Boleto Bancario via eletronica - PAYBACK - URGENTE
• Boleto de Cobranca - ENTREGA - URGENTE
• Boleto de Cobranca - FIX - URGENTE

 

DOMAINS FROM LINKS IN THE EMAILS:

• bolsender[.]top
• contratocobrancas[.]top
• entregaregistrada[.]top
• envioanexado[.]top
• enviocomregistro[.]top
• envioregistrado[.]biz
• harveyspecter[.]top
• jessicapearson[.]top

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cdnfiles.4shared[.]com - VBS file from download link in the malspam
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.txt
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/aw7.tiff
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.zip
• 65.181.113[.]187 port 80 - www.devyatinskiy[.]ru- HTTP callback traffic
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll
• 65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll.exe
• 65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)

• imestre.danagas[.]ru- Response 192.64.147[.]142 - no follow-up UDP or TCP connection
• imestre.noortakaful[.]top - No response
• imestre.waridtelecom[.]top - No response
• imestre.aduka[.]top - No response
• imestre.saltflowinc[.]top - No response
• imestre.moveoneinc[.]top - No response
• imestre.cheddarmcmelt[.]top - No response
• imestre.suzukiburgman[.]top - No response
• imestre.houselannister[.]top - response: 127.0.0[.]1
• xxxxxxxxxxx.localdomain - No response

 

Click here to return to the main page.