2016-09-21 - BOLETO MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-09-21-boleto-malspam-infection-traffic.pcap.zip 1.4 MB (1,380,533 bytes)
- 2016-09-21-boleto-malspam-infection-traffic.pcap (1,874,946 bytes)
- ZIP archive of the email and malware/artifacts: 2016-09-21-boleto-malspam-email-and-artifacts.zip 1.4 MB (1,398,504 bytes)
- 1ru5a5ow.axo.vbs (7,775 bytes)
- 2016-09-21-boleto-malspam-artifacts-information.csv (1,977 bytes)
- 2016-09-21-boleto-malspam-email.eml (1,838 bytes)
- 5vieed1p.pad.vbs (338 bytes)
- DRACULA-PC.aes (16 bytes)
- DRACULA-PC.zip (1,079,293 bytes)
- Ionic.Zip.Reduced.dll (253,440 bytes)
- VCTO20097H3TOPyneOpr01jtiKs1iRdVptbVON3n7.vbs (1,084 bytes)
- aaaaaaaaaaaa.xml (3,374 bytes)
- dll.dll.exe (396,480 bytes)
- tmp42DA.tmp (11,548 bytes)
- tmp6124.tmp (0 bytes)
- tmp6124.tmpps1 (3,447 bytes)
- tmpC9B4.tmp (11,548 bytes)
EMAILS
Shown above: Screenshot of the email.
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 4shared.com - VBS file from download link in the malspam
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/w7.txt
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/aw7.tiff
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/w7.zip
- 65.181.113.187 port 80 - www.devyatinskiy.ru - HTTP callback traffic
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/dll.dll
- 65.181.125.193 port 80 - 65.181.125.193 - GET /a35new/dll.dll.exe
- 65.181.113.204 port 443 - ssl.houselannister.top - IRC traffic (botnet command and control)
- imestre.danagas.ru - Response 192.64.147.142 - no follow-up UDP or TCP connection
- imestre.noortakaful.top - No response
- imestre.waridtelecom.top - No response
- imestre.aduka.top - No response
- imestre.saltflowinc.top - No response
- imestre.moveoneinc.top - No response
- imestre.cheddarmcmelt.top - No response
- imestre.suzukiburgman.top - No response
- imestre.houselannister.top - response: 127.0.0.1
- xxxxxxxxxxx.localdomain - No response
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-09-21-boleto-malspam-infection-traffic.pcap.zip 1.4 MB (1,380,533 bytes)
- ZIP archive of the email and malware/artifacts: 2016-09-21-boleto-malspam-email-and-artifacts.zip 1.4 MB (1,398,504 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.