2017-03-22 - PORTUGUESE INVOICE MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-22-Portuguese-invoice-malspam-traffic.pcap.zip 8.9 MB (8,938,171 bytes)
- 2017-03-22-Portuguese-invoice-malspam-traffic.pcap (9,499,306 bytes)
- 2017-03-22-NF-e-malspam-0152-UTC.eml (2,235 bytes)
- 2017-03-22-NF-e-malspam-1404-UTC.eml (2,259 bytes)
- 2017-03-22-NF-e-malspam-1508-UTC.eml (2,257 bytes)
EMAILS
Shown above: An example of the emails.
SUBJECT LINES:
- Subject: NF-e Nacional - Serie 20 - Doc. N. 6-032017
- Subject: NF-e Nacional - Serie 12 - Doc. N. 19388-032017
- Subject: NF-e Nacional - Serie 20 - Doc. N. 61754-032017
TRAFFIC
Shown above: Pcap of the infection traffic filtered in Wireshark.
DOWNLOAD URLS FROM THE EMAILS:
- www.financeiro-doc.com.br/notafiscal/?pdf-douglassantos@detran.es.gov.br=0D
- www.financeiro-doc.com.br/notafiscal/?xml-douglassantos@detran.es.gov.br=0D
- www.docprintbrasil.com.br/nfe/?pdf-a-silva@bx.jp.nec.com=0D
- www.docprintbrasil.com.br/nfe/?xml-a-silva@bx.jp.nec.com=0D
- www.docprintbrasil.com.br/nfe/?pdf-andre.ffranco@uol.com.br=0D
- www.docprintbrasil.com.br/nfe/?xml-andre.ffranco@uol.com.br=0D
NOTE: The trailing =0D on each URL is the quoted-printable encoding of a carriage return (0x0D) that sits at the end of the link in the email body. When the link is fetched, the client percent-encodes that character, which is why the same URL appears in the traffic ending in %0D.
INFECTION ATTEMPT:
- 108.179.253.77 port 80 - www.docprintbrasil.com.br - GET /nfe/?xml-andre.ffranco@uol.com.br%0D
- 199.101.134.176 port 443 - dc720.4shared.com - GET /download/1eFIdS__ei?sbsr=c51[long string of characters] [HTTPS]
- 191.6.202.84 port 80 - www.selfstudy.com.br - GET /sempre/Unedrcovertoolz0.zip
- 177.12.161.30 port 80 - www.gumos.com.br - GET /sempre/notify.php
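The following is an added example, not part of the original post or the pcap: it decodes the =0D suffix on the download URLs above the way a mail client would (quoted-printable CR), percent-encodes the resulting request-target the way an HTTP client would (giving the %0D seen in the GET request), and then looks for those request-targets in a request log. The email body and the log lines are constructed samples built from the indicators on this page; the three real .eml files and the pcap are not parsed here.

```python
import quopri
import re
from urllib.parse import quote

# Constructed sample quoted-printable body in the style of the NF-e emails on
# this page. It is NOT one of the three .eml files; the URLs are copied from
# the "DOWNLOAD URLS FROM THE EMAILS" list, including their trailing "=0D".
SAMPLE_QP_BODY = b"""\
Segue a NF-e Nacional - Serie 20 - Doc. N. 61754-032017=0D
PDF: http://www.docprintbrasil.com.br/nfe/?pdf-andre.ffranco@uol.com.br=0D
XML: http://www.docprintbrasil.com.br/nfe/?xml-andre.ffranco@uol.com.br=0D
Atenciosamente=0D
"""

# Constructed request log in the "ip port host METHOD target" shape of the
# INFECTION ATTEMPT list above (typed from that list, not parsed from the pcap).
SAMPLE_HTTP_LOG = [
    "108.179.253.77 80 www.docprintbrasil.com.br GET /nfe/?xml-andre.ffranco@uol.com.br%0D",
    "191.6.202.84 80 www.selfstudy.com.br GET /sempre/Unedrcovertoolz0.zip",
    "177.12.161.30 80 www.gumos.com.br GET /sempre/notify.php",
]

URL_RE = re.compile(r"https?://[^\s<>\"]+")
# Characters left literal in a request-target. quote() never encodes letters,
# digits or "_.-~"; everything else not listed here (including a raw CR) is
# percent-encoded, which is what turns "\r" into "%0D".
TARGET_SAFE = "/?=&@!$'()*+,;:"


def decode_qp_url(qp_url: str) -> str:
    """Decode one URL token copied from a quoted-printable body.
    '=0D' becomes a literal carriage return (0x0D); '=3D' would become '='."""
    return quopri.decodestring(qp_url.encode("ascii")).decode("ascii")


def urls_from_qp_body(qp_body: bytes) -> list[str]:
    """Extract and decode every URL in a quoted-printable body.
    Soft line breaks ('=' at end of line) are joined first so a URL that the
    encoder wrapped across lines is recovered whole."""
    text = re.sub(r"=\r?\n", "", qp_body.decode("ascii"))
    return [decode_qp_url(m.group(0)) for m in URL_RE.finditer(text)]


def request_target(decoded_url: str) -> tuple[str, str]:
    """Split a decoded URL into (host, request-target) and percent-encode the
    target the way an HTTP client puts it on the wire. urllib.parse.urlsplit is
    avoided on purpose: recent Python versions strip CR/LF/TAB from URLs before
    splitting, which would hide exactly the byte we want to keep."""
    rest = decoded_url.split("://", 1)[1]
    slash = rest.find("/")
    host, target = (rest, "/") if slash < 0 else (rest[:slash], rest[slash:])
    return host, quote(target, safe=TARGET_SAFE)


def expected_requests(qp_body: bytes) -> list[tuple[str, str]]:
    """(host, request-target) pairs a client would send for each emailed link."""
    return [request_target(u) for u in urls_from_qp_body(qp_body)]


def match_requests(qp_body: bytes, log_lines: list[str]) -> list[str]:
    """Return the log lines whose (host, target) equals one of the emailed
    links, i.e. evidence that a link from this campaign was fetched."""
    wanted = set(expected_requests(qp_body))
    hits = []
    for line in log_lines:
        _ip, _port, host, _method, target = line.split(maxsplit=4)
        if (host, target) in wanted:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for host, target in expected_requests(SAMPLE_QP_BODY):
        print(f"expect GET {target} on {host}")
    for hit in match_requests(SAMPLE_HTTP_LOG and SAMPLE_QP_BODY, SAMPLE_HTTP_LOG):
        print("seen in traffic:", hit)
```

Matching on the percent-encoded form matters: a rule written against the URL as it reads in the email (no %0D) or against a decoded log field (a bare CR) will miss the request as it actually appears on the wire and in the Wireshark listing above.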
FILE HASHES
DOWNLOADED ZIP ARCHIVE FROM LINK IN THE EMAIL:
- SHA256 hash: 631a104bf3af15a447c19bf57a2144956c435037b0dcb035a27dbacddfdcb75b [ VirusTotal link ]
File name: NotaFiscal_22032017.zip
File size: 898,583 bytes
EXTRACTED MALWARE:
- SHA256: d1bef41cd683e345052aca32cc43941dd529f16994233de984a2941c82f992a2 [ Reverse.it link ]
File name: NotaFiscal_22032017- Completa.exe
File size: 1,929,728 bytes
FOLLOW-UP DOWNLOAD ON INFECTED HOST:
- SHA256: 545d75d3185890fd88fdbf055f5ab97c51f96c94741b9e05edd784de9d29c43d [ VirusTotal link ]
File name: C:\Users\[username]\AppData\Local\GamesAlok0\Unedrcovertoolz0.exe
File size: 120,688,640 bytes
IMAGES
Shown above: Malware from the link in the email.
Shown above: Malware seen on the infected host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-22-Portuguese-invoice-malspam-traffic.pcap.zip 8.9 MB (8,938,171 bytes)
- ZIP archive of the emails: 2017-03-22-Portuguese-invoice-malspam-examples.zip 3.9 kB (3,942 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.