2017-03-22 - PORTUGUESE INVOICE MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-22-Portuguese-invoice-malspam-traffic.pcap.zip   8.9 MB (8,938,171 bytes)

• 2017-03-22-Portuguese-invoice-malspam-traffic.pcap   (9,499,306 bytes)

ZIP archive of the emails:  2017-03-22-Portuguese-invoice-malspam-examples.zip   3.9 kB (3,942 bytes)

• 2017-03-22-NF-e-malspam-0152-UTC.eml   (2,235 bytes)
• 2017-03-22-NF-e-malspam-1404-UTC.eml   (2,259 bytes)
• 2017-03-22-NF-e-malspam-1508-UTC.eml   (2,257 bytes)

 

EMAILS

Shown above:  An example of the emails.

 

SUBJECT LINES:

• Subject:  NF-e Nacional - Serie 20 - Doc. N. 6-032017
• Subject:  NF-e Nacional - Serie 12 - Doc. N. 19388-032017
• Subject:  NF-e Nacional - Serie 20 - Doc. N. 61754-032017

 

TRAFFIC

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

DOWNLOAD URLS FROM THE EMAILS:

• www.financeiro-doc.com.br/notafiscal/?pdf-douglassantos@detran.es.gov.br=0D
• www.financeiro-doc.com.br/notafiscal/?xml-douglassantos@detran.es.gov.br=0D
• www.docprintbrasil.com.br/nfe/?pdf-a-silva@bx.jp.nec.com=0D
• www.docprintbrasil.com.br/nfe/?xml-a-silva@bx.jp.nec.com=0D
• www.docprintbrasil.com.br/nfe/?pdf-andre.ffranco@uol.com.br=0D
• www.docprintbrasil.com.br/nfe/?xml-andre.ffranco@uol.com.br=0D

INFECTION ATTEMPT:

• 108.179.253.77 port 80 - www.docprintbrasil.com.br - GET /nfe/?xml-andre.ffranco@uol.com.br%0D
• 199.101.134.176 port 443 - dc720.4shared.com - GET /download/1eFIdS__ei?sbsr=c51[long string of characters]   [HTTPS]
• 191.6.202.84 port 80 - www.selfstudy.com.br - GET /sempre/Unedrcovertoolz0.zip
• 177.12.161.30 port 80 - www.gumos.com.br - GET /sempre/notify.php

 

FILE HASHES

DOWNLOADED ZIP ARCHIVE FROM LINK IN THE EMAIL:

• SHA256 hash:  631a104bf3af15a447c19bf57a2144956c435037b0dcb035a27dbacddfdcb75b   [ VirusTotal link ]
  File name:  NotaFiscal_22032017.zip
  File size:  898,583 bytes

EXTRACTED MALWARE:

• SHA256:  d1bef41cd683e345052aca32cc43941dd529f16994233de984a2941c82f992a2   [ Reverse.it link ]
  File name:  NotaFiscal_22032017- Completa.exe
  File size:  1,929,728 bytes

FOLLOW-UP DOWNLOAD ON INFECTED HOST:

• SHA256:  545d75d3185890fd88fdbf055f5ab97c51f96c94741b9e05edd784de9d29c43d   [ VirusTotal link ]
  File name:  C:\Users\[username]\AppData\Local\GamesAlok0\Unedrcovertoolz0.exe
  File size:  120,688,640 bytes

 

IMAGES

Shown above:  Malware from the link in the email.

 

Shown above:  Malware seen on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-22-Portuguese-invoice-malspam-traffic.pcap.zip   8.9 MB (8,938,171 bytes)
• ZIP archive of the emails:  2017-03-22-Portuguese-invoice-malspam-examples.zip   3.9 kB (3,942 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.