2017-05-31 - MALSPAM - SUBJECT: RFQ-DOC

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-05-31-malspam-traffic.pcap.zip   727 kB (726,614 bytes)

• 2017-05-31-malspam-traffic.pcap   (862,006 bytes)

• ZIP archive of the malware:  2017-05-31-malspam-artifacts.zip   1.7 MB (1,692,958 bytes)

• RFQ-1.exe   (885,760 bytes)
• RFQ-1.zip   (845,938 bytes)

NOTES:

• Looks like we've got ourselves an information stealer, here.
• The malware appears to take screenshots, and it also logs user activity.

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

Received: from [10.98.149.95] (unknown [197.210.25.103]);
        by [removed]
        Wed, 31 May 2017 14:40:21 +0300 (EEST)
Date: Thu, 01 Jun 2017 00:40:06 -0700
From: "Nayab Husain Rizvi" <info@elmechuae.com>
Subject: RFQ-Doc
MIME-Version: 1.0

 

TRAFFIC

Shown above:  Pcap of the traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS

• 216.158.235.250 port 80 - krabithailandproperty.trade - GET /wp-upload/file/RFQ-1.zip   [link from the email to download the zip archive]
• 197.210.25.103 1604 - patrickcrouzet5.ddns.net - post-infection attempted TCP connections
• 190.123.44.138 port 1604 - post-infection attempted TCP connections

 

MALWARE

Shown above:  ZIP archive and its contents.

 

DOWNLOADED ZIP FILE:

• SHA256 hash:  0789f957d8725decc8aad4fa572b696e542362d4b70353e2222fe20844f0f71b
• File size:  845,938 bytes
• File name:  RFQ-1.zip

EXTRACTED MALWARE:

• SHA256 hash:  4b9b87441ef44b226d170b760103ff694a7374805e26202822250154d3206994
• File size:  885,760 bytes
• File name:  RFQ-1.exe

 

IMAGES

Shown above:  Malware made persitent on the infected host.

 

Shown above:  Directories created to hold data stolen by the malware.

 

Shown above:  Log of user activity from the infected host.

 

Shown above:  Screenshots stored in some sort of encoded format on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-05-31-malspam-traffic.pcap.zip   727 kB (726,614 bytes)
• ZIP archive of the malware:  2017-05-31-malspam-artifacts.zip   1.7 MB (1,692,958 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.