2017-05-31 - MALSPAM - SUBJECT: RFQ-DOC
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-05-31-malspam-traffic.pcap.zip 727 kB (726,614 bytes)
- 2017-05-31-malspam-traffic.pcap (862,006 bytes)
- ZIP archive of the malware: 2017-05-31-malspam-artifacts.zip 1.7 MB (1,692,958 bytes)
- RFQ-1.exe (885,760 bytes)
- RFQ-1.zip (845,938 bytes)
NOTES:
- Looks like we've got ourselves an information stealer here.
- The malware appears to take screenshots, and it also logs user activity.
Shown above: Screenshot of the email.
EMAIL HEADERS:
Received: from [10.98.149.95] (unknown [197.210.25.103]);
by [removed]
Wed, 31 May 2017 14:40:21 +0300 (EEST)
Date: Thu, 01 Jun 2017 00:40:06 -0700
From: "Nayab Husain Rizvi" <info@elmechuae.com>
Subject: RFQ-Doc
MIME-Version: 1.0
TRAFFIC
Shown above: Pcap of the traffic filtered in Wireshark.
ASSOCIATED DOMAINS
- 216.158.235.250 port 80 - krabithailandproperty.trade - GET /wp-upload/file/RFQ-1.zip [link from the email to download the zip archive]
- 197.210.25.103 port 1604 - patrickcrouzet5.ddns.net - post-infection attempted TCP connections
- 190.123.44.138 port 1604 - post-infection attempted TCP connections
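The indicators above (the download URL, the two TCP/1604 endpoints, and the file hashes from the MALWARE section) are the kind of thing a defender turns into a matcher. The following is an added example, not part of the original report: it pulls the connecting-host IP out of the email's Received header and checks constructed sample log lines (a made-up "src -> dst:port" format, not the pcap) against the report's indicators. Note that the host that delivered the email, 197.210.25.103, is the same address the infected machine later tried to reach on port 1604.

```python
import re

# Network and file indicators taken from this report.
IOC_ENDPOINTS = {("216.158.235.250", 80), ("197.210.25.103", 1604), ("190.123.44.138", 1604)}
IOC_DOMAINS = {"krabithailandproperty.trade", "patrickcrouzet5.ddns.net"}
IOC_SHA256 = {
    "0789f957d8725decc8aad4fa572b696e542362d4b70353e2222fe20844f0f71b",  # RFQ-1.zip
    "4b9b87441ef44b226d170b760103ff694a7374805e26202822250154d3206994",  # RFQ-1.exe
}
IOC_URL_PATH = "/wp-upload/file/RFQ-1.zip"

# "Received: from [10.98.149.95] (unknown [197.210.25.103])": the bracketed
# address inside the parentheses is the host that actually connected to the MTA.
RECEIVED_RE = re.compile(r"Received: from \S+ \((?:\S+ )?\[(?P<ip>[\d.]+)\]\)")

def origin_ip(received_header):
    """Return the connecting host's IP from a Received: header, or None."""
    m = RECEIVED_RE.search(received_header)
    return m.group("ip") if m else None

# Constructed log format assumed for this example (not the report's pcap):
# "<time> <src> -> <dst>:<port> [host=<fqdn>] [path=<url path>] [sha256=<hex>]"
LOG_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)"
    r"(?: host=(?P<host>\S+))?(?: path=(?P<path>\S+))?(?: sha256=(?P<sha>[0-9a-f]{64}))?"
)

def match_log_line(line):
    """Return the IoC categories a log line matches (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    if (m["dst"], int(m["port"])) in IOC_ENDPOINTS:
        hits.append("endpoint")
    if m["host"] in IOC_DOMAINS:
        hits.append("domain")
    if m["path"] == IOC_URL_PATH:
        hits.append("download_url")
    if m["sha"] in IOC_SHA256:
        hits.append("file_hash")
    return hits

def scan(lines):
    """Map each matching line to its hit categories; clean lines are omitted."""
    return {line: hits for line in lines if (hits := match_log_line(line))}
```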
MALWARE
Shown above: ZIP archive and its contents.
DOWNLOADED ZIP FILE:
- SHA256 hash: 0789f957d8725decc8aad4fa572b696e542362d4b70353e2222fe20844f0f71b
- File size: 845,938 bytes
- File name: RFQ-1.zip
EXTRACTED MALWARE:
- SHA256 hash: 4b9b87441ef44b226d170b760103ff694a7374805e26202822250154d3206994
- File size: 885,760 bytes
- File name: RFQ-1.exe
IMAGES
Shown above: Malware made persistent on the infected host.
Shown above: Directories created to hold data stolen by the malware.
Shown above: Log of user activity from the infected host.
Shown above: Screenshots stored in some sort of encoded format on the infected host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-05-31-malspam-traffic.pcap.zip 727 kB (726,614 bytes)
- ZIP archive of the malware: 2017-05-31-malspam-artifacts.zip 1.7 MB (1,692,958 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.