2017-06-08 - INFOSTEALER INFECTION FROM BRAZIL MALSPAM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-08-Brazil-infostealer-infection-traffic.pcap.zip   8.7 MB (8,705,420 bytes)

• 2017-06-08-Brazil-infostealer-infection-traffic.pcap   (9,261,121 bytes)

• 2017-06-08-Brazil-email-and-infostealer-malware.zip   10.8 MB (10,790,408 bytes)

• 2017-06-07-Brazil-malspam-1740-UTC.eml   (2,148 bytes)
• 63466336034690346.etwe   (9,660,419 bytes)
• Iptu-_-2017.zip   (1,126,288 bytes)

 

EMAILS

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-07 at 17:40 UTC
• Sending mail server:  lasvegas-nv-datacenter.serverpoint[.]com (216.108.237[.]107)
• Message ID header:  <20170607174004.32A9C2C74A0@lasvegas-nv-datacenter.serverpoint[.]com>
• Sending address:  [spoofed: recipient's email address]
• Subject:  FWD: Notificacao IPTU {2017}  (65628)

 

INITIAL MALWARE

Shown above:  Clicking link from the email redirects to a Dropbox URL for a zip archive.

 

Shown above:  Contents of the zip archive.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Some of the post-infection traffic.

 

ASSOCIATED DOMAINS AND URLS:

• goo[.]gl - GET /ouqxbP     [HTTPS traffic]
• storage.googleapis[.]com - GET /contribuinte/2via.html     [HTTPS traffic]
• 217.182.84[.]120 port 80 - prefeitura[.]gov[.]br.impostocontribuinte[.]com - GET /Contribuinte/
• www.dropbox[.]com - GET /s/fe62ltwktduo2dg/Iptu-_-2017.zip?dl=1     [HTTPS URL for initial malware]
• www.sendspace[.]com - unknown URL     [HTTPS traffic]
• fs09n2.sendspace[.]com - unknown URL     [HTTPS traffic for follow-up malware]
• 177.12.174[.]101 port 80 - cthrp[.]com[.]br - callback traffic/check-in
• 191.252.101[.]74 port 80 - www.horariodebrasilia[.]org - GET /     [connectivity check?]
• 177.54.146[.]52 port 6761 - hinv8cwfrkp.ddns[.]net - callback traffic, not encrypted

 

FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

• SHA256 hash:  fd345c6cc9bbb17c8852f6fcdf9e9561d2d676c21abc1e4aec51b3d1c5a337e5
  File size:  1,126,288 bytes
  File name:  Iptu-_-2017.zip

FILE EXTRACTED FROM THE ZIP ARCHIVE:

• SHA256 hash:  bb38ee84fa3be8a1690e1a16420d0580abc3704b987065ec14e601c22e62c4f4
  File size:  1,126,288 bytes
  File name:  Iptu-_-2017.exe

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  b4b6210013bd25880e31f5300cc51f2e99c2e7cfb5b13438d419b35fd744a888
  File size:  9,660,419 bytes
  File location:  C:\Users\[username]\AppData\Local\temps2d4a\63466336034690346.etwe
  File description:  Zip archive - deleted after files are extracted

Shown above:  Zip archive downloaded during the infection.

 

• SHA256 hash:  d4cbf49c16febf85c3e5ef7b8d496f0be15989bbf8e54e1e25c4335d2e95ad9b
  File size:  411,418,624 bytes
  File location:  C:\Users\[username]\AppData\Local\temps2d4a\NGtoolzXamp0.exe

Shown above:  Files noted on the infected host.

 

Click here to return to the main page.