2017-06-16 - INFOSTEALER INFECTION FROM BRAZIL MALSPAM

NOTICE:

ASSOCIATED FILES:

  • 2017-06-16-traffic-from-link-in-PDF-attachment.pcap   (19,376 bytes)
  • 2017-06-16-Brazil-infostealer-full-infection.pcap   (3,974,698 bytes)
  • 16062017329800998812303133716062017.pdf   (46,862 bytes)
  • 1606201732980099881230313371606201722085.vbs   (2,724 bytes)
  • 2017-06-16-0830-UTC-Boleto-malspam.eml   (65,354 bytes)
  • 2017-06-16-Boleto-malspam-artifacts-information.csv   (1,820 bytes)
  • Ionic.Zip.Reduced.dll   (253,440 bytes)
  • JAGGER-PC.aes   (16 bytes)
  • JAGGER-PC.zip   (3,281,415 bytes)
  • JAGGER-PCx.ocx   (384 bytes)
  • SYSJAGGERPC53.xml   (3,366 bytes)
  • c.cer   (905 bytes)
  • crov.exe   (1,690,096 bytes)
  • dll.dll.exe   (396,480 bytes)
  • dzfftfff.0li.vbs   (114 bytes)
  • eddfxv0i.ptn.vbs   (130 bytes)
  • ps.exe   (452,608 bytes)

NOTES:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

 

ATTACHMENT


Shown above:  PDF attachment has a different link than the email.

 


Shown above:  However, it redirects to the same bit[.]ly and gfonseca.sslblindado[.]com URLs as the link from the email.

 


Shown above:  The downloaded VBS file.

 

TRAFFIC


Shown above:  Traffic from link in the PDF file, filtered in Wireshark (stopped after grabbing the .vbs file).

 


Shown above:  Traffic from link in the email message text, filtered in Wireshark (full infection).

 

ASSOCIATED DOMAINS:

 

MALWARE

PDF ATTACHMENT:

DOWNLOADED VBS FILE:

 

IMAGES


Shown above:  Unecrypted IRC traffic noted on ssl.suzukiburgman[.]top (54.232.207[.]222 port 443).

 


Shown above:  Attempted TCP connections on 169.57.146[.]90 port 7094, but no response from the server.

 

Click here to return to the main page.