2017-07-12 - BRAZIL MALSPAM - SUBJECT: ULTIMO AVISO DA 2a VIA BOLETO EM ATRASO
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-07-12-Brazil-boleto-malspam-traffic.pcap.zip 7.4 MB (7,411,675 bytes)
- 2017-07-12-Brazil-boleto-malspam-traffic.pcap (7,857,287 bytes)
- Zip archive of the malware: 2017-07-12-Brazil-boleto-malspam-and-artifacts.zip 5.6 MB (5,572,879 bytes)
- 2017-07-12-malspam-1555-UTC.eml (681 bytes)
- HInteW.exe (1,011,200 bytes)
- Imprimir_Via2.com (2,990,080 bytes)
- Imprimir_Via2.zip (1,077,419 bytes)
- Struct.dll (5,004,288 bytes)
- hP0EFY6CTgqU60MWLaSZFQ.png (35,932 bytes)
- oct.dll (21 bytes)
- readme.txt (613 bytes)
EMAIL HEADER INFO:
- Date: Wednesday 2017-07-12 at 15:55 UTC
- From: Adrianna Financeiro
- Subject: Ultimo aviso da 2a via boleto em Atraso
- Google translation of subject: Last notice of the 2nd via ticket in arrears
Shown above: Screenshot from the email.
Shown above: Malicious zip archive and extracted binary after clicking link from the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS AND URLS:
- port 80 (HTTP) - bit.ly - GET /2uRm3xq
- 149.56.79.213 port 80 - via2.downatual.online - GET /via/
- port 443 (HTTPS) - sites.google.com - GET /site/viaboletosxxx/Imprimir_Via2.zip?attredirects=0&d=1
- port 443 (HTTPS) - cf6a44b9-a-62cb3a1a-s-sites.googlegroups.com - GET /site/viaboletosxxx/Imprimir_Via2.zip?attachauth=[long string]
- 149.56.79.213 port 80 - autenticalives.com - GET /readme.txt
- port 443 (HTTPS) - 632494d4-a-62cb3a1a-s-sites.googlegroups.com - GET /site/texasturser/1.png?attachauth=[long string]
- port 443 (HTTPS) - 632494d4-a-62cb3a1a-s-sites.googlegroups.com - GET /site/texasturser/f.png?attachauth=[long string]
- 149.56.79.213 port 80 - www.autenticalives.com - POST /a.php
FILE HASHES
ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:
- SHA256 hash: ac8c40cfe6a75eba981e39cd6f2d9176be6df2f785e9a746b1d6cf99ef91b7c2
File name: Imprimir_Via2.zip
File size: 1,077,419 bytes
EXTRACTED BINARY FROM ZIP ARCHIVE:
- SHA256 hash: 616026d9bbd86d5672cfd1c664b6eb526bd79a3a3be719f9e54ac77041840e6f
File name: Imprimir_Via2.com
File size: 2,990,080 bytes
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: b14dab1d50ed578ca75c3f352de5fc5a943514b2757aca2640c122097248339b
File location: C:\Users\[username]\AppData\HInteW.exe
File size: 1,011,200 bytes
- SHA256 hash: 100194e632ce71835bcbb48ed63ab422b3b2ae889239a0afb59b12327de578e9
File location: C:\Users\[username]\AppData\Struct.dll
File size: 5,004,288 bytes
IMAGES
Shown above: Artifacts left on the infected host.
Shown above: oct.dll is a very small text file.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-07-12-Brazil-boleto-malspam-traffic.pcap.zip 7.4 MB (7,411,675 bytes)
- Zip archive of the malware: 2017-07-12-Brazil-boleto-malspam-and-artifacts.zip 5.6 MB (5,572,879 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.