2017-07-12 - INFOSTEALER INFECTION FROM BRAZIL MALSPAM

NOTICE:

ASSOCIATED FILES:

  • 2017-07-12-Infostealer-infection-from-Brazil-malspam.pcap   (7,857,287 bytes)
  • 2017-07-12-Boleto-malspam-1555-UTC.eml   (681 bytes)
  • HInteW.exe   (1,011,200 bytes)
  • Imprimir_Via2.com   (2,990,080 bytes)
  • Imprimir_Via2.zip   (1,077,419 bytes)
  • Struct.dll   (5,004,288 bytes)
  • hP0EFY6CTgqU60MWLaSZFQ.png   (35,932 bytes)
  • oct.dll   (21 bytes)
  • readme.txt   (613 bytes)


EMAIL

EMAIL HEADER INFO:



Shown above: Screenshot from the email.



Shown above: Malicious zip archive and extracted binary after clicking the link from the malspam.


TRAFFIC


Shown above: Traffic from the infection filtered in Wireshark.


ASSOCIATED DOMAINS AND URLS:


FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

EXTRACTED BINARY FROM ZIP ARCHIVE:

MALWARE RETRIEVED FROM THE INFECTED HOST:


IMAGES


Shown above: Artifacts left on the infected host.



Shown above: oct.dll is a very small text file.
