2017-07-12 - BRAZIL MALSPAM - SUBJECT: ULTIMO AVISO DA 2^a VIA BOLETO EM ATRASO

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-07-12-Brazil-boleto-malspam-traffic.pcap.zip   7.4 MB (7,411,675 bytes)

• 2017-07-12-Brazil-boleto-malspam-traffic.pcap   (7,857,287 bytes)

• Zip archive of the malware:  2017-07-12-Brazil-boleto-malspam-and-artifacts.zip   5.6 MB (5,572,879 bytes)

• 2017-07-12-malspam-1555-UTC.eml   (681 bytes)
• HInteW.exe   (1,011,200 bytes)
• Imprimir_Via2.com   (2,990,080 bytes)
• Imprimir_Via2.zip   (1,077,419 bytes)
• Struct.dll   (5,004,288 bytes)
• hP0EFY6CTgqU60MWLaSZFQ.png   (35,932 bytes)
• oct.dll   (21 bytes)
• readme.txt   (613 bytes)

 

EMAIL

EMAIL HEADER INFO:

• Date:  Wednesday 2017-07-12 at 15:55 UTC
• From:  Adrianna Financeiro
• Subject:  Ultimo aviso da 2^a via boleto em Atraso
• Google translation of subject:  Last notice of the 2nd via ticket in arrears

 

Shown above:  Screenshot from the email.

 

Shown above:  Malicious zip archive and extracted binary after clicking link from the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

• port 80 (HTTP) - bit.ly - GET /2uRm3xq
• 149.56.79.213 port 80 - via2.downatual.online - GET /via/
• port 443 (HTTPS) - sites.google.com - GET /site/viaboletosxxx/Imprimir_Via2.zip?attredirects=0&d=1
• port 443 (HTTPS) - cf6a44b9-a-62cb3a1a-s-sites.googlegroups.com - GET /site/viaboletosxxx/Imprimir_Via2.zip?attachauth=[long string]
• 149.56.79.213 port 80 - autenticalives.com - GET /readme.txt
• port 443 (HTTPS) - 632494d4-a-62cb3a1a-s-sites.googlegroups.com - GET /site/texasturser/1.png?attachauth=[long string]
• port 443 (HTTPS) - 632494d4-a-62cb3a1a-s-sites.googlegroups.com - GET /site/texasturser/f.png?attachauth=[long string]
• 149.56.79.213 port 80 - www.autenticalives.com - POST /a.php

 

FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

• SHA256 hash:  ac8c40cfe6a75eba981e39cd6f2d9176be6df2f785e9a746b1d6cf99ef91b7c2
  File name:  Imprimir_Via2.zip
  File size:  1,077,419 bytes

EXTRACTED BINARY FROM ZIP ARCHIVE:

• SHA256 hash:  616026d9bbd86d5672cfd1c664b6eb526bd79a3a3be719f9e54ac77041840e6f
  File name:  Imprimir_Via2.com
  File size:  2,990,080 bytes

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  b14dab1d50ed578ca75c3f352de5fc5a943514b2757aca2640c122097248339b
  File location:  C:\Users\[username]\AppData\HInteW.exe
  File size:  1,011,200 bytes

• SHA256 hash:  100194e632ce71835bcbb48ed63ab422b3b2ae889239a0afb59b12327de578e9
  File location:  C:\Users\[username]\AppData\Struct.dll
  File size:  5,004,288 bytes

 

IMAGES

Shown above:  Artifacts left on the infected host.

 

Shown above:  oct.dll is a very small text file.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-07-12-Brazil-boleto-malspam-traffic.pcap.zip   7.4 MB (7,411,675 bytes)
• Zip archive of the malware:  2017-07-12-Brazil-boleto-malspam-and-artifacts.zip   5.6 MB (5,572,879 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.