2017-09-04 - INFOSTEALER INFECTION FROM BRAZIL MALSPAM

NOTICE:

ASSOCIATED FILES:

  • 2017-09-04-Brazil-infostealer-infection-traffic.pcap   (10,319,541 bytes)
  • 2017-09-04-Brazil-malspam-1624-UTC.eml   (1,233 bytes)
  • 2017-09-04-scheduled-task-for-persistence.txt   (3,334 bytes)
  • BITCE84.tmp.exe   (1,513,064 bytes)
  • MD114244.exe   (5,485,568 bytes)
  • mosdhjkfi.cab   (3,976,749 bytes)
  • wcntiqav.exe   (881,152 bytes)

EMAIL

EMAIL INFORMATION:

  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 13:24:06
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 13:21:24
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 13:18:25
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 13:17:09
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:52:00
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 13:01:33
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:55:25
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:47:04
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:38:44
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:19:00
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:18:31
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:17:59
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:17:39
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:16:06
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:15:26
  • Subject:  Crt: 386 / Oper: 2557 / Contrato: 5213706677228235 / Vcto: 31/08/2017 - BV 04/09/2017 12:14:05

MESSAGE TEXT:

Bom Dia/ Boa Tarde

Segue em anexo a solicitação do boleto referente ao Banco Votorantim na data vigente, aguardamos o envio do comprovante a partir deste e-mail ou pelo nosso Whatsapp (11)97154-8482 .

Crt: 386 / Oper: 10514 / Contrato: 5213706677228235

Atenciosamente,

Contact Center . Crédito . Cobrança Anne Matos Backoffice 0800 770 2482 / (11) 2739 – 3007 / Whatsapp (11) 97154-8482

Email: anne.matos@flexcontact[.]com[.]br

GOOGLE TRANSLATION OF MESSAGE TEXT:

Good day/good afternoon

Attached is the request of the ticket for Banco Votorantim on the current date, we await the sending of the receipt from this e-mail or our Whatsapp (11) 97154-8482.

Crt: 386 / Oper: 10514 / Contract: 5213706677228235

Regards,

Contact Center. Credit . Collection Anne Matos Backoffice 0800 770 2482 / (11) 2739 - 3007 / Whatsapp (11) 97154-8482

Email: anne.matos@flexcontact[.]com[.]br

Shown above:  Screenshot from the email.

Shown above:  Malicious zip archive from link in the malspam.

TRAFFIC

Shown above:  Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

EXTRACTED BINARY FROM ZIP ARCHIVE:

FOLLOW-UP MALWARE (1 OF 4):

FOLLOW-UP MALWARE (2 OF 4):

FOLLOW-UP MALWARE (3 OF 4):

FOLLOW-UP MALWARE (4 OF 4):

IMAGES

Shown above:  Malware persistence (scheduled task) on the infected host.
