2017-09-14 - POSSIBLE COINBIT MALWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-09-14-possible-Coinbit-malware-traffic-2-pcaps.zip 76.7 kB (76,701 bytes)
- 2017-09-14-traffic-from-1st-sample.pcap (1,445 bytes)
- 2017-09-14-traffic-from-3rd-sample.pcap (82,799 bytes)
- 2017-09-14-possible-Coinbit-email-tracker.csv.zip 1.5 kB (1,508 bytes)
- 2017-09-14-possible-Coinbit-email-tracker.csv (5,256 bytes)
- 2017-09-14-possible-Coinbit-emails-and-malware.zip 121.1 kB (121,077 bytes)
- 2017-09-14-1st-sample.exe (36,864 bytes)
- 2017-09-14-2nd-sample.exe (41,472 bytes)
- 2017-09-14-3rd-sample.exe (27,648 bytes)
- 2017-09-14-follow-up-malware-from-3rd-sample.exe (75,264 bytes)
- Fake-Microsoft-emails-on-2017-09-11-thru-09-13.txt (27,613 bytes)
NOTES:
- Who sends .exe attachments with malspam any more?
- This is possibly a malware called "coinbit" that got some press in 2011 (here is an example).
- If this is Coinbit, it is much older malware, and it did not work well in a lab environment.
- For example, the 1st sample required MSWINSCK.OCX, which is an older file from pre-Windows XP days.
- The 1st sample also crashed if it didn't find a bitcoin wallet file named wallet.dat, so I had to create a fake one. (See traffic images below for details.)
- I was unable to generate any network traffic from the 2nd sample.
- Follow-up malware downloaded by the 3rd sample crashed.
EMAILS
Shown above: Screenshot from the spreadsheet tracker.
Shown above: Screenshot from an email on 2017-09-13.
EMAILS NOTED:
- READ: Date/time -- Subject line -- attachment name
- 2017-09-10 10:42 UTC -- Subject: Important Microsoft Update 2017. Install it now -- Attachment: Microsoft_Update2017.exe
- 2017-09-11 15:23 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 2gs07a1.exe
- 2017-09-11 16:03 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: tqyty.exe
- 2017-09-11 18:35 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: s74qjb.exe
- 2017-09-11 22:32 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: whxj6e.exe
- 2017-09-12 03:10 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: v8jeft2.exe
- 2017-09-12 07:44 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: sixmiz1.exe
- 2017-09-12 07:45 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 7h3k251.exe
- 2017-09-12 13:24 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: dv4r691r.exe
- 2017-09-12 13:30 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: ap5h5v.exe
- 2017-09-12 13:44 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 3is5wv2.exe
- 2017-09-12 13:45 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: wd1ls729.exe
- 2017-09-12 18:44 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 70n2mx3d.exe
- 2017-09-12 21:32 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: cv2yn52z.exe
- 2017-09-13 16:45 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 3aum4j3.exe
- 2017-09-13 17:06 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 97ai7q1.exe
- 2017-09-13 18:43 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: mwe8jb2s.exe
- 2017-09-13 18:45 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 0x8sn.exe
- 2017-09-13 18:46 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: vzgtw.exe
- 2017-09-13 18:47 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: hcb1kt6j.exe
- 2017-09-13 18:57 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: bcc3d21w.exe
- 2017-09-13 19:00 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: ql1pix2w.exe
- 2017-09-13 21:00 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 9qel8cf.exe
- 2017-09-13 21:03 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 5cypsk1.exe
- 2017-09-13 21:07 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: k6tet82.exe
- 2017-09-13 21:10 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: zclt52.exe
- 2017-09-13 21:15 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: sxuhop.exe
TRAFFIC
Shown above: Traffic from the 1st example of the malspam attachments.
Shown above: Traffic from the 3rd example of the malspam attachments.
ASSOCIATED URLS:
- hxxp[:]//80.208.230[.]159/bitcoin.php? (caused by the 1st sample)
- hxxp[:]//80.208.230[.]159/windowsupdate.exe (caused by the 3rd sample)
ASSOCIATED MALWARE
ATTACHED EXE FILE, 1ST SAMPLE:
- SHA256 hash: f7c1a5f0d4aff56c06906325d318c25be2bde84b3762d30133c05c9ae2ecb125
File size: 36,864 bytes
File description: Possible Coinbit malware
ATTACHED EXE FILE, 2ND SAMPLE:
- SHA256 hash: 5c5c242d06914c6a4b991bca68d0007edffa5322f7b9c08803cec82515d7fc35
File size: 41,472 bytes
File description: Unknown malware (could not generate any traffic from this one)
ATTACHED EXE FILE, 3RD SAMPLE:
- SHA256 hash: ae84ec7474428a2abbb09a927e2702f8ee4dea3b46b4218dde9528e5737764b6
File size: 27,648 bytes
File description: File downloader
FOLLOW-UP MALWARE:
- SHA256 hash: 3c2843e28d1f28cb643627417a8902771f24ffbb23e22ae73c2761a5710e6286
File size: 75,264 bytes
File location: hxxp[:]//80.208.230[.]159/windowsupdate.exe
File location: C:\Users\[username]\AppData\Local\Temp\bSgKeKuKlIvOvU.exe
File description: Follow-up malware downloaded by 3rd sample, possible Coinbit malware
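An added detection example (not from this page's author or the original analysis): a small Python triage script that flags the three observable artefacts recorded above, the Microsoft-update lure paired with a bare .exe attachment (EMAILS NOTED), HTTP requests for the two URLs on 80.208.230.159 (ASSOCIATED URLS), and a random-name .exe written under the user's Temp folder (FOLLOW-UP MALWARE). The proxy-log layout, the sample records and the "8 or more letters" heuristic for the Temp drop name are assumptions of this example, not anything recorded on this page.

```python
import re

# Indicators recorded on this page (the only page-specific values used below).
C2_HOST = "80.208.230.159"
C2_PATHS = ("/bitcoin.php", "/windowsupdate.exe")
LURE_RE = re.compile(r"microsoft update", re.I)  # common to every subject line noted above
# Heuristic (assumption): an all-letter name of 8+ chars dropped as .exe under %LOCALAPPDATA%\Temp,
# generalised from the single follow-up file name observed in the lab.
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{8,}\.exe$", re.I)


def check_email(subject, attachment):
    """True when the subject carries the Microsoft-update lure and the attachment is a bare .exe."""
    return attachment.lower().endswith(".exe") and LURE_RE.search(subject) is not None


def check_http(line):
    """True when a proxy-log line requests one of the page's URLs on the C2 host.
    Assumed (constructed) log layout: '<timestamp> <client-ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 4:
        return False
    m = re.match(r"https?://([^/]+)(/[^?]*)", parts[3])
    return m is not None and m.group(1) == C2_HOST and m.group(2) in C2_PATHS


def check_drop_path(path):
    """True for a file-write path matching the Temp drop heuristic."""
    return TEMP_DROP_RE.search(path) is not None


def scan(emails, http_lines, file_events):
    """Run all three checks and return a list of (source, detail) hits."""
    hits = [("email", f"{s} -> {a}") for s, a in emails if check_email(s, a)]
    hits += [("http", line) for line in http_lines if check_http(line)]
    hits += [("file", p) for p in file_events if check_drop_path(p)]
    return hits


# Constructed sample input: one true positive per source plus benign noise.
SAMPLE_EMAILS = [("Free Microsoft Update for Windows 7/8/10.", "2gs07a1.exe"),
                 ("Meeting notes", "agenda.pdf")]
SAMPLE_HTTP = ["2017-09-14T14:02:11Z 10.0.0.5 GET http://80.208.230.159/bitcoin.php? 200",
               "2017-09-14T14:02:12Z 10.0.0.5 GET http://example.invalid/index.html 200"]
SAMPLE_FILES = [r"C:\Users\alice\AppData\Local\Temp\bSgKeKuKlIvOvU.exe",
                r"C:\Users\alice\AppData\Local\Temp\setup.exe"]

if __name__ == "__main__":
    for source, detail in scan(SAMPLE_EMAILS, SAMPLE_HTTP, SAMPLE_FILES):
        print(f"[{source}] {detail}")
```

Running the script against the constructed samples reports exactly one hit per source; the Temp-name heuristic is deliberately narrow and should be tuned against your own baseline of legitimate installers before it is used for alerting.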