2017-09-15 - MORE POSSIBLE COINBIT MALWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-09-15-possible-Coinbit-infection-traffic.pcap.zip   10.8 kB (10,767 bytes)

• 2017-09-15-possible-Coinbit-infection-traffic.pcap   (36,370 bytes)

• 2017-09-15-possible-Coinbit-email-tracker.csv.zip   1.1 kB (1,109 bytes)

• 2017-09-15-possible-Coinbit-email-tracker.csv   (3,729 bytes)

• 2017-09-15-possible-Coinbit-email-example-and-malware.zip   45.4 kB (45,419 bytes)

• 2017-09-15-fake-Microsoft-update-malspam-example.eml   (38,278 bytes)
• 2017-09-15-file-downloader.exe   (27,648 bytes)
• 2017-09-15-follow-up-malware-possibly-Coinbit.exe   (36,864 bytes)

NOTES:

• Same issues as seen in my post about this malware from yesterday (link).
• This is possibly a malware called "coinbit" that got some press in 2011 (here is an example).
• If this is Coinbit, it is a much older malware, and it didn't work well in lab environment.
• I had to run today's EXE attachment as an administrator for it to work.
• Follow-up malware is the same bitcoin wallet stealer, slightly adjusted, but with the same problems as before (needs MSWINSCK.OCX, will crash if no Bitcoin wallet is present).

 

EMAILS

Shown above:  Screenshot from the spreadsheet tracker.

 

Shown above:  Screenshot from an email on 2017-09-15.

 

EMAILS NOTED:

Read:  Date/time -- Sending IP address -- Sending email address (spoofed) -- Subject line -- attachment name

• 2017-09-14 12:18 UTC   --   190.141.70[.]7   --   clandon@pac.bluecross[.]ca   --   Install The Microsoft Update before its too late!   --   z5wz1.exe
• 2017-09-14 13:14 UTC   --   190.109.167[.]106   --   cking1989@gamail[.]com   --   Install The Microsoft Update before its too late!   --   8knqzj3.exe
• 2017-09-14 13:18 UTC   --   190.117.86[.]192   --   clebsondonald@hitmail[.]com   --   Install The Microsoft Update before its too late!   --   st5javq7.exe
• 2017-09-14 14:29 UTC   --   190.107.22[.]27   --   ckr02-co@ezweb[.]ne[.]jp   --   Install The Microsoft Update before its too late!   --   vl2rdb21.exe
• 2017-09-14 14:31 UTC   --   190.238.71[.]65   --   claudia.ortner@gpo[.]at   --   Install The Microsoft Update before its too late!   --   tdz2arv.exe
• 2017-09-14 15:30 UTC   --   190.130.0[.]131   --   clandon@pac.bluecross[.]ca   --   Install The Microsoft Update before its too late!   --   la20vp.exe
• 2017-09-14 15:50 UTC   --   190.67.121[.]130   --   claudio22@hoail[.]com   --   Install The Microsoft Update before its too late!   --   sc15611.exe
• 2017-09-14 16:41 UTC   --   190.216.224[.]66   --   cko9o45923844@ezweb[.]ne[.]jp   --   Install The Microsoft Update before its too late!   --   l55ffs.exe
• 2017-09-14 16:42 UTC   --   190.121.193[.]206   --   claudio.serventi@rolli[.]it   --   Install The Microsoft Update before its too late!   --   6invcj2t.exe
• 2017-09-14 16:44 UTC   --   190.130.0[.]143   --   clacloteco@throam[.]com   --   Install The Microsoft Update before its too late!   --   65o5442i.exe
• 2017-09-14 16:56 UTC   --   190.236.63[.]120   --   clacrukodr@throam[.]com   --   Install The Microsoft Update before its too late!   --   4lx37.exe
• 2017-09-15 12:30 UTC   --   190.184.205[.]78   --   clarence.turer@kp[.]org   --   Install The Microsoft Update before its too late!   --   lo7nt7s.exe
• 2017-09-15 12:38 UTC   --   190.184.205[.]78   --   claudia.mx.nl@outloox[.]com   --   Install The Microsoft Update before its too late!   --   05rln92.exe
• 2017-09-15 12:47 UTC   --   190.109.185[.]113   --   ckc1029@chukei[.]com[.]tw   --   Install The Microsoft Update before its too late!   --   ibas0.exe
• 2017-09-15 13:04 UTC   --   190.115.2[.]118   --   claire.smaller@nhs[.]net   --   Install The Microsoft Update before its too late!   --   qc9wy.exe
• 2017-09-15 15:46 UTC   --   190.232.206[.]7   --   clairtonrezende10@hotmal[.]com[.]br   --   Install The Microsoft Update before its too late!   --   5ch3cx3n.exe
• 2017-09-15 19:36 UTC   --   190.130.0[.]139   --   claudiosette@excite[.]it   --   Install The Microsoft Update before its too late!   --   knqdpc3h.exe
• 2017-09-15 19:43 UTC   --   190.130.0[.]131   --   clark.smith@awc-inc[.]com   --   Install The Microsoft Update before its too late!   --   03jzhz3.exe
• 2017-09-15 19:46 UTC   --   190.0.12[.]58   --   claro@ownit[.]nu   --   Install The Microsoft Update before its too late!   --   o3y1xf2j.exe

 

TRAFFIC

Shown above:  Attachment from the email has to be run as an administrator, then it will act as a file downloader.

 

Shown above:  Follow-up malware needs MSWINSCK.OCX and a bitcoin wallet at a specific location on the infected host.

 

ASSOCIATED URLS:

• 80.208.230[.]159 port 80 - 80.208.230[.]159 - GET /loader.exe
• 80.208.230[.]159 port 80 - 80.208.230[.]159 - POST /google/google.php?

 

ASSOCIATED MALWARE

ATTACHED EXE FILE:

• SHA256 hash:  824351601841da66af1164881b39c7b4d245743aa5b0c77d9e975d1967ee4c30
  File size:  27,648 bytes
  File description:  file downloader

FOLLOW-UP MALWARE:

• SHA256 hash:  80a3f8b6d58846fdc4c0f08da7eef418e895c57f4f2b524d3bf806c2d4353779
  File size:  36,864 bytes
  File description:  possible Coinbit

 

Click here to return to the main page.