2017-12-29 - RESUME-THEMED MALSPAM PUSHING DREAMBOT BANKING TROJAN
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-12-29-traffic-from-malspam-pushing-Dreambot.pcap.zip 18.5 MB (18,457,139 bytes)
- 2017-12-29-traffic-from-malspam-pushing-Dreambot.pcap (20,485,768 bytes)
- Zip archive of the email and malware: 2017-12-29-malspam-pushing-Dreambot-email-and-malware.zip 651 kB (650,891 bytes)
- 2017-12-29-malspam-pushing-Dreambot-1444-UTC.eml (4,889 bytes)
- CV-Pettegrew.jse (2,169 bytes)
- Greg resume.zip (1,154 bytes)
- devmprov.exe (1,392,128 bytes)
NOTES:
- This malware appears to be Dreambot, which is a variant of Ursnif (also known as Gozi ISFB).
- Post-infection domains and URL patterns match Dreambot traffic I documented earlier this year on 2017-06-15 and 2017-06-16.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- hxxp://www.i-tony.net/images/rn.php
- hxxp://164.132.120.220/view/ra64.css
- wdwefwefwwfewdefewfwefw.onion
Shown above: Screenshot of the email.
HEADER INFORMATION:
- Date: Friday, 2017-12-29 at 14:44 UTC
- Message-ID: <32C8817A21F5D320FCF9B02E0A1F5BF3@car.ocn.ne.jp>
- From: "Universal Rental Services Ltd" <wakaba@car.ocn.ne.jp>
- Subject: Re: Conferma
- Attachment name: Greg resume.zip
MESSAGE TEXT:
Hello,
Here is my resume.
Please consider it as soon as possible.
Happy New Year.
Greg Pettegrew
Email: wakaba@car.ocn.ne.jp
Shown above: Zip attachment and extracted JSE file.
TRAFFIC
Shown above: HTTP traffic from the infection filtered in Wireshark.
Shown above: Tor traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 31.11.33.145 port 80 - www.i-tony.net - GET /images/rn.php (JSE file retreiving Dreambot executable)
- 164.132.120.220 port 80 - 164.132.120.220 - GET /view/ra64.css (Dreambot post-infection traffic)
- 198.105.244.228 port 80 - wdwefwefwwfewdefewfwefw.onion - GET /images/[long string of characters].jpeg (Dreambot post-infection traffic)
- 198.105.244.228 port 80 - wdwefwefwwfewdefewfwefw.onion - GET /images/[long string of characters].gif (Dreambot post-infection traffic)
- various IP addresses on various ports - various domains - Tor traffic caused by Dreambot
MALWARE
EMAIL ATTACHMENT (ZIP ARCHIVE):
- SHA256 hash: 12bf51f905667a25261b55b7dd9e9812e09673617d79d267af749073d43b2cc3
File size: 1,154 bytes
File name example: Greg resume.zip
EXTRACTED JSE FILE:
- SHA256 hash: 67fdeb838110c94957d475841c4ff3827db59e4c6ef628dc57e9199aeb543512
File size: 2,169 bytes
File name example: CV-Pettegrew.jse
DREAMBOT EXECUTABLE:
- SHA256 hash: 1fa7952beab93e9522021fa7ed2231605a573f3fa3f68f1d5e609673a4321138
File size: 1,392,128 bytes
File location: C:\Users\[username]\AppData\Local\Temp\3a09.scr
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Audipnet\devmprov.exe
IMAGES
Shown above: Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
Shown above: Malware persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-12-29-traffic-from-malspam-pushing-Dreambot.pcap.zip 18.5 MB (18,457,139 bytes)
- Zip archive of the email and malware: 2017-12-29-malspam-pushing-Dreambot-email-and-malware.zip 651 kB (650,891 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.