2018-01-04 - MALSPAM PUSHING PCRAT/GH0ST

ASSOCIATED FILES:

• Zip archive of the pcap:  2018-01-04-PCRat-gh0st-traffic.pcap.zip   1.7 kB (1,681 bytes)

• 2018-01-04-PCRat-gh0st-traffic.pcap   (5,009 bytes)

• Zip archive of the email, malware, and artifacts:  2018-01-04-PCRat-Gh0st-email-malware-and-artifacts.zip   701 kB (700,875 bytes)

• 2018-01-04-malspam-pushing-PCRat-Gh0st-1813-UTC.txt   (256,098 bytes)
• RasTls.dat   (149,816 bytes)
• RasTls.dll   (45,056 bytes)
• RasTls.exe   (107,848 bytes)
• Very beautiful.exe   (393,216 bytes)
• Very beautiful.zip   (185,607 bytes)

NOTES:

• The zip attachment is password-protected with 123 as stated in the malspam.
• Post-infection activity triggered an EmergingThreats alert for PCRat/Gh0st CnC traffic

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:

• www.etybh.com

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL INFORMATION:

• Date:  Wednesday, 2018-01-03 at 18:13 UTC
• Subject:  Very beautiful
• From:  howie9ball@aol.com
• To:  [a very long list of recipients]
• Message-Id:  <160bd3a471c-171d-2842@webjas-vac003.srv.aolmail.net>
• Attachment name:  Very beautiful.zip

 

Shown above:  Malware extracted from the zip attachment.

 

TRAFFIC

Shown above:  Infection traffic in Wireshark.

 

ASSOCIATED TRAFFIC:

• 98.126.223.218 port 900 - www.etybh.com - PCRat/Gh0st CnC traffic

 

MALWARE

ZIP ARCHIVE FROM THE MALSPAM:

• SHA256 hash:  067d5729b4787fc667c061b027625be4273806c64beacfb6877fc7f182f9ed37
  File size:  185,607 bytes
  File name:  Very beautiful.zip

MALICIOUS EXECUTABLE EXTRACTED FROM THE ZIP ARCHIVE:

• SHA256 hash:  423f4c1f9ba4f184ff6e82db4f01420feb7b76693bdece6402fc2157c0c2f946
  File size:  393,216 bytes
  File name:  Very beautiful.exe

EXECUTABLE FROM THE INFECTED WINDOWS HOST:

• SHA256 hash:  f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68
  File size:  107,848 bytes
  File location:  C:\Microsoft\TEMP\Networks\Connections\Sementech\sementech\RasTls.exe
  NOTE:  This is apparently a legitimate file abused by various Trojans for DLL side-loading.

DLL FROM THE INFECTED WINDOWS HOST:

• SHA256 hash:  a392f8f96ffc53978b177d844ef17adb09c6329997f29334e5c2029e8f5f18e8
  File size:  45,056 bytes
  File location:  C:\Microsoft\TEMP\Networks\Connections\Sementech\sementech\RasTls.dll

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:

• Registry Key:  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
• Value name:  Load
• Value Type:  REG_SZ
• Value Data:  cmd /c C:\Microsoft\TEMP\Networks\Connections\Sementech\sementech\RasTls.exe

 

IMAGES

Shown above:  TCP stream from the post-infection traffic.

 

Shown above:  Alert from Sguil on the post-infection traffic in Security Onion using Suricata and the EmergingThreats ruleset.

 

Shown above:  Registry key and associated files on the infected Windows host

 

Shown above:  Apparently, a legitimate file abused by various malware families for DLL side-loading.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2018-01-04-PCRat-gh0st-traffic.pcap.zip   1.7 kB (1,681 bytes)
• Zip archive of the email, malware, and artifacts:  2018-01-04-PCRat-Gh0st-email-malware-and-artifacts.zip   701 kB (700,875 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.