2018-04-24 - INFECTION TRAFFIC, EMAIL EXAMPLES, AND MALWARE FROM 3 MALSPAM CAMPAIGNS
HANCITOR MALSPAM:
- 2018-04-24-Hancitor-malspam-30-email-examples.txt.zip 9.0 kB (8,968 bytes)
- 2018-04-24-Hancitor-malspam-infection-traffic.pcap.zip 2.5 MB (2,516,999 bytes)
- 2018-04-24-Hancitor-malspam-infection-artifacts.zip 294 kB (293,913 bytes)
TRICKBOT MALSPAM:
- 2018-04-24-Trickbot-malspam-email-example-1150-UTC.eml.zip 47 kB (46,921 bytes)
- 2018-04-24-Trickbot-malspam-infection-traffic.pcap.zip 8.0 MB (7,956,973 bytes)
- 2018-04-24-Trickbot-malspam-infection-artifacts.zip 231 kB (231,011 bytes)
POSSIBLE NECURS BOTNET MALSPAM PUSHING ARS STEALER/ASPC BOT & FLAWEDAMMYY:
- 2018-04-24-malspam-tracker-8-examples.csv.zip 1 kB (1,012 bytes)
- 2018-04-24-malspam-infection-traffic.pcap.zip 1.2 MB (1,154,194 bytes)
- 2018-04-24-malspam-emails-malware-and-artifacts.zip 670 kB (670,224 bytes)
- 200-VBS-files-from-blumblummpg.com.zip 7.0 MB (6,952,124 bytes)
NOTES AND IMAGES FOR POSSIBLE NECURS BOTNET WAVE:
- Email --> .zip attachment --> Extracted .url file --> retrieves .vbs file over SMB --> .vbs file retrieves follow-up malware over HTTP.
Shown above: .url file causing SMB traffic to blumblummpg.com to retrieve a .vbs file.
Shown above: Port 80 HTTP POSTs are ARS Stealer/ASPC Bot traffic. Port 443 traffic is FlawedAmmyy.
Shown above: Some alerts on the traffic from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
FINAL NOTES
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.