2018-04-24 - INFECTION TRAFFIC, EMAIL EXAMPLES, AND MALWARE FROM 3 MALSPAM CAMPAIGNS

HANCITOR MALSPAM:

• 2018-04-24-Hancitor-malspam-30-email-examples.txt.zip   9.0 kB (8,968 bytes)
• 2018-04-24-Hancitor-malspam-infection-traffic.pcap.zip   2.5 MB (2,516,999 bytes)
• 2018-04-24-Hancitor-malspam-infection-artifacts.zip   294 kB (293,913 bytes)

 

TRICKBOT MALSPAM:

• 2018-04-24-Trickbot-malspam-email-example-1150-UTC.eml.zip   47 kB (46,921 bytes)
• 2018-04-24-Trickbot-malspam-infection-traffic.pcap.zip   8.0 MB (7,956,973 bytes)
• 2018-04-24-Trickbot-malspam-infection-artifacts.zip   231 kB (231,011 bytes)

 

POSSIBLE NECURS BOTNET MALSPAM PUSHING ARS STEALER/ASPC BOT & FLAWEDAMMYY:

• 2018-04-24-malspam-tracker-8-examples.csv.zip   1 kB (1,012 bytes)
• 2018-04-24-malspam-infection-traffic.pcap.zip   1.2 MB (1,154,194 bytes)
• 2018-04-24-malspam-emails-malware-and-artifacts.zip   670 kB (670,224 bytes)
• 200-VBS-files-from-blumblummpg.com.zip   7.0 MB (6,952,124 bytes)

 

NOTES AND IMAGES FOR POSSIBLE NECURS BOTNET WAVE:

• Email --> .zip attachment --> Extracted .url file --> retrieves .vbs file over SMB --> .vbs file retrieves follow-up malware over HTTP.

 

Shown above:  .url file causeing SMB traffic to blumblummpg.com to retrieve a .vbs file.

 

Shown above:  Port 80 HTTP POSTs are ARS Stealer/ASPC Bot traffic.  Port 443 traffic is FlawedAmmyy.

 

Shown above:  Some alerts on the traffic from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

FINAL NOTES

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.