Malware-Traffic-Analysis.net - 2018-07-17 - Necurs Botnet malspam uses .iqy files to push Flawed Ammyy RAT

2018-07-17 - NECURS BOTNET MALSPAM USES .IQY FILES TO PUSH FLAWED AMMYY RAT

ASSOCIATED FILES:

2018-07-17-Necurs-Botnet-malspam-2-email-examples.zip 1.5 kB (1,475 bytes)
2018-07-17-Necurs-Botnet-pushing-Flawed-Ammyy-traffic.pcap.zip 448 kB (446,736 bytes)
2018-07-17-malware-from-Necurs-Botnet-Flawed-Ammyy-infection.zip 320 kB (320,136 bytes)

CHAIN OF EVENTS:

malspam --> .iqy attachment --> Flawed Ammyy RAT

EMAILS

TWO MALSPAM EXAMPLES:

Received: from 187-7-37-160.fnses700.ipd.brasiltelecom.net.br ([187.7.37.160])
Date/Time: 2018-07-17 15:28 UTC
From: Diann <diann.greenhalgh03@didgeridoo.es>
Subject: PDF_38995
Attachment: PDF_38995.iqy

Received: from static-190-25-217-104.static.etb.net.co ([190.25.217.104])
Date/Time: 2018-07-17 15:28 UTC
From: Diann <diann.greenhalgh03@didgeridoo.es>
Subject: PDF_38995
Attachment: PDF_38995.iqy

TRAFFIC

Shown above: Infection traffic filtered in Wirehshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

169.239.129.23 port 80 - t99c.com - GET/A
169.239.129.23 port 80 - t99c.com - GET/B
169.239.129.23 port 80 - t99c.com - GET/donate
185.99.132.128 port 443 - Flawed Ammyy post-infection traffic

MALWARE

ASSOCIATED MALWARE:

SHA256 hash: 727ce79b953cdc1316fbb66decf8e3463dd0c59ac600b3fba77d1cefc35d9871
File size: 25 bytes
File name: PDF_38995.iqy
File description: Malspam attachment, Excel-based Internet Query (.iqy) file

SHA256 hash: c2080983598643a2498d1f6ef3f1cc9dc58a784a69e3f313f18dc1b8e0afbc17
File size: 659,968 bytes
File location: C:\Users\[username]\AppData\Local\Temp\cls.exe
File description: Flawed Ammyy RAT

FINAL NOTES

Once again, here are the associated files:

2018-07-17-Necurs-Botnet-malspam-2-email-examples.zip 1.5 kB (1,475 bytes)
2018-07-17-Necurs-Botnet-pushing-Flawed-Ammyy-traffic.pcap.zip 448 kB (446,736 bytes)
2018-07-17-malware-from-Necurs-Botnet-Flawed-Ammyy-infection.zip 320 kB (320,136 bytes)

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.