Malware-Traffic-Analysis.net - 2016-08-18

2016-08-18 - BOLETO CAMPAIGN

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-08-18-Boleto-campaign-infection-traffic.pcap.zip 1.4 MB (1,393,754 bytes)

2016-08-18-Boleto-campaign-infection-traffic.pcap (1,913,618 bytes)

2016-08-18-Boleto-campaign-spreadsheets.zip 2.7 kB (2,727 bytes)

2016-08-18-Boleto-campaign-malware-and-artifacts-info.csv (1,764 bytes)

2016-08-18-Boleto-campaign-malspam.csv (3,454 bytes)

2016-08-18-Boleto-campaign-malspam.zip 23.7 kB (23,674 bytes)

2016-08-18-Boleto-malspam-0056-UTC.eml (1,847 bytes)

2016-08-18-Boleto-malspam-0108-UTC.eml (1,798 bytes)

2016-08-18-Boleto-malspam-0114-UTC.eml (1,826 bytes)

2016-08-18-Boleto-malspam-0209-UTC.eml (1,841 bytes)

2016-08-18-Boleto-malspam-0245-UTC.eml (1,834 bytes)

2016-08-18-Boleto-malspam-0326-UTC.eml (1,830 bytes)

2016-08-18-Boleto-malspam-0416-UTC.eml (1,830 bytes)

2016-08-18-Boleto-malspam-0422-UTC.eml (1,843 bytes)

2016-08-18-Boleto-malspam-0508-UTC.eml (1,807 bytes)

2016-08-18-Boleto-malspam-0510-UTC.eml (1,838 bytes)

2016-08-18-Boleto-malspam-0759-UTC.eml (1,807 bytes)

2016-08-18-Boleto-malspam-0805-UTC.eml (1,796 bytes)

2016-08-18-Boleto-malspam-0853-UTC.eml (1,806 bytes)

2016-08-18-Boleto-malspam-1005-UTC.eml (1,834 bytes)

2016-08-18-Boleto-malspam-1625-UTC.eml (1,807 bytes)

2016-08-18-Boleto-malspam-1705-UTC.eml (1,842 bytes)

2016-08-18-Boleto-malspam-1828-UTC.eml (1,854 bytes)

2016-08-18-Boleto-campaign-malware-and-artifacts-from-infected-host.zip 1.4 MB (1,397,952 bytes)

17082016Ra7vwUMc2fXGHNJHgJHKymv120Y2yjk2s.vbs (1,088 bytes)

Ionic.Zip.Reduced.dll (253,440 bytes)

RABBIT-PC.aes (16 bytes)

RABBIT-PC.zip (1,079,291 bytes)

aaaaaaaaaaaa.xml (3,370 bytes)

dll.dll.exe (396,480 bytes)

kxqkvvlq.0ud.vbs (7,775 bytes)

tmp315F.tmp (0 bytes)

tmp315F.tmpps1 (3,440 bytes)

tmp756E.tmp (11,548 bytes)

tmpAF34.tmp (11,548 bytes)

vt2itszs.jm3.vbs (338 bytes)

EMAILS

Shown above: Data from the spreadsheet (1 of 2).

Shown above: Data from the spreadsheet (2 of 2).

Shown above: Example of the emails.

EMAIL DETAILS

EXAMPLES OF SENDING EMAIL ADDRESSES:

cobranca@contratocobrancas[.]top
cobranca@entregaregistrada[.]top
financeiro@louislittadvocacia[.]top
financeiro@maxcobrancas[.]xyz
financeiro@paybackcobrancas[.]top
financeiro@pearsonhardman[.]xyz

EXAMPLES OF SUBJECT LINES:

Boleto Bancario via eletronica - LLITT - URGENTE
Boleto Bancario via eletronica - MAXCOB - URGENTE
Boleto Bancario via eletronica - PAYBACK - URGENTE
Boleto Bancario via eletronica - PH ADVOGADOS - URGENTE
Boleto de Cobranca - ENTREGA - URGENTE
Boleto de Cobranca - FIX - URGENTE

DOMAINS FROM LINKS IN THE EMAILS:

contratocobrancas[.]top
entregaanexo[.]top
entregaexpress[.]top
entregaregistrada[.]top
envio[.]top
envioregistrado[.]biz
enviosistema[.]top
jessicapearson[.]top
pearsonhardman[.]top
pearsonhardmanlitt[.]top
sendbolfast[.]top

TRAFFIC

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

cdnfiles.4shared[.]com - VBS file from download link in the malspam
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.txt
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/aw7.tiff
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/w7.zip
65.181.113[.]187 port 80 - www.devyatinskiy[.]ru - HTTP callback traffic
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll
65.181.125[.]193 port 80 - 65.181.125[.]193 - GET /a35new/dll.dll.exe
65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)
198.105.244[.]228 port 443 - xxxxxxxxxxx.localdomain - Attempted TCP connections RST by server

imestre.danagas[.]ru - Response 192.64.147[.]142 - no follow-up UDP or TCP connection
imestre.noortakaful[.]top - No response
imestre.waridtelecom[.]top - No response
imestre.aduka[.]top - No response
imestre.saltflowinc[.]top - No response
imestre.moveoneinc[.]top - No response
imestre.cheddarmcmelt[.]top - No response
imestre.suzukiburgman[.]top - No response
imestre.houselannister[.]top - response: 127.0.0[.]1
xxxxxxxxxxx.localdomain - No response

Click here to return to the main page.