2017-03-22 - BANLOAD INFECTION FROM BRAZIL MALSPAM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-22-Banload-infection-traffic.pcap.zip   8.9 MB (8,938,153 bytes)

• 2017-03-22-Banload-infection-traffic.pcap   (9,499,306 bytes)

• 2017-03-22-Banload-malspam-3-examples.zip   3.4 kB (4,392 bytes)

• 2017-03-22-Banload-malspam-0152-UTC.eml   (2,235 bytes)
• 2017-03-22-Banload-malspam-1404-UTC.eml   (2,259 bytes)
• 2017-03-22-Banload-malspam-1508-UTC.eml   (2,257 bytes)

• 2017-03-22-malware-from-Banload-infection.zip   8.7 MB (8,732,067 bytes)

• NotaFiscal_22032017- Completa.exe   (1,929,728 bytes)
• NotaFiscal_22032017.zip   (898,583 bytes)
• Unedrcovertoolz0.exe   (120,688,640 bytes)

 

EMAILS

Shown above:  An example of the emails.

 

SUBJECT LINES:

• Subject:  NF-e Nacional - Serie 20 - Doc. N. 6-032017
• Subject:  NF-e Nacional - Serie 12 - Doc. N. 19388-032017
• Subject:  NF-e Nacional - Serie 20 - Doc. N. 61754-032017

 

TRAFFIC

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

DOWNLOAD URLS FROM THE EMAILS:

• www.financeiro-doc[.]com[.]br/notafiscal/?pdf-douglassantos@detran[.]es[.]gov[.]br=0D
• www.financeiro-doc[.]com[.]br/notafiscal/?xml-douglassantos@detran[.]es[.]gov[.]br=0D
• www.docprintbrasil[.]com[.]br/nfe/?pdf-a-silva@bx[.]jp[.]nec[.]com=0D
• www.docprintbrasil[.]com[.]br/nfe/?xml-a-silva@bx[.]jp[.]nec[.]com=0D
• www.docprintbrasil[.]com[.]br/nfe/?pdf-andre.ffranco@uol[.]com[.br=0D
• www.docprintbrasil[.]com[.]br/nfe/?xml-andre.ffranco@uol[.]com[.]br=0D

INFECTION ATTEMPT:

• 108.179.253[.]77 port 80 - www.docprintbrasil[.]com[.]br - GET /nfe/?xml-andre.ffranco@uol[.]com[.]br%0D
• 199.101.134[.]176 port 443 - dc720.4shared[.]com - GET /download/1eFIdS__ei?sbsr=c51[long string of characters]   [HTTPS]
• 191.6.202[.]84 port 80 - www.selfstudy[.]com[.]br - GET /sempre/Unedrcovertoolz0.zip
• 177.12.161[.]30 port 80 - www.gumos[.]com[.]br - GET /sempre/notify.php

 

FILE HASHES

DOWNLOADED ZIP ARCHIVE FROM LINK IN THE EMAIL:

• SHA256 hash:  631a104bf3af15a447c19bf57a2144956c435037b0dcb035a27dbacddfdcb75b
  File name:  NotaFiscal_22032017.zip
  File size:  898,583 bytes

EXTRACTED MALWARE:

• SHA256:  d1bef41cd683e345052aca32cc43941dd529f16994233de984a2941c82f992a2
  File name:  NotaFiscal_22032017- Completa.exe
  File size:  1,929,728 bytes

FOLLOW-UP DOWNLOAD ON INFECTED HOST:

• SHA256:  545d75d3185890fd88fdbf055f5ab97c51f96c94741b9e05edd784de9d29c43d
  File name:  C:\Users\[username]\AppData\Local\GamesAlok0\Unedrcovertoolz0.exe
  File size:  120,688,640 bytes

 

IMAGES

Shown above:  Malware from the link in the email.

 

Shown above:  Malware seen on the infected host.

 

Click here to return to the main page.