2017-11-28 - REVENGE RAT, LUMINOSITY RAT, AND PREDATOR PAIN (HAWKEYE) INFECTION FROM PAYMENT SLIP-THEMED MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-11-28-payment-slip-themed-malspam-2-examples.zip 2.8 kB (2,784 bytes)
- 2017-11-28-Revenge-RAT-and-Luminosity-RAT-and-Predator-Pain-infection-traffic.pcap.zip 3.0 MB (2,959,019 bytes)
- 2017-11-28-Revenge-RAT-and-Luminosity-RAT-and-Predator-Pain-malware-samples.zip 1.5 MB (1,479,785 bytes)
INDICATORS
EMAILS:

- Date: Tuesday, 2017-11-28 at 15:43 UTC
- Received: from smtp216t.alice[.]it ([82.57.200[.]96])
- From: "Carol Burnham"
- Subject: Re: Payment Slip

- Date: Tuesday, 2017-11-28 at 16:23 UTC
- Received: from smtp214t.alice[.]it ([82.57.200[.]92])
- From: "Carol Burnham"
- Subject: Re: Payment Slip

LINK IN THE EMAILS:

- hxxps[:]//www.mediafire[.]com/file/r69l4qkaahm40f6/Payment%20Slip_ID_B03185.zip

POST-INFECTION TRAFFIC:

- 95.141.43[.]196 port 610 - oamentyga.duckdns[.]org - TCP traffic caused by Revenge RAT
- 95.141.43[.]196 port 1472 - oamentyga.duckdns[.]org - TCP traffic caused by Luminosity RAT
- port 80 - whatismyipaddress[.]com - IP address check by Predator Pain malware
- port 587 - smtp.inda[.]com - TLS email traffic caused by Predator Pain malware

MALWARE:

- SHA256 hash: 53e3cbff1c04746f5ad385962cc4df7d8b132ccbb02a848f9aa0c16f2f1e1feb
- File size: 233,506 bytes
- File name: Payment Slip_ID_B03185.zip
- File description: Password-protected zip archive downloaded from link in the malspam (password: Y2vQ9Bx)

- SHA256 hash: f3e6b995f18db127f03f5e6afe4c745086e0b8a83d9f381cc4541486e35e47c5
- File size: 353,051 bytes
- File name: Payment Slip_ID_B03185.scr
- File description: A malware downloader extracted from the above zip archive

- SHA256 hash: 142c6c638938cac678673a8ee85cb5b0b5e50702761221a5f3102697fb09ea11
- File size: 30,577 bytes
- File name: Payment Details_ID_B07185.pdf
- File description: Decoy PDF document displayed while the malware infects the victim's host (not malicious)

- SHA256 hash: 766995f34c80eb0823cb61808f69c6cd26c791f329981190943c96cb508bc9a7
- File size: 659,456 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\2011
- File location: C:\Users\[username]\AppData\Local\Temp\9258.tmp.exe
- File location: C:\Users\[username]\AppData\Roaming\Y.exe
- File description: Predator Pain/Hawkeye (detected by MSE as MSIL/Golroted.A)

- SHA256 hash: f714539bb5aec24d47180453c156a822cfeaed1ab94a2b847f434443c3f4365a
- File size: 195,584 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\4881
- File location: C:\Users\[username]\AppData\Local\Temp\7140
- File location: C:\Users\[username]\AppData\Local\Temp\wm.exe
- File location: C:\Users\[username]\AppData\Roaming\tUMsK.exe
- File location: C:\Users\[username]\AppData\Roaming\Win.exe
- File description: Revenge RAT

- SHA256 hash: fa1ced1545b7eaf4e7e43608b37d3a6be714c2f61e512f62eeb2c345833b7ee7
- File size: 523,776 bytes
- File location: C:\ProgramData\748152\Windows.exe
- File location: C:\Users\[username]\AppData\Local\Temp\84488699.tmp.exe
- File location: C:\Users\[username]\AppData\Local\Temp\8551
- File location: C:\Users\[username]\AppData\Local\Temp\win.exe
- File location: C:\Users\[username]\AppData\Roaming\QrbbGtzO.exe
- File description: Luminosity RAT
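The post-infection traffic above is the part of this write-up that is most directly useful for hunting. The script below is an added example, not part of the original post and not derived from the pcap: it refangs the indicators exactly as listed here (the `[.]`, `[:]` and `hxxp` notation), then runs them over a handful of constructed, simplified Zeek-style dns.log and conn.log records (tab-separated `ts uid orig_h orig_p resp_h resp_p proto`, a subset of the real column layout). The resolved addresses for whatismyipaddress[.]com, smtp.inda[.]com and the benign host are placeholders from documentation ranges, not real resolutions; only 95.141.43[.]196 and the host names come from the page. Because Predator Pain's IP check and SMTP exfiltration are identified by destination name and port rather than a fixed IP, the DNS log is used to map answers back to query names before the connection log is scanned.

```python
from collections import defaultdict

# Indicators as given on this page, kept in defanged form until matching.
DEFANGED_C2_IP = "95.141.43[.]196"
WATCHLIST_DEFANGED = {
    ("oamentyga.duckdns[.]org", 610): "Revenge RAT C2",
    ("oamentyga.duckdns[.]org", 1472): "Luminosity RAT C2",
    ("whatismyipaddress[.]com", 80): "Predator Pain IP check",
    ("smtp.inda[.]com", 587): "Predator Pain SMTP exfil",
}


def refang(ioc: str) -> str:
    """Turn the defanged notation used on the page back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


C2_IP = refang(DEFANGED_C2_IP)
WATCHLIST = {(refang(name), port): label for (name, port), label in WATCHLIST_DEFANGED.items()}

# Constructed sample dns.log subset: ts, orig_h, query, answers (comma-separated).
# 95.141.43.196 is from the page; the other answers are placeholder addresses.
SAMPLE_DNS_LOG = """\
1511886299.900\t10.11.28.101\toamentyga.duckdns.org\t95.141.43.196
1511886304.800\t10.11.28.101\twhatismyipaddress.com\t203.0.113.10
1511886310.100\t10.11.28.101\tsmtp.inda.com\t198.51.100.25
1511886319.900\t10.11.28.101\twww.example.com\t203.0.113.99
"""

# Constructed sample conn.log subset: ts, uid, orig_h, orig_p, resp_h, resp_p, proto.
SAMPLE_CONN_LOG = """\
1511886300.100\tCx1a\t10.11.28.101\t49231\t95.141.43.196\t610\ttcp
1511886301.250\tCx1b\t10.11.28.101\t49232\t95.141.43.196\t1472\ttcp
1511886302.000\tCx1c\t10.11.28.101\t49233\t95.141.43.196\t4444\ttcp
1511886305.000\tCx1d\t10.11.28.101\t49240\t203.0.113.10\t80\ttcp
1511886310.400\tCx1e\t10.11.28.101\t49251\t198.51.100.25\t587\ttcp
1511886320.000\tCx1f\t10.11.28.101\t49260\t203.0.113.99\t443\ttcp
"""


def parse_dns(text: str) -> dict:
    """Map each answered IP back to the query name so conn.log hits can be named."""
    ip_to_name = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _orig_h, query, answers = line.split("\t")
        for ip in answers.split(","):
            ip_to_name[ip.strip()] = query.lower()
    return ip_to_name


def scan_conn(conn_text: str, ip_to_name: dict) -> list:
    """Return one hit per connection that matches a page indicator."""
    hits = []
    for line in conn_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto = line.split("\t")
        resp_p = int(resp_p)
        name = ip_to_name.get(resp_h, resp_h)
        label = WATCHLIST.get((name, resp_p))
        # The C2 address itself is an indicator even on a port the page does not list.
        if label is None and resp_h == C2_IP:
            label = "Revenge/Luminosity C2 IP on unlisted port"
        if label:
            hits.append({"uid": uid, "orig_h": orig_h, "dst": f"{resp_h}:{resp_p}",
                         "name": name, "label": label})
    return hits


def infected_hosts(hits: list) -> dict:
    """Group hit labels by internal source host for triage."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["orig_h"]].add(hit["label"])
    return dict(by_host)


if __name__ == "__main__":
    for hit in scan_conn(SAMPLE_CONN_LOG, parse_dns(SAMPLE_DNS_LOG)):
        print(f'{hit["uid"]} {hit["orig_h"]} -> {hit["dst"]} ({hit["name"]}): {hit["label"]}')
```

On real Zeek output, replace the column splitting with a reader that honours the `#fields` header, and treat a duckdns[.]org name resolving to a fresh address as a reason to re-check the watchlist rather than assuming 95.141.43[.]196 is the only C2 address the dynamic DNS name will ever point to.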