2018-10-02 - RUSSIAN MALSPAM PUSHES REDAMAN MALWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-10-02-malspam-pushing-Redaman-malware-0820-UTC.eml.zip 206 kB (205,716 bytes)
- 2018-10-02-Redaman-infection-traffic.pcap.zip 13 kB (12,826 bytes)
- 2018-10-02-Redaman-malware-and-artifacts.zip 573 kB (573,916 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain and URL:
- namecha[.]in
- hxxp[:]//94.156.189[.]28/index.php
THE EMAIL
Shown above: Screenshot from the email.
Shown above: Attached 7-zip archive and the extracted Windows executable.
EMAIL HEADERS:
Return-Path: <glavzakupka@uyut-dom[.]com>
Received: from mx.majormail.ru (mx.majormail[.]ru [188.65.212[.]203])
by [removed] for [removed]; Tue, 2 Oct 2018 15:42:20 +0700 (KRAT)
Received: from [195.123.212[.]73] (helo=localhost)
by mx.majormail[.]ru with esmtpsa (TLS1.2:DHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.84_2)
(envelope-from <glavzakupka@uyut-dom[.]com>)
id 1g7FvN-0002i0-Fo
for [removed]; Tue, 02 Oct 2018 11:20:58 +0300
Message-ID: <88165ff1d598b2ba4643f559bfbb91da078eb5@uyut-dom[.]com>
Reply-To: =?utf-8?B?0JLQu9Cw0LTQuNGB0LvQsNCy0LAg0KDRj9Cx0L7QstCw?= <marine.nemcova@yandex[.]ru>
From: =?utf-8?B?0JLQu9Cw0LTQuNGB0LvQsNCy0LAg0KDRj9Cx0L7QstCw?= <glavzakupka@uyut-dom[.]com>
To: [removed]
Subject: =?utf-8?B?0JfQsNC60YDRi9Cy0LDRjtGJ0LjQtSDQtNC+0Lot0Ysg?=
=?utf-8?B?0L3QsNGH0LDQu9C+INC+0LrRgtGP0LHRgNGP?=
Date: Tuesday, 2 Oct 2018 08:20 UTC
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ab511a660bdff122fefbb20c28fc91723822"
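The From, Reply-To and Subject headers above are RFC 2047 encoded words (=?utf-8?B?...?=), and the Subject is folded across two lines. The following is an added example, not code from this page or from any tool it mentions: it decodes those encoded words, walks the Received chain oldest hop first, and flags the Reply-To domain (yandex[.]ru) differing from the From domain (uyut-dom[.]com). The header text is embedded as a constructed sample copied from the defanged headers above, with the defanging undone before the values are used.

```python
import re
from email import message_from_string
from email.header import decode_header

# Constructed sample for this example: the defanged headers shown on this page,
# trimmed to the lines the code uses. The real message is in the .eml zip above.
RAW_HEADERS = """\
Return-Path: <glavzakupka@uyut-dom[.]com>
Received: from mx.majormail.ru (mx.majormail[.]ru [188.65.212[.]203])
 by [removed] for [removed]; Tue, 2 Oct 2018 15:42:20 +0700 (KRAT)
Received: from [195.123.212[.]73] (helo=localhost)
 by mx.majormail[.]ru with esmtpsa (TLS1.2:DHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2)
 (envelope-from <glavzakupka@uyut-dom[.]com>)
 id 1g7FvN-0002i0-Fo
 for [removed]; Tue, 02 Oct 2018 11:20:58 +0300
Message-ID: <88165ff1d598b2ba4643f559bfbb91da078eb5@uyut-dom[.]com>
Reply-To: =?utf-8?B?0JLQu9Cw0LTQuNGB0LvQsNCy0LAg0KDRj9Cx0L7QstCw?= <marine.nemcova@yandex[.]ru>
From: =?utf-8?B?0JLQu9Cw0LTQuNGB0LvQsNCy0LAg0KDRj9Cx0L7QstCw?= <glavzakupka@uyut-dom[.]com>
Subject: =?utf-8?B?0JfQsNC60YDRi9Cy0LDRjtGJ0LjQtSDQtNC+0Lot0Ysg?=
 =?utf-8?B?0L3QsNGH0LDQu9C+INC+0LrRgtGP0LHRgNGP?=

"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(text: str) -> str:
    """Undo the page's defanging ([.] and hxxp) so values can be compared or looked up."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def decode_rfc2047(value: str) -> str:
    """Decode =?charset?B|Q?...?= encoded words, including a subject folded
    across two lines, into one Unicode string."""
    pieces = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def split_mailbox(mailbox: str):
    """'Display Name <user@host>' -> (display_name, user@host)."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>\s*$", mailbox)
    if m:
        return m.group(1).strip('"'), m.group(2)
    return "", mailbox.strip()


def relay_chain(msg):
    """Return (from_host, ip, by_host) per hop, oldest hop first, i.e. the order
    the message actually travelled, which is the reverse of header order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = refang(" ".join(value.split()))
        sender = re.match(r"from\s+(\S+)", unfolded)
        receiver = re.search(r"\bby\s+(\S+)", unfolded)
        ips = IPV4_RE.findall(unfolded)
        hops.append((sender.group(1).strip("[]") if sender else "",
                     ips[0] if ips else "",
                     receiver.group(1) if receiver else ""))
    return hops


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    from_name, from_addr = split_mailbox(refang(decode_rfc2047(msg["From"] or "")))
    _, reply_addr = split_mailbox(refang(decode_rfc2047(msg["Reply-To"] or "")))

    def domain(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower()

    return {
        "subject": decode_rfc2047(msg["Subject"] or ""),
        "display_name": from_name,
        "from_addr": from_addr,
        "reply_to_addr": reply_addr,
        # Replies go to a domain the visible sender does not control: a common malspam tell.
        "reply_to_mismatch": bool(reply_addr) and domain(reply_addr) != domain(from_addr),
        "hops": relay_chain(msg),
    }


if __name__ == "__main__":
    for key, val in analyze(RAW_HEADERS).items():
        print(f"{key}: {val}")
```

Running it prints the decoded sender name and subject shown in the EMAIL section below, the two hops (195.123.212.73 submitting over authenticated TLS to mx.majormail.ru, which relayed to the recipient's MX), and reply_to_mismatch as True.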
EMAIL:
Date: 2018-10-02 at 08:20 UTC
From: Владислава Рябова <glavzakupka@uyut-dom.com>
Subject: Закрывающие док-ы начало октября
Во вложении документы на 2е сентября.
Надо проверить и вернуть скан акта, подписанного с вашей стороны, на этот адрес.
Attachment name: док-ы начало октября.7z
GOOGLE TRANSLATE:
From: Vladislava Ryabova
Subject: closing docs beginning of October
Attached are documents for 2nd of September.
You need to check and return the scan of the act, signed by you, to this address.
Translated attachment name: docs beginning of October.7z
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 104.28.16[.]33 port 443 - namecha[.]in - HTTPS/SSL/TLS traffic
- 94.156.189[.]28 port 80 - 94.156.189[.]28 - POST /index.php
- NOTE: Traffic to 94.156.189[.]28 over TCP port 80 triggered alerts for ETPRO TROJAN Trojan.Redaman CnC Beacon sid: 2831896
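To turn the two indicators in the block list above into detection logic rather than a raw IP block, the following added example (not code from this page or from any tool it references) refangs them and runs them over a few constructed proxy-log lines. The log format (timestamp followed by key=value fields) and the addresses in the benign line are invented for the example; the matching deliberately keys on host plus path for the C2 URL and on exact-or-subdomain for the SNI, so an unrelated request to the same IP does not fire.

```python
from urllib.parse import urlsplit

# Indicators exactly as written on this page (defanged); refanged before use.
DEFANGED_IOCS = {
    "tls_sni": ["namecha[.]in"],
    "c2_url": ["hxxp[:]//94.156.189[.]28/index.php"],
}

# Constructed sample, not lines from the page's pcap: a benign TLS connection,
# the TLS connection to namecha.in, the POST beacon, and an unrelated GET to
# the same IP that must not match on the URL indicator.
SAMPLE_LOG = """\
2018-10-02T08:21:03Z src=10.0.0.17 dst=203.0.113.9 dport=443 sni=example.com
2018-10-02T08:21:40Z src=10.0.0.17 dst=104.28.16.33 dport=443 sni=namecha.in
2018-10-02T08:21:52Z src=10.0.0.17 dst=94.156.189.28 dport=80 method=POST host=94.156.189.28 uri=/index.php
2018-10-02T08:22:10Z src=10.0.0.17 dst=94.156.189.28 dport=80 method=GET host=94.156.189.28 uri=/favicon.ico
"""


def refang(text: str) -> str:
    """Turn the page's defanged notation back into a real indicator."""
    return text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOCS = {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}
C2_URLS = [urlsplit(u) for u in IOCS["c2_url"]]


def parse_line(line: str) -> dict:
    """Split 'ts key=value key=value ...' into a dict (the sample's own format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match: sub.namecha.in hits, notnamecha.in does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def find_hits(log_text: str):
    """Return (timestamp, source, reason) for every line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if "sni" in f and domain_matches(f["sni"], IOCS["tls_sni"]):
            hits.append((f["ts"], f["src"], "TLS SNI " + f["sni"]))
        if "uri" in f:
            for c2 in C2_URLS:
                # Host AND path: matching the IP alone would also flag the GET for /favicon.ico.
                if f.get("host", "").lower() == c2.hostname and f["uri"] == c2.path:
                    hits.append((f["ts"], f["src"], f"{f.get('method', '?')} {c2.geturl()}"))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
```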
MALWARE
MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 0167ebdb288b92562c7b6ed9e9af7d9924cd14b4f9136f6292a3235e49c5a40f
File size: 196,341 bytes
File name: док-ы начало октября.7z
File description: 7-zip archive attached to the malspam
- SHA256 hash: ceb8efb3a3eb1085c61bba4b0a77d1aca1f7b10511497e1521135f18bf67647c
File size: 326,656 bytes
File name: док-ы начало октября.exe
File description: Malware executable extracted from 7-zip archive
- SHA256 hash: d5ccc140d73a5e76154aa15b2015fcd0f022298825430f02b408c38cdc48f79b
File size: 200,704 bytes
File location: C:\Users\[username]\AppData\Local\Temp\A36F.tmp (random hex digits before .tmp)
File location: C:\ProgramData\kmeemmjh\njjjmgda.ime (random characters for directory, file name, and extension)
File description: Redaman malware DLL persistent on infected Windows host
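The persistent DLL lives under C:\ProgramData in a directory and file whose names the page describes as random. The following is an added example of a host hunt for that shape, not code from this page: it walks a ProgramData root for directories and files fitting the naming pattern, hashes each candidate and marks it if the hash matches the one listed above. Treating the pattern as 8 lowercase letters for the directory, 8 lowercase letters for the file and a 3-letter extension is an assumption generalised from the single sample on the page (kmeemmjh\njjjmgda.ime); the demo tree it scans is constructed and its planted file is a stand-in, not the real DLL.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hash of the persistent DLL as listed on this page.
KNOWN_SHA256 = {"d5ccc140d73a5e76154aa15b2015fcd0f022298825430f02b408c38cdc48f79b"}

# The page says directory, file name and extension are random; the one sample
# (kmeemmjh\njjjmgda.ime) is 8 lowercase letters, 8 lowercase letters and a
# 3-letter extension. Using that shape as the hunt pattern is an assumption.
RANDOM_DIR = re.compile(r"^[a-z]{8}$")
RANDOM_FILE = re.compile(r"^[a-z]{8}\.[a-z]{3}$")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(programdata: Path):
    """Return (path, sha256, known_hash) for each file whose directory and file
    name both fit the random-name shape directly under the given root."""
    findings = []
    for d in sorted(Path(programdata).iterdir()):
        if not (d.is_dir() and RANDOM_DIR.match(d.name)):
            continue
        for f in sorted(d.iterdir()):
            if f.is_file() and RANDOM_FILE.match(f.name):
                digest = sha256_file(f)
                findings.append((str(f), digest, digest in KNOWN_SHA256))
    return findings


def demo():
    """Run the hunt on a throwaway tree shaped like C:\\ProgramData (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Microsoft").mkdir()                  # ordinary vendor directory: ignored
        (root / "Microsoft" / "settings.dat").write_bytes(b"x")
        (root / "kmeemmjh").mkdir()                   # names taken from the page
        (root / "kmeemmjh" / "njjjmgda.ime").write_bytes(b"stand-in, not the real DLL")
        return hunt(root)


if __name__ == "__main__":
    real_root = Path(r"C:\ProgramData")
    results = hunt(real_root) if real_root.is_dir() else demo()
    for path, digest, known in results:
        print("KNOWN " if known else "REVIEW", digest, path)
```

Anything reported as REVIEW is a name-shape match only and needs a look at the file (and at whatever loads it); a KNOWN line is the exact sample from this page. On a real host the %LOCALAPPDATA%\Temp\<hex>.tmp stage is worth hashing too, but the .tmp name alone is too common to hunt on.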
IMAGES
Shown above: Malware persistent on the infected Windows host.