2019-04-24 - BRAZIL MALSPAM PUSHING BANLOAD
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Email: 2019-04-24-associated-malspam.zip 2.4 kB (2,434 bytes)
- 2019-04-23-Brasil-malspam-0959-UTC.eml (5,576 bytes)
- Traffic: 2019-04-24-Banload-infection-traffic-from-Brazil-malspam.pcap.zip 9.3 MB (9,340,090 bytes)
- 2019-04-24-Banload-infection-traffic-from-Brazil-malspam.pcap (9,767,131 bytes)
- Malware: 2019-04-24-Banload-malware-and-artifacts.zip 10.5 MB (10,517,224 bytes)
- docx-master.zip (857,356 bytes)
- TextInputDocsx.exe (2,184,192 bytes)
- 2019-04-24-Windows-registry-update-from-Banload-malware.txt (688 bytes)
- 1839BB57A6334E8BAC7A0D45930D3104/Ped (0 bytes)
- 1839BB57A6334E8BAC7A0D45930D3104/e2J3c6H1R4.cmd (16,760 bytes)
- 1839BB57A6334E8BAC7A0D45930D3104/jli.dll (617,149,334 bytes)
- 1839BB57A6334E8BAC7A0D45930D3104/msvcr100.dll (773,968 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain and URLs:
- freedow[.]ml
- hxxp[:]//iblservicosonline[.]com/arquivos?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html
- hxxp[:]//iblservicosonline[.]com/arquivos/?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html
- hxxps[:]//codeload.github[.]com/cbgfd102020/docx/zip/master
EMAIL HEADERS
Shown above: Screenshot from today's example of Banload malspam.
EMAIL HEADERS FROM TODAY'S BANLOAD MALSPAM EXAMPLE:
Received: from [139.99.75[.]19] ([139.99.75[.]19:40118] helo=z17.autocontabil[.]com) by [removed]
(envelope-from <ubuntu@z17.autocontabil[.]com>) [removed];
Tue, 23 Apr 2019 06:00:38 -0400
Received: by z17.autocontabil.com (Postfix, from userid 1000)
id 2F743346B9; Tue, 23 Apr 2019 06:59:08 -0300 (-03)
Subject: Segue o codigo de rastreio (BG83446844BR) № (926390)
X-PHP-Originating-Script: 1000:javali.php
X-Mailer: Microsoft Office Outlook, Build 17.551210
To: [removed]
From: Sedex Brasil <rastreamento.web@correios[.]com[.]br>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="923ccb3261e6bd916018c459b0b3e350"
Message-Id: <20190423095908.2F743346B9@z17.autocontabil[.]com>
Date: Tue, 23 Apr 2019 06:59:08 -0300 (-03)
Shown above: Malicious file downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from today's infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 145.239.28[.]18 port 80 - iblservicosonline[.]com - GET /arquivos?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html
- 145.239.28[.]18 port 80 - iblservicosonline[.]com - GET /arquivos/?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html
- port 443 - codeload.github[.]com - GET /cbgfd102020/docx/zip/master (HTTPS)
- 54.86.90[.]33 port 26457 - freedow[.]ml - TCP traffic caused by malware downloaded from fake Sedex Brazil email
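The block list above is written in defanged form (hxxp, [.] and [:]), and the traffic list is the same set of hosts and requests as seen from the infected host. The Python below is an added example, not part of the original report: it refangs the indicators, parses each traffic line into a structured record, and checks which lines hit the block list, treating a bare domain entry (freedow[.]ml) as a whole-host block and a URL entry (the github.com and iblservicosonline[.]com entries) as a block on that exact URL only. The sample input is copied from this page; the scheme of each request is inferred from the port (443 means https), which is an assumption of this example and not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Sample input copied from the report above, still defanged.
BLOCK_LIST = [
    "freedow[.]ml",
    "hxxp[:]//iblservicosonline[.]com/arquivos?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html",
    "hxxp[:]//iblservicosonline[.]com/arquivos/?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html",
    "hxxps[:]//codeload.github[.]com/cbgfd102020/docx/zip/master",
]

TRAFFIC_LINES = [
    "145.239.28[.]18 port 80 - iblservicosonline[.]com - GET /arquivos?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html",
    "145.239.28[.]18 port 80 - iblservicosonline[.]com - GET /arquivos/?correios.php?AR=BG834468474BRrastreamentoobjetos/sistemas.html",
    "port 443 - codeload.github[.]com - GET /cbgfd102020/docx/zip/master (HTTPS)",
    "54.86.90[.]33 port 26457 - freedow[.]ml - TCP traffic caused by malware downloaded from fake Sedex Brazil email",
]

_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)(?:\[:\]|:)//", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp(s)[:]// -> http(s)://, [.] -> ., [:] -> :."""
    s = _DEFANGED_SCHEME.sub(r"http\1://", indicator.strip())
    return s.replace("[.]", ".").replace("[:]", ":")


def split_block_list(entries: List[str]) -> Tuple[Set[str], Set[str]]:
    """Bare domains block the whole host; entries with a scheme block only that URL."""
    domains: Set[str] = set()
    urls: Set[str] = set()
    for entry in entries:
        clean = refang(entry)
        if "://" in clean:
            urls.add(clean)
        else:
            domains.add(clean.lower())
    return domains, urls


@dataclass
class TrafficRecord:
    ip: Optional[str]      # absent on the page for the HTTPS line, so optional
    port: int
    host: str
    method: Optional[str]  # only set for HTTP request lines
    path: Optional[str]
    note: str              # the free text after the host (request or description)

    def url(self) -> Optional[str]:
        """Rebuild the request URL; scheme is inferred from the port (assumption)."""
        if self.path is None:
            return None
        scheme = "https" if self.port == 443 else "http"
        return f"{scheme}://{self.host}{self.path}"


_LINE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?port\s+(?P<port>\d+)\s+-\s+(?P<host>\S+)\s+-\s+(?P<rest>.+)$"
)
# Restrict to HTTP verbs so a description such as "TCP traffic ..." is not read as a request.
_REQUEST = re.compile(r"^(?P<method>GET|POST|HEAD|PUT)\s+(?P<path>\S+)")


def parse_traffic_line(line: str) -> TrafficRecord:
    """Parse one '<ip> port <n> - <host> - <request or note>' line from the report."""
    m = _LINE.match(refang(line))
    if not m:
        raise ValueError(f"unrecognized traffic line: {line!r}")
    rest = m.group("rest")
    req = _REQUEST.match(rest)
    return TrafficRecord(
        ip=m.group("ip"),
        port=int(m.group("port")),
        host=m.group("host").lower(),
        method=req.group("method") if req else None,
        path=req.group("path") if req else None,
        note=rest,
    )


def match_traffic(lines: List[str], block_list: List[str]) -> List[Tuple[TrafficRecord, str]]:
    """Return (record, reason) for every traffic line that hits the block list."""
    domains, urls = split_block_list(block_list)
    hits: List[Tuple[TrafficRecord, str]] = []
    for line in lines:
        rec = parse_traffic_line(line)
        if rec.host in domains:
            hits.append((rec, "domain"))
        elif rec.url() in urls:
            hits.append((rec, "url"))
    return hits


if __name__ == "__main__":
    for rec, reason in match_traffic(TRAFFIC_LINES, BLOCK_LIST):
        print(f"{reason:6} {rec.ip or '-':15} {rec.port:5} {rec.url() or rec.note}")
```

The domain-versus-URL split matters here: codeload.github.com is a legitimate service, so only the one download URL is blocked, and a request for any other path on that host does not hit, while anything to freedow.ml does.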
Shown above: Traffic over TCP port 26457 caused by the malware.
Shown above: Alerts from Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
Shown above: Some alerts noted from the Any.Run analysis of this malware.
FILE HASHES
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: e85afeb0fd9e7550394b84ccb1857a4789b5a99daee4e1c859a3eb70ae4a3c15
File size: 857,356 bytes
File name: docx-master.zip
File description: .zip archive downloaded from link in fake Sedex Brazil email.
- SHA256 hash: 53c614141a6b646dc043d11271ca5dd97cd36f507c245bc1530aadba1504dcbe
File size: 2,184,192 bytes
File name: TextInputDocsx.exe
File description: Extracted executable from the above .zip archive.
Any.Run analysis: https://app.any.run/tasks/36766419-89dc-40c9-b91a-31de2baa1b2e
- SHA256 hash: 292faa4845074907ca7f40c084d939f62286e2001e9c0af405ff9a33338e50d8
File size: 16,760 bytes
File name: e2J3c6H1R4.cmd
File description: Legitimate Java Platform SE binary jjs.exe, renamed. It loads and runs any file named jli.dll, which is how the Banload DLL gets executed.
- SHA256 hash: e4e6ecb888b43073c622d177bc70fb12046652645a10bfa1b99152f83df21a49
File size: 617,149,334 bytes
File name: jli.dll
File description: Banload malware DLL.
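Anyone working with the associated zip will want to confirm that the extracted files match the hashes listed here, and jli.dll at over 600 MB should not be read into memory in one go. The following Python is an added example and not part of the report: it hashes files in chunks and compares a directory tree against a name-to-hash manifest, reporting ok, mismatch or missing. REPORT_HASHES holds the values listed above; demo() does not touch the real archive but builds a constructed temporary folder (an empty Ped, a small known-content file, a stand-in jli.dll with the wrong content, and no TextInputDocsx.exe) so the three outcomes can be seen offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# SHA256 hashes as listed in this report.
REPORT_HASHES = {
    "docx-master.zip": "e85afeb0fd9e7550394b84ccb1857a4789b5a99daee4e1c859a3eb70ae4a3c15",
    "TextInputDocsx.exe": "53c614141a6b646dc043d11271ca5dd97cd36f507c245bc1530aadba1504dcbe",
    "e2J3c6H1R4.cmd": "292faa4845074907ca7f40c084d939f62286e2001e9c0af405ff9a33338e50d8",
    "jli.dll": "e4e6ecb888b43073c622d177bc70fb12046652645a10bfa1b99152f83df21a49",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a 600 MB DLL never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: Path, expected: Dict[str, str]) -> Dict[str, str]:
    """Look up each expected file by name anywhere under directory and compare its hash.
    Result per name is 'ok', 'mismatch' or 'missing'."""
    directory = Path(directory)
    found = {p.name: p for p in directory.rglob("*") if p.is_file()}
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        p = found.get(name)
        if p is None:
            results[name] = "missing"
        elif sha256_file(p) == digest.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> Dict[str, str]:
    """Constructed sample folder mirroring the artifact layout above; not the real files."""
    expected = {
        "Ped": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",      # SHA256 of empty input
        "abc.bin": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",  # SHA256 of b"abc"
        "jli.dll": REPORT_HASHES["jli.dll"],
        "TextInputDocsx.exe": REPORT_HASHES["TextInputDocsx.exe"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        sub = Path(tmp) / "1839BB57A6334E8BAC7A0D45930D3104"
        sub.mkdir()
        (sub / "Ped").write_bytes(b"")                      # the 0-byte file from the listing
        (Path(tmp) / "abc.bin").write_bytes(b"abc")         # constructed good file
        (sub / "jli.dll").write_bytes(b"not the real DLL")  # constructed stand-in, hash will not match
        return verify_directory(Path(tmp), expected)        # TextInputDocsx.exe is never written


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

To check the real archive, call verify_directory() on the extraction folder with REPORT_HASHES; the recursive lookup by name means the 1839BB57A6334E8BAC7A0D45930D3104 subfolder does not need to be spelled out.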