2017-05-31 - MALSPAM - SUBJECT: RFQ-DOC

ASSOCIATED FILES:

  • 2017-05-31-malspam-traffic.pcap   (862,006 bytes)
  • RFQ-1.exe   (885,760 bytes)
  • RFQ-1.zip   (845,938 bytes)

NOTES:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

Received: from [10.98.149.95] (unknown [197.210.25.103]);
        by [removed]
        Wed, 31 May 2017 14:40:21 +0300 (EEST)
Date: Thu, 01 Jun 2017 00:40:06 -0700
From: "Nayab Husain Rizvi" <info@elmechuae.com>
Subject: RFQ-Doc
MIME-Version: 1.0
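
Two things in the headers above are worth checking on any RFQ-themed malspam before looking at the attachment: the sending host introduced itself with a private address (10.98.149.95) while the relay logged a public connecting address (197.210.25.103), and the Date header (01 Jun 2017 00:40:06 -0700, i.e. 07:40 UTC) is about 20 hours later than the Received timestamp (31 May 2017 14:40:21 +0300, i.e. 11:40 UTC), which a normally behaving mail client would not produce. The script below is an added example, not code from this page or its author; it embeds the header block exactly as shown above and reports both discrepancies. The "[removed]" relay name is the page's own redaction and is left as-is.

```python
import re
import ipaddress
from email.utils import parsedate_to_datetime

# Header block copied from the page above (message body omitted).
RAW_HEADERS = """\
Received: from [10.98.149.95] (unknown [197.210.25.103]);
        by [removed]
        Wed, 31 May 2017 14:40:21 +0300 (EEST)
Date: Thu, 01 Jun 2017 00:40:06 -0700
From: "Nayab Husain Rizvi" <info@elmechuae.com>
Subject: RFQ-Doc
MIME-Version: 1.0
"""

RFC2822_DATE = re.compile(r"\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Join RFC 5322 continuation lines and return {name: value}, keeping the
    first occurrence of each header (enough for the fields shown on the page)."""
    pairs = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and pairs:
            pairs[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append([name.strip(), value.strip()])
    headers = {}
    for name, value in pairs:
        headers.setdefault(name, value)
    return headers


def analyze(raw=RAW_HEADERS):
    """Return the HELO-claimed vs. actual connecting IP and the Date/Received skew."""
    h = unfold_headers(raw)
    received = h["Received"]

    # In "from [A] (unknown [B])", A is what the client claimed in HELO/EHLO and
    # B is the address the receiving MTA actually saw on the TCP connection.
    ips = BRACKET_IP.findall(received)
    claimed, connecting = ips[0], ips[-1]

    recv_time = parsedate_to_datetime(RFC2822_DATE.search(received).group(0))
    sent_time = parsedate_to_datetime(h["Date"])

    return {
        "claimed_ip": claimed,
        "claimed_is_private": ipaddress.ip_address(claimed).is_private,
        "connecting_ip": connecting,
        "connecting_is_private": ipaddress.ip_address(connecting).is_private,
        # Positive skew means the sender's Date header is later than the time
        # the relay received the message: a forged or badly misconfigured clock.
        "skew_seconds": int((sent_time - recv_time).total_seconds()),
        "sender_domain": h["From"].rsplit("@", 1)[-1].rstrip(">"),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:22} {value}")
```

Run it as-is and it prints a private claimed address, a public connecting address and a skew of 71985 seconds (19 h 59 m 45 s). The same two checks, a HELO name that does not match the connecting IP and a Date header ahead of the first Received stamp, are cheap pivots for a mail filter or a triage script on any similar sample.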

 

TRAFFIC


Shown above:  Pcap of the traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS

 

MALWARE


Shown above:  ZIP archive and its contents.

 

DOWNLOADED ZIP FILE:

EXTRACTED MALWARE:

 

IMAGES


Shown above:  Malware made persistent on the infected host.

 


Shown above:  Directories created to hold data stolen by the malware.

 


Shown above:  Log of user activity from the infected host.

 


Shown above:  Screenshots stored in some sort of encoded format on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
