2017-09-22 - BOLETO MALSPAM - SUBJ: ENVIO DE BOLETO - URGENTE - GRUPO FREITAS

ASSOCIATED FILES:

  • 2017-09-22-Boleto-malspam-traffic.pcap   (865,555 bytes)
  • 1508201700016067882247230289631.pdf   (9,198 bytes)
  • 2017-09-22-Boleto-malspam-1758-UTC.eml   (68,488 bytes)
  • 250920178234282343294329423.exe   (356,352 bytes)
  • E-Enviar.txt   (21 bytes)
  • EQATEC.Analytics.Monitor.dll   (160,768 bytes)
  • FiddlerCore.dll   (430,424 bytes)
  • FiddlerRoot.cer   (950 bytes)
  • chaves3.zip   (400,460 bytes)
  • idfptray.exe   (5,675,008 bytes)
  • micos.txt   (0 bytes)

NOTES:

EMAIL


Shown above:  Screenshot of the email.

EMAIL HEADERS:

Shown above:  Link seen in the PDF attachment.

TRAFFIC


Shown above:  Traffic from this infection filtered in Wireshark.

TRAFFIC SEEN USING LINK FROM THE EMAIL:

TRAFFIC SEEN USING LINK FROM THE ATTACHED PDF FILE:

ASSOCIATED DOMAINS AND POST-INFECTION TRAFFIC:

FILE HASHES

PDF ATTACHMENT:

DOWNLOADED EXE FILE (SAME FROM EMAIL LINK OR PDF):

FOLLOW-UP EXE MADE PERSISTENT ON THE INFECTED HOST:

IMAGES


Shown above:  Artifacts and the associated Windows registry from the infected host.

Shown above:  More info on the EXE file made persistent from the Windows registry.

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.