2017-10-06 - BOLETO MALSPAM - SUBJ: ENVIO DE BOLETO - URGENTE - GRUPO FREITAS

ASSOCIATED FILES:

  • 2017-10-06-Boleto-malspam-traffic.pcap   (4,339,019 bytes)
  • 1508201700016067882247230289631.pdf   (49,198 bytes)
  • 2017-10-04-Boleto-malspam-2315-UTC.eml   (66,994 bytes)
  • 2017-10-06-Boleto-malspam-0609-UTC.eml   (68,505 bytes)
  • 250920170000006734569912369086500998.pdf   (48,063 bytes)
  • 2609201700084745873458920923497456823489234792.vbs.txt   (25,728 bytes)
  • HKCU-Software-SYSPROUSTPC-SYS-base64string.txt   (5,120 bytes)
  • HKCU-Software-SYSPROUSTPC-SYS-decoded-text.txt   (3,736 bytes)
  • HKCU-Software-SYSPROUSTPC56-SYPROUSTPC56-decoded-text.txt   (2,973 bytes)
  • HKCU-Software-SYSPROUSTPC56-SYPROUSTPC56-value.txt   (4,218 bytes)
  • Ionic.Zip.Reduced.dll   (253,440 bytes)
  • PROUST-PC.aes   (16 bytes)
  • PROUST-PC.zip   (3,291,290 bytes)
  • PROUST-PCx.ocx   (376 bytes)
  • SYSPROUSTPC56-scheduled-task.txt   (3,374 bytes)
  • SYSPROUSTPC56.exe   (452,608 bytes)
  • c.cer   (905 bytes)
  • crov.exe   (1,690,096 bytes)
  • dll.dll.exe   (396,480 bytes)
  • endqw03j.fpq.vbs.txt   (114 bytes)
  • mmaqzsfa.pej.vbs.txt   (130 bytes)
  • ps.exe   (452,608 bytes)

NOTES:


EMAIL


Shown above:  Screenshot of the email (1 of 2).



Shown above:  Screenshot of the email (2 of 2).


EMAIL HEADERS:



Shown above:  Link seen in the PDF attachment.



Shown above:  Whether email link or PDF link, you end up with the same file from sendspace.com.


TRAFFIC


Shown above:  Traffic from this infection filtered in Wireshark.


TRAFFIC FROM 2017-10-06 PDF FILE:

TRAFFIC FROM 2017-10-06 EMAIL LINK:

TRAFFIC FROM 2017-10-04 PDF FILE:

TRAFFIC FROM 2017-10-04 EMAIL LINK:


FILE HASHES

PDF ATTACHMENT (1 OF 2):

PDF ATTACHMENT (2 OF 2):

DOWNLOADED VBS FILE:


ARTIFACTS

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

REGISTRY UPDATES ON THE INFECTED WINDOWS HOST:


IMAGES


Shown above:  Windows Registry updates on the infected host.


FINAL NOTES

The associated files are listed at the top of this page.

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
