2017-10-27 - MALSPAM PUSHING REMCOS RAT

ASSOCIATED FILES:

  • 2017-10-27-Remcos-RAT-traffic.pcap   (6,248 bytes)
  • 2017-10-26-malspam-pushing-Remcos-RAT-1743-UTC.eml   (264,118 bytes)
  • July_QUYEN0726.xls   (107,520 bytes)
  • Quotation_VANPHUONGNAM_2432_102617_xls.arj   (191,738 bytes)
  • Quotation_VANPHUONGNAM_2432_102617_xls.exe   (847,872 bytes)
  • filename.vbe.txt   (382 bytes)


NOTES:


EMAIL


Shown above:  Screenshot from the email.


EMAIL HEADERS:



Shown above:  Malicious attachment from the malspam.


TRAFFIC


Shown above:  Remcos RAT post-infection traffic from the infection filtered in Wireshark.



Shown above:  Alerts on the post-infection traffic from the Emerging Threats Pro (ET Pro) ruleset using Sguil on Security Onion.


POST-INFECTION TRAFFIC:


FILE HASHES

EMAIL ATTACHMENT:

EXECUTABLE EXTRACTED FROM THE ARJ ARCHIVE:

DECOY SPREADSHEET OPENED ON THE VICTIM'S DESKTOP (NOT MALICIOUS):

VBE FILE IN STARTUP FOLDER FOR MALWARE PERSISTENCE:


IMAGES


Shown above:  Running the extracted executable on a Windows host.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.