2018-01-04 - MALSPAM PUSHING PCRAT/GH0ST

ASSOCIATED FILES:

  • 2018-01-04-PCRat-gh0st-traffic.pcap   (5,009 bytes)
  • 2018-01-04-malspam-pushing-PCRat-Gh0st-1813-UTC.txt   (256,098 bytes)
  • RasTls.dat   (149,816 bytes)
  • RasTls.dll   (45,056 bytes)
  • RasTls.exe   (107,848 bytes)
  • Very beautiful.exe   (393,216 bytes)
  • Very beautiful.zip   (185,607 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domain:


EMAIL


Shown above: Screenshot of the email.


EMAIL INFORMATION:



Shown above: Malware extracted from the zip attachment.


TRAFFIC


Shown above: Infection traffic in Wireshark.


ASSOCIATED TRAFFIC:


MALWARE

ZIP ARCHIVE FROM THE MALSPAM:

MALICIOUS EXECUTABLE EXTRACTED FROM THE ZIP ARCHIVE:

EXECUTABLE FROM THE INFECTED WINDOWS HOST:

DLL FROM THE INFECTED WINDOWS HOST:

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:


IMAGES


Shown above: TCP stream from the post-infection traffic.



Shown above: Alert from Sguil on the post-infection traffic in Security Onion using Suricata and the EmergingThreats ruleset.



Shown above: Registry key and associated files on the infected Windows host.



Shown above: Apparently, a legitimate file abused by various malware families for DLL side-loading.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
