2017-12-13 - NECURS BOTNET MALSPAM PUSHES TRICKBOT OR GLOBEIMPOSTER RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- I collected a few samples of Necurs Botnet malspam from the past few days.
- The format on some of the messages was wrong, so I fixed those (as noted in the spreadsheet).
- Saw mostly Trickbot, but today (Wednesday 2017-12-13) I got GlobeImposter ransomware from an attachment from yesterday's wave of malspam.
ASSOCIATED FILES:
- 2017-12-13-Necurs-Botnet-malspam-tracker.csv.zip 2.0 kB (2,036 bytes)
  - 2017-12-13-Necurs-Botnet-malspam-tracker.csv (4,914 bytes)
- 2017-12-13-Necurs-Botnet-malspam-and-GlobeImposter-and-Trickbot-malware-samples.zip 5.3 MB (5,298,039 bytes)
  - artifacts-and-malware/2017-12-07-Trickbot-sample-OlfXexkXp.exe (384,000 bytes)
  - artifacts-and-malware/2017-12-08-Trickbot-sample-agraba8.exe (353,183 bytes)
  - artifacts-and-malware/2017-12-11-Trickbot-sample-agraba8.exe (417,300 bytes)
  - artifacts-and-malware/2017-12-12-Trickbot-sample-dilaryi8.exe (351,580 bytes)
  - artifacts-and-malware/2017-12-12-follow-up-malware-launcher.exe (454,656 bytes)
  - artifacts-and-malware/2017-12-13-GlobeImposter-Read___ME.html (4,248 bytes)
  - artifacts-and-malware/2017-12-13-GlobeImposter-decryptor-style.css (1,930 bytes)
  - artifacts-and-malware/2017-12-13-GlobeImposter-decryptor.html (9,394 bytes)
  - artifacts-and-malware/2017-12-13-GlobeImposter-sample-agraba8.exe (137,728 bytes)
  - attachments/201712_137702.doc (179,712 bytes)
  - attachments/201712_686900.doc (179,712 bytes)
  - attachments/201712_692164.doc (179,712 bytes)
  - attachments/201712_695977.doc (179,712 bytes)
  - attachments/BU1529 - 12.12.2017.doc (157,696 bytes)
  - attachments/Invoice INV0000104.7z (2,029 bytes)
  - attachments/Invoice INV0000531.7z (2,027 bytes)
  - attachments/Invoice INV0000701.7z (2,031 bytes)
  - attachments/Invoice INV0000736.7z (2,036 bytes)
  - attachments/KQZ05 - 12.12.2017.doc (157,696 bytes)
  - attachments/LKU8662 - 12.12.2017.doc (157,696 bytes)
  - attachments/QZ12 - 12.12.2017.doc (157,696 bytes)
  - attachments/RE-2017-12-12-00091.doc (160,768 bytes)
  - attachments/RE-2017-12-12-00166.doc (160,768 bytes)
  - attachments/RE-2017-12-12-00268.doc (160,768 bytes)
  - attachments/RE-2017-12-12-00630.doc (160,768 bytes)
  - attachments/inv-IZR4327938.doc (171,008 bytes)
  - attachments/inv-JDS3250467.doc (171,008 bytes)
  - attachments/inv-MTY0724350.doc (171,008 bytes)
  - attachments/inv-NZW0207188.doc (171,008 bytes)
  - emails/2017-12-07-Necurs-Botnet-malspam-0959-UTC.eml (3,753 bytes)
  - emails/2017-12-07-Necurs-Botnet-malspam-1005-UTC.eml (3,739 bytes)
  - emails/2017-12-07-Necurs-Botnet-malspam-1018-UTC.eml (3,766 bytes)
  - emails/2017-12-07-Necurs-Botnet-malspam-1019-UTC.eml (3,738 bytes)
  - emails/2017-12-08-Necurs-Botnet-malspam-1410-UTC.eml (243,963 bytes)
  - emails/2017-12-08-Necurs-Botnet-malspam-1458-UTC.eml (243,952 bytes)
  - emails/2017-12-08-Necurs-Botnet-malspam-1538-UTC.eml (243,952 bytes)
  - emails/2017-12-08-Necurs-Botnet-malspam-1611-UTC.eml (243,963 bytes)
  - emails/2017-12-11-Necurs-Botnet-malspam-1346-UTC.eml (231,988 bytes)
  - emails/2017-12-11-Necurs-Botnet-malspam-1400-UTC.eml (231,999 bytes)
  - emails/2017-12-11-Necurs-Botnet-malspam-1417-UTC.eml (231,977 bytes)
  - emails/2017-12-11-Necurs-Botnet-malspam-1429-UTC.eml (231,990 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-0632-UTC.eml (217,484 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-0655-UTC.eml (217,529 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-0709-UTC.eml (217,545 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-0737-UTC.eml (217,536 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-1111-UTC.eml (222,303 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-1113-UTC.eml (222,299 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-1116-UTC.eml (222,345 bytes)
  - emails/2017-12-12-Necurs-Botnet-malspam-1229-UTC.eml (219,276 bytes)
  - extracted-files/Invoice INV0000138.vbs (4,702 bytes)
  - extracted-files/Invoice INV0000383.vbs (4,667 bytes)
  - extracted-files/Invoice INV0000398.vbs (4,623 bytes)
  - extracted-files/Invoice INV0000699.vbs (4,635 bytes)
- 2017-12-13-infections-from-Necurs-Botnet-malspam-5-pcaps.zip 4.8 MB (4,764,731 bytes)
  - 2017-12-07-Necurs-Botnet-malspam-pushes-Trickbot.pcap (1,395,916 bytes)
  - 2017-12-08-Necurs-Botnet-malspam-pushes-Trickbot.pcap (1,365,419 bytes)
  - 2017-12-11-Necurs-Botnet-malspam-pushes-Trickbot.pcap (340,354 bytes)
  - 2017-12-12-Necurs-Botnet-malspam-pushes-Trickbot.pcap (2,034,523 bytes)
  - 2017-12-13-Necurs-Botnet-malspam-pushes-GlobeImposter-ransomware.pcap (171,402 bytes)