2025-05-27 (TUESDAY): VIP RECOVERY INFECTION FROM EMAIL ATTACHMENT
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2025-05-27-IOCs-for-VIP-Recovery-infection.txt.zip 1.3 kB (1,280 bytes)
- 2025-05-27-VIP-recovery-malspam-0714-UTC.eml.zip 727.3 kB (727,331 bytes)
- 2025-05-27-VIP-recovery-infection-traffic.pcap.zip 26.1 kB (26,084 bytes)
- 2025-05-27-VIP-recovery-malware.zip 1.4 MB (1,417,042 bytes)
SELECT EMAIL HEADERS:
- Received: from uyumelektrik.com (unknown [198.55.98[.]69]) [info removed]; Tue, 27 May 2025 07:14:35 +0000 (UTC)
- From: =?UTF-8?B?IlR1cmFuIETEsE5DIg==?=
- Subject: KABLO
- Date: 27 May 2025 00:14:36 -0700
- Message-ID: <20250527001435.3CCCD0212B127193@uyumelektrik[.]com>
- Attachment filename: UYUM ELK.İNŞ Fiyat Talebi Hk... 2000 adet 2025007586311133_250527132701.r01
ASSOCIATED FILES:
- SHA256 hash: 263f18680b864de7c8d5edd7622f07606205201976c755dd7fa98c80a8a770d4
- File size: 696,751 bytes
- File name: UYUM ELK.İNŞ Fiyat Talebi Hk... 2000 adet 2025007586311133_250527132701.r01
- File type: RAR archive data, v4, os: Win32

- SHA256 hash: aaf37584883937059e00508a1dfe72df4148efef238b4e86038902f968f220c1
- File size: 794,624 bytes
- File name: UYUM ELK.İNŞ Fiyat Talebi Hk... 2000 adet 2025007586311133_250527132701.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Persistent file location: C:\Users\[username]\AppData\Roaming\gCmiVoeYUJc.exe
INFECTION TRAFFIC:
Date/Time                IP address         Port  Domain name                 Info
-----------------------  -----------------  ----  --------------------------  ------------------------
2025-05-27 19:32:31 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:31 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:31 UTC  104.21.64[.]1      443   reallyfreegeoip[.]org       HTTPS traffic
2025-05-27 19:32:32 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:32 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:32 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:33 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:33 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:33 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:33 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:34 UTC  132.226.247[.]73   80    checkip.dyndns[.]org        GET / HTTP/1.1
2025-05-27 19:32:34 UTC  149.154.167[.]220  443   api.telegram[.]org          HTTPS traffic
2025-05-27 19:32:40 UTC  5.2.84[.]41        587   mail.testeremarketim[.]com  unencrypted SMTP traffic
SELECT HEADERS OF EMAIL SENT FOR DATA EXFILTRATION:
- From: info@testeremarketim[.]com
- To: phinametics247@gmail[.]com
- Date: 27 May 2025 19:32:48 +0000
- Subject: Pc Name: user1 | / VIP Recovery \