Meta ===== From: Procurement – site@hamnc.com Subject: Purchase Order Attachment: Company Profile, Product Specification And Trial Order.pdf.img Running this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The…
I came across this sample yesterday via my usual method – the email filters. The email is your pretty standard stuff acting as a proposal for an order. Once you open the zip file, there is an executable. From here, the fun began. For the artifacts/logs/PCAP from this analysis, please…
Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it. This particular malware sits quietly in the background and looks for crypto currency addresses being copied and pasted between applications/pages. The interesting part of this is that…
Just a quick post about some emotet malspam from this morning. Pretty standard from what I can tell. For the artifacts, ProcMon log, and PCAP, please see the repo here. IOC: ===== http://kcespolska.pl//Details/2019-01 69.16.238.96:80 / hxxp://greenplastic.com/hUYu36qNEQ 134.0.11.142:80 / hxxp://stats.emalaya.org/gWItwAFU hxxp://innio.biz/rg1n590 hxxp://kiot.coop/yzc2cJzANO hxxp://atkcgnew.evgeni7e.beget.tech/HkHe3fKTc 200.43.114.10:8080 TCP Artifacts: =========== File name: 190118-Untitled-1653.doc File…
**2019-01-07** After talking with some researches about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked; the VB script executed that sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The…
Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: http://www.contextis.com/en/blog/malware-analysis-dark-comet-rat All artifacts can be found over at…
While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the…
This is a quick write-up of some Agent Telsa malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links: http://krebsonsecurity.com/2018/10/who-is-agent-tesla/ http://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html For the artifacts found from this investigation, please see my…
Looking through the email filters in on the 18th of September, I managed to find a small batch of emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both emails (the spoof and the true sender). Looking through the small…
A quick write-up on this Remcos malspam. Some other previous entries that I have done aboutr Remcos can be found below: http://www.herbiez.com/?p=1106 http://www.herbiez.com/?p=1073 All the emails seem to come from the sender info@yusheng-wiremesh.com with the subject of “Returned Funds fort Invoice DFER4567 July Despatch.” The malspam also comes with an…