2020-03-25 Agent Tesla Malspam – Covid-19 Themed

Meta
=====
From: World Health Organization
Subject: COVID 19: Passaggi Medici Per Essere Sicuri
Link in the email: hxxps://onedrive[.]live[.]com/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM

Unlike the other one that I documented here, I could not find any method of persistence in this infection. Also, once the EXE from the ISO had been extracted and executed, it created a child process of “RegAsm.exe” to do the heavy lifting while terminating itself, as you can see in the image below. This is the process that made the callouts to the couple of IP addresses seen (including data exfil via port 587). Outside of that this was your…

2020-03-23 Agent Tesla Malspam

Meta
=====
From: Procurement – site@hamnc.com
Subject: Purchase Order
Attachment: Company Profile, Product Specification And Trial Order.pdf.img

Running this in my VM, I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was set up. Persistence was set up via the Windows Task Scheduler, as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the…

2019-07-17 AveMaria InfoStealer/RAT with interesting UAC bypass

I came across this sample yesterday via my usual method – the email filters. The email is your pretty standard stuff, acting as a proposal for an order. Once you open the zip file, there is an executable. From here, the fun began. For the artifacts/logs/PCAP from this analysis, please see my Github repo for this here.

IOCs:
=====
respainc.duckdns.org / 79.134.225.51:28 (TCP)
8.8.8.8:53 (TCP)

Artifacts:
==========
Microsoft.exe/Quotation.exe
a07a5a3100544aceeade42e743218e6a
http://www.virustotal.com/gui/file/a52f455f897f54af3e3d1505e686d391171d2f981ba7971b63cc491708b12fee/detection
First Submission 2019-07-16 10:12:09
28/67 engines detected this file
Path: C:\Users\%USERNAME%\AppData\Roaming | %TEMP%

dismcore.dll
6b906764a35508a7fd266cdd512e46b1
http://www.virustotal.com/gui/file/fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c/detection
First Submission 2018-10-24 20:23:05
51/70 engines detected this file
Path: %TEMP%

ellocnak.xml
427eb7374887305b72f5c552837c9036
http://www.virustotal.com/gui/file/b3f421780a49cbe680a317259d4df9ce1d0cdaca3020b4df0dc18cc01d68ccbb/detection…

2019-04-12 Crypto/Clipboard Stealer Malspam

Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it. This particular malware sits quietly in the background and looks for cryptocurrency addresses being copied and pasted between applications/pages. The interesting part of this is that once the user “pastes” the crypto address into the other application/tab, the address is changed to one that the bad actor controls. Playing around with this in my VM, I did not notice it sending anything outbound within Wireshark, and nothing came up in Process Explorer, which kind of makes…

2019-01-18 Emotet Malspam

Just a quick post about some Emotet malspam from this morning. Pretty standard from what I can tell. For the artifacts, ProcMon log, and PCAP, please see the repo here.

IOC:
=====
http://kcespolska.pl//Details/2019-01
69.16.238.96:80 / hxxp://greenplastic.com/hUYu36qNEQ
134.0.11.142:80 / hxxp://stats.emalaya.org/gWItwAFU
hxxp://innio.biz/rg1n590
hxxp://kiot.coop/yzc2cJzANO
hxxp://atkcgnew.evgeni7e.beget.tech/HkHe3fKTc
200.43.114.10:8080 TCP

Artifacts:
===========
File name: 190118-Untitled-1653.doc
File size: 127KB
File path: NA
MD5 hash: 1ce19abf935240c42b5f2959861c3ccc
Virustotal: http://www.virustotal.com/#/file/3553ff9236d640518f6293464d195c54e09923c8ff3778b6d396b269db26d221/detection
Detection ratio: 12 / 57
First detected: 2019-01-18 14:51:05
Any.Run: http://app.any.run/tasks/c066703c-130e-4f78-bd1c-18c9f300cb98

File name: ipropwfp.exe
File size: 148KB
File path: C:\Users\%username%\AppData\Local\ipropwfp
MD5 hash: 4ca746d87cf1b5f6135c9f99e7044b2d
Virustotal: http://www.virustotal.com/#/file/8a60dc9876ad042a6c957db6414918f33b932aa1fa0bc56799100968d2a992ab/detection
Detection ratio: 25 / 69
First detected: 2019-01-18 15:05:53
Any.Run: http://app.any.run/tasks/2b777d77-06bc-430d-85f9-4d4a7abea5c1 / http://app.any.run/tasks/2842a89d-1db7-4993-a2aa-c098311fcd26 / http://app.any.run/tasks/e21438cb-3261-4611-b071-abe0f20d0ca1

2019-01-03 Adwind RAT/Houdini Malspam

**2019-01-07** After talking with some researchers about this malware via this Twitter thread, the JAR file is only the delivery mechanism for the VB script inside it. Once the JAR file has been unpacked, the VB script that is executed and sends traffic to 31.171.152.106:2522 is related to the Adwind RAT. The VB script, and the data POSTed to ‘goz.unknowncrypter.com’, is related to Houdini.

This post stems from looking at some malspam that had a JAR file as an attachment from yesterday. I also posted some of the information over on Twitter yesterday too. To see that thread click here. Based on…

2018-11-05 DarkComet Malspam

Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: http://www.contextis.com/en/blog/malware-analysis-dark-comet-rat

All artifacts can be found over at my Github repo located here. I also have the memory dump post-infection saved here since it is too large for GitHub. Plus it gives me (and others) the ability to play with some memory forensics via Volatility. 😎

IOCs:
======
209.90.88.141 / thinker101.5gbfree.com
23.227.201.154:1604

Artifacts:
===========
File name: TYN NEW…

2018-10-31 Nanocore Malspam

While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails, along with the document that was attached. This is a write-up of what I was able to get from the malware on my VM. After doing some research it looks as if this malware is related to the Nanocore RAT. For more information about what this RAT is, please see the following link: http://www.stratosphereips.org/blog/2018/9/7/what-do-we-know-about-nanocore-rat-a-review

For all the artifacts from this investigation, please see the Github repo located here.

IOCs:…

2018-10-24 Agent Tesla Malspam

This is a quick write-up of some Agent Tesla malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links:
http://krebsonsecurity.com/2018/10/who-is-agent-tesla/
http://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

For the artifacts found from this investigation, please see my Github repo located here.

IOCs:
=====
208.91.199.225:587 (TCP)

Artifacts
=======
File name: RFQ-HMA-2120864-18.arj
File size: 216K
File path: NA
MD5 hash: 321a93e4393042bcae84ee695def3e63
Virustotal: http://www.virustotal.com/#/file/a84aafdffc64e7755dd1025781095c3244c9f1389e2e836ac2691ac0fa1a0925/detection
Detection ratio: 25 / 56
First Detected: 2018-10-21 10:43:42

File name: RFQ-HMA-2120864-18.exe / tmpG998.tmp / MyOtApp.exe
File size: 260K
File path: NA / C:\Users\%username%\AppData\Local\Temp / C:\Users\Bill\AppData\Roaming\MyOtApp…

2018-09-18 Emotet maldocs labeled as “Invoices”

Looking through the email filters on the 18th of September, I managed to find a small batch of Emotet emails from the same sender. The emails themselves tried to spoof email addresses, but Outlook ended up displaying both addresses (the spoof and the true sender). Looking through the small batch of emails, there were 2 different sets of hashes for the attachments. Below is the table showing the MD5 hashes associated with the maldoc:

The artifacts from this can be found over in my Github found here. Another security researcher that has been actively maintaining Emotet data (http://twitter.com/ps66uk/status/1042004723866509313) and…
