November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – Malspam Campaign Delivering Malicious Files Using Compromised Windstream Email Addresses
June 14, 2019Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability
June 14, 2019Rewterz Threat Alert – Malspam Campaign Delivering Malicious Files Using Compromised Windstream Email Addresses
June 14, 2019Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability
June 14, 2019
Severity
Medium
Analysis Summary
A malspam email campaign that has emails with subject lines about love letters and had a zip attachment with a name starting with “Love_You_”. The zip file, when uncompressed, contained a JavaScript file that, upon execution, performed several HTTP requests to download additional malicious executables. These executables were a Monero cryptocurrency miner, Phorpiex spambot malware, and GandCrab ransomware. The Phorpiex spambot malware caused the victim host to be joined to a botnet and begin emailing out copies of the malicious zip file to additional targets. Meanwhile the victim host was infected with ransomware and leveraged to mine crypto-currency.
Impact
File encryption
Indicators of Compromise
IP(s) / Hostname(s)
- 92[.]63[.]197[.]48
- 198[.]105[.]244[.]228
- 78[.]46[.]77[.]98
- 217[.]26[.]53[.]161
- 74[.]220[.]215[.]73
- 136[.]243[.]13[.]215
- 138[.]201[.]162[.]99
URLs
- slpsrgpsrhojifdij[.]ru
- osheoufhusheoghuesd[.]ru
- suieiusiueiuiuushgf[.]ru
- www[.]2mmotorsport[.]biz
- www[.]haargenau[.]biz
- www[.]bizziniinfissi[.]com
- www[.]holzbock[.]biz
- www[.]fliptray[.]biz
- gandcrabmfe6mnef[.]onion
Malware Hash (MD5/SHA1/SH256)
- 72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06
- 27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
- 99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645
- 06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
- 7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d
- 0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
- 32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20
- 12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8
- 6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002
- 99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349
- d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a
- c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0
- f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc
- f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4
- 9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45
- ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87
- cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2
- 0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
- 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
- 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
- 035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
- b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
- 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.