Necurs Botnet Delivering FlawedAmmyy RAT - 2018-05-25

The Necurs botnet is sending out malspam that carries an IQY (Excel Web Query) file attachment. Malware Traffic Analysis and My Online Security have already reported on this malspam and identify the payload as the FlawedAmmyy RAT.
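For mail-gateway or sandbox triage of IQY attachments like the one above, the following added example (not code from the original report or from the sources it cites) parses a web-query IQY file and flags ones that direct Excel to fetch content from an unapproved external host or a document/binary payload. The sample IQY text, the hostnames and the allow-list are constructed for illustration; they are not the content of 756974615.iqy.

```python
"""Inspect Excel Web Query (.iqy) attachments and flag ones that pull a
second stage from an external web server.

Added example, not part of the original report. SAMPLE_IQY and the
hostnames below are constructed placeholders.
"""
from urllib.parse import urlparse

# Constructed sample showing the minimal shape of a web-query IQY file:
# query type, version, then the URL Excel will fetch.
SAMPLE_IQY = "WEB\r\n1\r\nhttp://example.invalid/data.xls\r\n\r\n"

# Hosts the organisation treats as legitimate web-query sources (assumed).
ALLOWED_HOSTS = {"intranet.example.invalid"}

# Extensions that an emailed IQY should never point at.
PAYLOAD_SUFFIXES = (".xls", ".xlsx", ".dat", ".exe", ".dll")


def parse_iqy(text: str) -> dict:
    """Return query type, version and URL; url is None if not a web query."""
    lines = [ln.strip() for ln in text.splitlines()]
    qtype = lines[0].upper() if lines else ""
    if qtype != "WEB":
        return {"type": qtype, "version": "", "url": None}
    version = lines[1] if len(lines) > 1 else ""
    url = lines[2] if len(lines) > 2 and lines[2] else None
    return {"type": "WEB", "version": version, "url": url}


def assess_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    parsed = parse_iqy(text)
    if parsed["url"] is None:
        return findings
    url = urlparse(parsed["url"])
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        findings.append(f"non-web scheme in query URL: {url.scheme!r}")
    if host not in allowed_hosts:
        findings.append(f"web query fetches from unapproved host: {host}")
    if url.path.lower().endswith(PAYLOAD_SUFFIXES):
        findings.append(f"query URL points at a document or binary payload: {url.path}")
    return findings


if __name__ == "__main__":
    for finding in assess_iqy(SAMPLE_IQY):
        print("[!]", finding)
```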

Date/time:
2018-05-25T14:28:11

Sender IP: 203.80.171.250

Shodan.io/Censys.io for last hop(s):
https://www.shodan.io/203.80.171.250
https://www.censys.io/ipv4/203.80.171.250

Headers received:
from [203.80.171.250] (unknown [203.80.171.250]) by internal (Postfix) with ESMTP id 380A862BD2 for redacted@email; Fri, 25 May 2018 14:28:23 +0000 (UTC)

Helo:
203.80.171.250

Headers x-mailer:
none

Subject line(s):
Unpaid invoice [ID:756974615]

Message Body:
“”

Attachments:
Name: 756974615.iqy
MD5: d2a63814440f8d054d78b03b48f7a3df
SHA1: 093e9491d13a359fe4c84fc20b1addcaeac1590f
SHA256: a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27
SHA512: 2519d7db4587b908f51a74ff14b61baf83010aab2c0340904ce5868b2e486da090833933b2443c6c11c430abecae53bdf33282296974a8f7ba7dd254985720cd
File type: ASCII text, with CRLF line terminators
File size: 58 bytes

https://www.virustotal.com/#/file/a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27/detection

Dropped executable files:
Path: C:\Users\admin\AppData\Local\Temp\cmd_.exe
SHA256: f4b6b0c8787ea344ce9f68f5d506a5d6cc7447114b3dcdbb6d0207372054dfe2
Path: C:\ProgramData\Settings\wsus.exe
SHA256: bab69fb29c167451608f0840ede9dfb4c3c52fa0da5f38089ac7f2afbd94d867

DNS requests
clodflarechk[.]com

Connections
85.119.150.29
103.208.86.69

HTTP/HTTPS requests
hxxp://clodflarechk[.]com/
hxxp://clodflarechk[.]com/2[.]dat
hxxp://clodflarechk[.]com/1[.]dat
hxxp://clodflarechk[.]com/cloud[.]png
hxxp://clodflarechk[.]com/data[.]xls

Resources:
https://www.malware-traffic-analysis.net/2018/05/25/index.html

Sophos has it labelled as “Troj/DocDl-NZI”:
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DocDl-NZI/detailed-analysis.aspx

Leaked source code for Ammyy Admin turned into FlawedAmmyy RAT:
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat