Timestamps: February 2017 to 9-3-2017, plus older ones following the same pattern from May 2016
Continuing the series on sloppy email scams, a specific type is hitting one of my addresses. Spam is received regularly from the same addresses, always in the same format. The attachments are built Matryoshka style, as in a previous post (an archive inside an archive, finally containing a JS or DOC file).
The surprising thing is that, even though they are very poorly executed:
- The spam filter is very bad at identifying them. All of this lands in my inbox.
- Over a 10 month period I've been receiving the same kind of thing from the same email address (from different IPs, though).
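As an added example (not code from the original post), a small Python checker that walks zip-in-zip attachments like the ones described above and flags JS/DOC members at any depth, with a nesting limit so a deliberately deep archive cannot make it recurse forever. It assumes the archives are plain zip files; the sample attachment is constructed inline and contains only a harmless placeholder.

```python
import io
import os
import zipfile

# Payload types seen in the campaign described above (extend as needed).
PAYLOAD_EXTENSIONS = {".js", ".doc"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 5  # refuse to keep unpacking beyond this many nested archives


def find_payloads(blob, path="attachment", depth=0, max_depth=MAX_DEPTH):
    """Recursively open zip-in-zip data; return (member path, depth) for every JS/DOC file found.

    Archives are recognised by magic bytes, not by file extension, so a renamed .zip is still unpacked.
    """
    findings = []
    if not blob.startswith(ZIP_MAGIC):
        if os.path.splitext(path)[1].lower() in PAYLOAD_EXTENSIONS:
            findings.append((path, depth))
        return findings
    if depth >= max_depth:
        findings.append((path + " [nesting limit reached]", depth))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{path}/{info.filename}"
                findings.extend(find_payloads(zf.read(info), member, depth + 1, max_depth))
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected archive
        findings.append((path + " [unreadable archive]", depth))
    return findings


def build_sample():
    """Constructed sample (not a real attachment): zip > zip > invoice.js, mimicking the nested pattern."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.js", "// harmless placeholder, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("readme.txt", "nothing here\n")
    return outer.getvalue()


if __name__ == "__main__":
    for member, depth in find_payloads(build_sample()):
        print(f"depth {depth}: {member}")
```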
Sender email
Sender IP address (from 2017)
31.162.17.160
31.163.135.36
111.240.129.119
Sender IP address (from 2016)
104.233.89.240
176.36.28.239
91.232.91.185
188.244.179.23
Sha256
25be33f20611b78b69f3960a8825f62300c875e8b09425c931074b2fd58f7c18
fe05f8e94d195e25700ff8d249ebd8656fa57f4e9855dc3a7b327962f33de208
1964357938fbc743634289137ec7838df33f593251e9730c887e89f599c5ee8b
After sandbox analysis, one of them still appears to work as a Cerber dropper; the other seems defunct.
https://www.hybrid-analysis.com/sample/1964357938fbc743634289137ec7838df33f593251e9730c887e89f599c5ee8b?environmentId=100
https://www.hybrid-analysis.com/sample/fe05f8e94d195e25700ff8d249ebd8656fa57f4e9855dc3a7b327962f33de208?environmentId=100
Full IOC list on https://otx.alienvault.com/pulse/58c43ad8eda0e40f34ddb8c1/