2025-05-12: Unidentified malware infection from email attachment
Summary: On 12 May 2025, an unidentified malware infection was observed spreading through an email attachment. The malware extracts and runs an executable from the ZIP attachment, creates a persistent startup entry on the system, and communicates with a C2 server. Author: www.malware-traffic-analysis.net

2025-05-12 (MONDAY): UNIDENTIFIED MALWARE INFECTION FROM EMAIL ATTACHMENT

NOTES:

  • Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

ASSOCIATED FILES:

INFECTION CHAIN:

- email --> attachment --> extracted EXE file for the malware

SELECT HEADER LINES FROM THE EMAIL:

- Received: from etsdc.com (unknown [185.222.57[.]74]); Mon, 12 May 2025 08:45:35 UTC
- Date: 12 May 2025 01:45:33 -0700
- From: Sedra Al Jundi 
- Subject: RE: Urgent: Confirmation Required for Invoice & Down Payment Details
- Message-ID: <20250512014532.63FE56B89701F86C@etsdc[.]com>
- Attachment file name: invoice_10988.xz

ATTACHMENT AND EXTRACTED MALWARE:

- SHA256 hash: 341f58943626dec0cabc58fbec4f7263125ec1ed75e0c97418cefe0ca23c6a25
- File size: 1,427,085 bytes
- File name: invoice_10988.xz
- File type: Zip archive data, at least v2.0 to extract
- File description: Email attachment, a zip archive with an .xz file extension

- SHA256 hash: f757fc452dbb8eb564081d3decfdb31ec24fc4b91e22ee8088cb5884729cc99a
- File size: 1,515,520 bytes
- File name: invoice_10988.img
- File type: ISO 9660 CD-ROM filesystem data 'KTMBE25040170'
- File description: Disk image extracted from the above zip archive

- SHA256 hash: 116c096a488f53b298d3bac99942770afd3d791ae376534f050e6e4642c2fbb4
- File size: 1,464,320 bytes
- File name: KTMBE25040170.exe
- Post-infection file location: C:\Users\[username]\AppData\Roaming\Count.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE extracted from the above disk image
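The chain above hinges on two extension lies: a ZIP archive delivered as .xz and an ISO image delivered as .img. Mail-gateway or sandbox triage can catch that by comparing magic bytes with the declared extension and descending into archives. The following is an added example, not code from malware-traffic-analysis.net; the signature table, the helper names and the constructed sample bytes are the example's own and do not reproduce the real attachment.

```python
"""Flag attachments whose content type does not match their file extension.

Added example, not code from malware-traffic-analysis.net. It mirrors the
chain described above (a ZIP archive delivered as .xz, containing an ISO 9660
image with an .img extension that wraps a PE file) using constructed bytes;
the signature table and helper names are the example's own.
"""
import io
import os
import zipfile
from typing import Optional

# Magic-byte signatures: name -> (offset, magic bytes, extensions that honestly describe it)
SIGNATURES = {
    "zip": (0, b"PK\x03\x04", {".zip"}),
    "xz": (0, b"\xfd7zXZ\x00", {".xz"}),
    "iso9660": (0x8001, b"CD001", {".iso", ".img"}),   # primary volume descriptor at sector 16
    "pe": (0, b"MZ", {".exe", ".dll", ".scr"}),
}


def identify(data: bytes) -> Optional[str]:
    """Return the signature name matching the data, or None if nothing matches."""
    for name, (offset, magic, _) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the detected content type."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    expected = SIGNATURES[kind][2] if kind else set()
    return {
        "name": filename,
        "ext": ext,
        "detected": kind,
        # Only a positively identified type can contradict its extension
        "mismatch": kind is not None and ext not in expected,
    }


def triage(filename: str, data: bytes, depth: int = 0) -> list:
    """Check an attachment and, for ZIP archives, each entry inside it (two levels deep)."""
    findings = [check_attachment(filename, data)]
    if findings[0]["detected"] == "zip" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    findings.extend(triage(info.filename, zf.read(info), depth + 1))
                except RuntimeError:
                    # Password-protected entry: content cannot be inspected, so record that fact
                    findings.append({
                        "name": info.filename,
                        "ext": os.path.splitext(info.filename)[1].lower(),
                        "detected": "encrypted-zip-entry",
                        "mismatch": False,
                    })
    return findings


def build_samples() -> dict:
    """Constructed inputs shaped like the page's chain; none of this is the real malware."""
    pe_like = b"MZ" + b"\x00" * 62                          # DOS header stub only
    iso_like = b"\x00" * 0x8000 + b"\x01CD001" + pe_like    # sector 16 volume descriptor
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_10988.img", iso_like)          # ISO image nested in the ZIP
    return {
        "invoice_10988.xz": buf.getvalue(),                 # ZIP bytes under an .xz name
        "invoice_10988.img": iso_like,
        "notes.txt": b"plain text, no signature",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        for finding in triage(name, data):
            print(finding)
```

Running the block prints one finding per object: the outer file is reported as a ZIP with a mismatched .xz extension, the nested invoice_10988.img is recognised as ISO 9660, and the plain-text file produces no verdict because nothing matched. A gateway rule would act on `mismatch` or on the presence of a disk image inside a mail attachment.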

POST-INFECTION TRAFFIC:

- 176.65.144[.]169 port 7702 - mxcnss.dns04[.]com - encoded/encrypted TCP traffic

PERSISTENCE:

- Location: C:\Users\[username]\AppData\Roaming\Windows\Start Menu\Programs\Startup\Count.vbs
- File content: CreateObject("WScript.Shell").Run """C:\Users\[username]\AppData\Roaming\Count.exe"""
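The persistence entry is a one-line VBScript in the user's Startup folder that launches an EXE from AppData\Roaming, a directory any standard user can write to. A host-based check can enumerate Startup scripts, pull the launch targets out of them and flag the ones pointing at user-writable paths. The following is an added example, not code from malware-traffic-analysis.net; the temporary Startup folder, the username "alice", the benign Updater.vbs and the USER_WRITABLE list are constructed for the demonstration.

```python
"""Scan a per-user Startup folder for scripts that launch executables from
user-writable locations, the persistence pattern described above.

Added example, not code from malware-traffic-analysis.net. The sample Startup
folder, the username "alice" and the benign Updater.vbs are constructed for
the demonstration; the USER_WRITABLE markers are the example's own list.
"""
import os
import re
import tempfile

# Absolute Windows paths (C:\...) inside a script body, stopping at a quote or line end
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\'\r\n]+')

# Directory fragments a standard user can write to without elevation (lowercase)
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf", ".bat", ".cmd")


def extract_targets(script_text: str) -> list:
    """Return every absolute Windows path referenced by the script."""
    return PATH_RE.findall(script_text)


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a non-admin user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def scan_startup(folder: str) -> list:
    """Inspect each script in the Startup folder and flag user-writable launch targets."""
    results = []
    for entry in sorted(os.listdir(folder)):
        if not entry.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        with open(os.path.join(folder, entry), encoding="utf-8", errors="ignore") as fh:
            targets = extract_targets(fh.read())
        results.append({
            "script": entry,
            "targets": targets,
            "suspicious": any(is_user_writable(t) for t in targets),
        })
    return results


def build_sample_startup() -> str:
    """Create a temporary folder standing in for ...\\Start Menu\\Programs\\Startup (constructed)."""
    folder = tempfile.mkdtemp(prefix="startup_")
    samples = {
        # Same launcher shape as the Count.vbs shown on the page; the username is made up
        "Count.vbs": r'CreateObject("WScript.Shell").Run """C:\Users\alice\AppData\Roaming\Count.exe"""',
        # A benign-looking launcher pointing at a protected install directory
        "Updater.vbs": r'CreateObject("WScript.Shell").Run """C:\Program Files\Vendor\Updater.exe"""',
    }
    for name, body in samples.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return folder


if __name__ == "__main__":
    for result in scan_startup(build_sample_startup()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['script']}: {result['targets']}")
```

On a real host the folder argument would be the per-user Startup path from the listing above; the check is deliberately coarse (any absolute path under a user-writable directory) so that it also catches launchers written in JScript or batch rather than only the VBS variant seen here.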


Shown above:  Screenshot of the email with the malicious attachment.


Shown above:  Traffic from an infection filtered in Wireshark, and TCP stream showing 412 kB of data sent from C2 server to the infected host.


Shown above:  TCP stream showing 1,224 kB of data sent from the infected host to the C2 server.


Shown above:  The malware persistent on an infected Windows host.



Source: https://www.malware-traffic-analysis.net/2025/05/12/index.html