{
	"id": "cd323eaf-9b1d-4c62-b044-d9fa1bd35e71",
	"created_at": "2026-04-06T00:18:31.403285Z",
	"updated_at": "2026-04-10T03:28:35.406192Z",
	"deleted_at": null,
	"sha1_hash": "227eb0ace4c552f8634f02fe154d44b3de75462d",
	"title": "Malware-Traffic-Analysis.net - 2017-11-23 - Necurs Botnet malspam pushes \"Scarab\" ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1209461,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-11-23 - Necurs Botnet\r\nmalspam pushes \"Scarab\" ransomware\r\nArchived: 2026-04-05 14:42:23 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new\r\npassword, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-11-23-Necurs-Botnet-malspam-pushes-Scarab-ransomware.pcap.zip   164.2 kB (164,157 bytes)\r\n2017-11-23-Necurs-Botnet-malspam-tracker.csv.zip   1.0 kB (996 bytes)\r\n2017-11-23-files-from-Necurs-Botnet-malspam-and-Scarab-ransomware-infection.zip   282.6 kB (282,638\r\nbytes)\r\nNOTES:\r\nNecurs Botnet malspam pushing ransomware nicknamed \"Scarab\" because encrypted files all end with the\r\nfile extension .scarab\r\nMore info at:  https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/\r\nEMAILS\r\nShown above:  Screenshot from one of the emails.\r\nEMAIL HEADERS:\r\nhttp://malware-traffic-analysis.net/2017/11/23/index.html\r\nPage 1 of 5\n\nDate/Time: Thursday 2017-11-23 as early as 08:05 UTC through at least 09:01 UTC\r\nSubject:  Scanned from Canon\r\nSubject:  Scanned from Epson\r\nSubject:  Scanned from HP\r\nSubject:  Scanned from Lexmark\r\nFrom (spoofed):  copier@[recipient's email domain]\r\nAttachment name:  image2017-11-23-[random digits].7z\r\nShown above:  Attachment and extracted VBS file from one of the emails.\r\nTRAFFIC\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nURLS FROM THE EXTRACTED VBS FILES:\r\n98.124.251[.]75 port 80 - atlantarecyclingcenters[.]com - GET /JHgd476?\r\nhttp://malware-traffic-analysis.net/2017/11/23/index.html\r\nPage 2 of 5\n\n66.36.173[.]111 port 80 - hard-grooves[.]com - GET /JHgd476?\r\n66.36.165[.]149 port 80 - hellonwheelsthemovie[.]com - GET /JHgd476?\r\n98.124.251[.]75 port 80 - miamirecyclecenters[.]com - GET /JHgd476?\r\n5.2.77[.]79 port 80 - pamplonarecados[.]com - GET /JHgd476?\r\n185.57.172[.]213 port 
80 - xploramail[.]com - GET /JHgd476?\r\nIP ADDRESS CHECK BY INFECTED HOST (NOT INHERENTLY MALICIOUS):\r\n88.99.66[.]31 port 80 - iplogger[.]co - GET /18RtV6.jpg\r\nEMAIL ADDRESS FROM THE DECRYPTION INSTRUCTIONS:\r\nsuupport@protonmail[.]com\r\nFILE HASHES\r\nFILE HASHES FOR THE ATTACHMENTS:\r\ncae7d4fda96f11ce04cde669cfdfa818c9662b321368a98d7f7ce3e437e91589 - image2017-11-23-\r\n0292531.7z\r\n1b15b60a7091223b766f7cc4868818b8e835a2301888272486a2d1ab2c427fb2 - image2017-11-23-\r\n030256.7z\r\nb2de2ea9bd7c1c1b10010f53d299564f6833d81aec7614859b4f67518fa565fb - image2017-11-23-\r\n043100.7z\r\n3958f05bc95d4de0cb5e73b7cb3e6df65e9c6f12162b62b9fcc8770e1d877cad - image2017-11-23-\r\n9164504.7z\r\ne6215a0e9f9c30c43a453503e00acba44bd0f18eb52d187d00cadf6165e23fe6 - image2017-11-23-939559.7z\r\nFILE HASHES FOR THE EXTRACTED VBS FILES:\r\nfd072a6c2fe9187f799a27e21c27fc67dd2f145ccbc0faa917f37469d0d26974 - image2017-11-22-\r\n5379282.vbs\r\n25ee9aaf6fd29574f3b897c85286a201b0ba4f946956bf0ea6ec0a9c29c6b248 - image2017-11-22-\r\n6133563.vbs\r\n39e61f8fff8b7b6a36aa54b4046df218d87ab370edf457b75d6c2547577c6b78 - image2017-11-22-\r\n7374139.vbs\r\n9bd4009931ca1182763ca0acacd74fc11917d04fe7c2459bc4e1e3b3d88eae5d - image2017-11-22-\r\n9088289.vbs\r\n281c8ccf6b1a0d983b696c656883da14a43fc4408c92d8012f08fba144de121a - image2017-11-22-\r\n9603833.vbs\r\nDOWNLOADED \"SCARAB\" RANSOMWARE:\r\nSHA256 hash:  7a60e9f0c00bcf5791d898c84c26f484b4c671223f6121dc3608970d8bf8fe4f\r\nFile size:  365,056 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\[random string].exe\r\nhttp://malware-traffic-analysis.net/2017/11/23/index.html\r\nPage 3 of 5\n\nIMAGES\r\nShown above:  Desktop of an infected Windows host.\r\nhttp://malware-traffic-analysis.net/2017/11/23/index.html\r\nPage 4 of 5\n\nShown above:  An example of the encrypted files.\r\nShown above:  Registry key updated to display the ransom note on reboot.\r\nClick here to return to the main page.\r\nSource: 
http://malware-traffic-analysis.net/2017/11/23/index.html\r\nhttp://malware-traffic-analysis.net/2017/11/23/index.html\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/11/23/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775791715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/227eb0ace4c552f8634f02fe154d44b3de75462d.pdf",
		"text": "https://archive.orkl.eu/227eb0ace4c552f8634f02fe154d44b3de75462d.txt",
		"img": "https://archive.orkl.eu/227eb0ace4c552f8634f02fe154d44b3de75462d.jpg"
	}
}
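Appended example (not part of the archived page and not malware-traffic-analysis.net's own material): a Python matcher that loads the indicator lines from the "URLS FROM THE EXTRACTED VBS FILES" and "IP ADDRESS CHECK" sections above, refangs them, and tiers hits against HTTP telemetry plus a SHA256 lookup for the downloaded payload. The tab-separated log layout and the five sample log lines are constructed for illustration and are not taken from the pcap; the tiering is my generalisation from what the page itself shows: the same `/JHgd476?` path is served from six different domains, so the path alone is a usable campaign signal on an unlisted host, while two of those domains sit on one IP (98.124.251[.]75), so a bare destination-IP match is the weakest tier. The iplogger entry stays a low-severity signal because the page marks it as not inherently malicious.

```python
import re
from dataclasses import dataclass

# Indicator lines copied verbatim from the page above (defanged with "[.]").
PAGE_URL_IOCS = """\
98.124.251[.]75 port 80 - atlantarecyclingcenters[.]com - GET /JHgd476?
66.36.173[.]111 port 80 - hard-grooves[.]com - GET /JHgd476?
66.36.165[.]149 port 80 - hellonwheelsthemovie[.]com - GET /JHgd476?
98.124.251[.]75 port 80 - miamirecyclecenters[.]com - GET /JHgd476?
5.2.77[.]79 port 80 - pamplonarecados[.]com - GET /JHgd476?
185.57.172[.]213 port 80 - xploramail[.]com - GET /JHgd476?
"""
# Listed separately on the page as "not inherently malicious": kept as a weak
# indicator that adds context to a host but never alerts on its own.
PAGE_IPCHECK_IOC = "88.99.66[.]31 port 80 - iplogger[.]co - GET /18RtV6.jpg"
# SHA256 of the downloaded Scarab executable, from the page. The attachment and
# VBS hashes listed above can be added to this same set.
KNOWN_SHA256 = {"7a60e9f0c00bcf5791d898c84c26f484b4c671223f6121dc3608970d8bf8fe4f"}

# Constructed sample telemetry (not from the pcap). Assumed tab-separated layout:
# timestamp, src ip, dst ip, dst port, Host header, method, URI.
SAMPLE_LOG = """\
2017-11-23T08:07:12Z\t10.0.0.23\t98.124.251.75\t80\tatlantarecyclingcenters.com\tGET\t/JHgd476?
2017-11-23T08:07:13Z\t10.0.0.23\t88.99.66.31\t80\tiplogger.co\tGET\t/18RtV6.jpg
2017-11-23T08:09:40Z\t10.0.0.41\t203.0.113.9\t80\texample.net\tGET\t/JHgd476?
2017-11-23T08:10:02Z\t10.0.0.57\t98.124.251.75\t80\tunrelated-tenant.example\tGET\t/
2017-11-23T08:11:30Z\t10.0.0.57\t198.51.100.7\t80\twww.example.org\tGET\t/index.html
"""


@dataclass(frozen=True)
class HttpIoc:
    ip: str
    port: int
    host: str
    method: str
    uri: str
    weak: bool = False  # True only for the "not inherently malicious" entry


# Shape of one indicator line as published: "<ip> port <n> - <host> - <METHOD> <uri>"
IOC_LINE = re.compile(
    r"^(?P<ip>\S+) port (?P<port>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)


def refang(value: str) -> str:
    """Undo the page's defanging so indicators compare equal to live telemetry."""
    return value.replace("[.]", ".")


def parse_ioc_line(line: str, weak: bool = False) -> HttpIoc:
    m = IOC_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised indicator line: {line!r}")
    return HttpIoc(refang(m["ip"]), int(m["port"]), refang(m["host"]).lower(),
                   m["method"], m["uri"], weak)


def load_iocs() -> list:
    iocs = [parse_ioc_line(l) for l in PAGE_URL_IOCS.splitlines() if l.strip()]
    iocs.append(parse_ioc_line(PAGE_IPCHECK_IOC, weak=True))
    return iocs


def match_http_log(log_text: str, iocs=None) -> list:
    """One finding per log line that touches an indicator, tiered by specificity:
    host+URI is strongest; the campaign URI on an unknown host is still notable
    because the page shows it on six domains; a bare destination-IP hit is
    weakest because listed domains share hosting with unrelated tenants."""
    iocs = iocs if iocs is not None else load_iocs()
    by_host_uri = {(i.host, i.uri): i for i in iocs}
    campaign_uris = {i.uri for i in iocs if not i.weak}
    listed_ips = {i.ip for i in iocs if not i.weak}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, host, _method, uri = line.split("\t")
        key = (host.lower(), uri)
        if key in by_host_uri:
            if by_host_uri[key].weak:
                sev, why = "low", "IP-check service, seen after infection on the page"
            else:
                sev, why = "high", "listed payload URL"
        elif uri in campaign_uris:
            sev, why = "medium", "campaign URI on unlisted host"
        elif dst in listed_ips:
            sev, why = "low", "listed IP only (shared hosting possible)"
        else:
            continue
        findings.append({"ts": ts, "src": src, "dst": dst, "host": host,
                         "uri": uri, "severity": sev, "reason": why})
    return findings


def triage_by_source(findings) -> dict:
    """Worst severity per internal source, so one host's hits roll up together."""
    rank = {"low": 1, "medium": 2, "high": 3}
    worst = {}
    for f in findings:
        if rank[f["severity"]] > rank.get(worst.get(f["src"]), 0):
            worst[f["src"]] = f["severity"]
    return worst


def is_known_payload(sha256_hex: str) -> bool:
    return sha256_hex.strip().lower() in KNOWN_SHA256


if __name__ == "__main__":
    hits = match_http_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:<6} {f['src']} -> {f['host']}{f['uri']}  ({f['reason']})")
    print(triage_by_source(hits))
```

Matching on the Host header rather than the destination IP is deliberate: the page already shows one address serving two campaign domains, and the same address can just as easily serve a legitimate tenant, which is why the IP-only tier is reported but never escalated on its own.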