# 2018-01-04 - MALSPAM PUSHING PCRAT/GH0ST

**malware-traffic-analysis.net/2018/01/04/index.html**

ASSOCIATED FILES:

- [Zip archive of the pcap: 2018-01-04-PCRat-gh0st-traffic.pcap.zip 1.7 kB (1,681 bytes)](http://www.malware-traffic-analysis.net/2018/01/04/2018-01-04-PCRat-gh0st-traffic.pcap.zip)
  - 2018-01-04-PCRat-gh0st-traffic.pcap (5,009 bytes)
- Zip archive of the email, malware, and artifacts: 2018-01-04-PCRat-Gh0st-emailmalware-and-artifacts.zip 701 kB (700,875 bytes)
  - 2018-01-04-malspam-pushing-PCRat-Gh0st-1813-UTC.txt (256,098 bytes)
  - RasTls.dat (149,816 bytes)
  - RasTls.dll (45,056 bytes)
  - RasTls.exe (107,848 bytes)
  - Very beautiful.exe (393,216 bytes)
  - Very beautiful.zip (185,607 bytes)

NOTES:

- The zip attachment is password-protected with 123, as stated in the malspam.
- Post-infection activity triggered an EmergingThreats alert for PCRat/Gh0st CnC traffic.

## WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domain:

- www.etybh.com

## EMAIL

-----

_Shown above: Screenshot of the email._

EMAIL INFORMATION:

- Date: Wednesday, 2018-01-03 at 18:13 UTC
- Subject: Very beautiful
- From: howie9ball@aol.com
- To: [a very long list of recipients]
- Message-Id: <160bd3a471c-171d-2842@webjas-vac003.srv.aolmail.net>
- Attachment name: Very beautiful.zip

-----

_Shown above: Malware extracted from the zip attachment._

## TRAFFIC

_Shown above: Infection traffic in Wireshark._

-----

ASSOCIATED TRAFFIC:

- 98.126.223.218 port 900 - www.etybh.com - PCRat/Gh0st CnC traffic

## MALWARE

ZIP ARCHIVE FROM THE MALSPAM:

- SHA256 hash: [067d5729b4787fc667c061b027625be4273806c64beacfb6877fc7f182f9ed37](https://www.virustotal.com/#/file/067d5729b4787fc667c061b027625be4273806c64beacfb6877fc7f182f9ed37/detection)
- File size: 185,607 bytes
- File name: Very beautiful.zip

MALICIOUS EXECUTABLE EXTRACTED FROM THE ZIP ARCHIVE:

- SHA256 hash: [423f4c1f9ba4f184ff6e82db4f01420feb7b76693bdece6402fc2157c0c2f946](https://www.reverse.it/sample/423f4c1f9ba4f184ff6e82db4f01420feb7b76693bdece6402fc2157c0c2f946?environmentId=100)
- File size: 393,216 bytes
- File name: Very beautiful.exe

EXECUTABLE FROM THE INFECTED WINDOWS HOST:

- SHA256 hash: [f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68](https://www.virustotal.com/#/file/f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68/detection)
- File size: 107,848 bytes
- File location: C:\Microsoft\TEMP\Networks\Connections\Sementech\sementech\RasTls.exe
- NOTE: This is apparently a legitimate file abused by various Trojans for DLL sideloading.

DLL FROM THE INFECTED WINDOWS HOST:

- SHA256 hash: [a392f8f96ffc53978b177d844ef17adb09c6329997f29334e5c2029e8f5f18e8](https://www.virustotal.com/#/file/a392f8f96ffc53978b177d844ef17adb09c6329997f29334e5c2029e8f5f18e8/detection)
- File size: 45,056 bytes
- File location: C:\Microsoft\TEMP\Networks\Connections\Sementech\sementech\RasTls.dll

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:

- Registry Key: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Value name: Load
- Value Type: REG_SZ
- Value Data: cmd /c C:\Microsoft\TEMP\Networks\Connections\Sementech\sementech\RasTls.exe

-----

## IMAGES

_Shown above: TCP stream from the post-infection traffic._

_Shown above: Alert from Sguil on the post-infection traffic in [Security Onion](https://securityonion.net/) using Suricata and the [EmergingThreats ruleset](http://docs.emergingthreats.net/bin/view/Main/WebSearch)._

_Shown above: Registry key and associated files on the infected Windows host._

-----

_Shown above: Apparently, a legitimate file abused by various malware families for DLL sideloading._

## FINAL NOTES

Once again, here are the associated files:

- [Zip archive of the pcap: 2018-01-04-PCRat-gh0st-traffic.pcap.zip 1.7 kB (1,681 bytes)](http://www.malware-traffic-analysis.net/2018/01/04/2018-01-04-PCRat-gh0st-traffic.pcap.zip)
- Zip archive of the email, malware, and artifacts: 2018-01-04-PCRat-Gh0st-emailmalware-and-artifacts.zip 701 kB (700,875 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

[Click here to return to the main page.](http://www.malware-traffic-analysis.net/index.html)

-----
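The indicators in the MALWARE and TRAFFIC sections (the CnC domain and endpoint, the file hashes, and the `Load` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows`) can be turned into simple detection logic. The script below is an added example written for this page, not code from the original post: it matches those indicators against Zeek-style connection and DNS rows, a list of file hashes, and a `.reg`-style export of the persistence key. The log rows, the registry export text, and the function names are all constructed for the example; only the indicator values come from the page.

```python
"""Defender-side IOC checker built from this page's indicators (added example).
All log rows and the registry export below are constructed sample data."""
import re

# Indicators listed on the page.
IOC_DOMAINS = {"www.etybh.com"}
IOC_ENDPOINTS = {("98.126.223.218", 900)}          # PCRat/Gh0st CnC (ip, port)
IOC_IPS = {ip for ip, _ in IOC_ENDPOINTS}
IOC_SHA256 = {
    "067d5729b4787fc667c061b027625be4273806c64beacfb6877fc7f182f9ed37": "Very beautiful.zip",
    "423f4c1f9ba4f184ff6e82db4f01420feb7b76693bdece6402fc2157c0c2f946": "Very beautiful.exe",
    "a392f8f96ffc53978b177d844ef17adb09c6329997f29334e5c2029e8f5f18e8": "RasTls.dll",
}
# RasTls.exe is a legitimate binary that gets side-loaded, so its hash alone is not a verdict.
SIDELOADED_HOST_SHA256 = "f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed Zeek-style conn.log rows: ts, uid, orig_h, orig_p, resp_h, resp_p, proto.
SAMPLE_CONN_LOG = (
    "1515003200.1\tCabc1\t10.1.1.25\t49201\t98.126.223.218\t900\ttcp\n"
    "1515003201.2\tCabc2\t10.1.1.25\t49202\t93.184.216.34\t443\ttcp\n"
    "1515003202.3\tCabc3\t10.1.1.30\t49203\t98.126.223.218\t80\ttcp\n"
)
# Constructed DNS query rows: ts, client, query.
SAMPLE_DNS_LOG = (
    "1515003199.9\t10.1.1.25\twww.etybh.com.\n"
    "1515003200.0\t10.1.1.25\twww.example.com\n"
)
# Constructed .reg-style export of the persistence location named on the page.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="cmd /c C:\\Microsoft\\TEMP\\Networks\\Connections\\Sementech\\sementech\\RasTls.exe"
"""


def match_conn_log(text):
    """Flag rows whose responder matches the CnC endpoint (high) or only its IP (medium)."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        resp_h, resp_p = fields[4], int(fields[5])
        if (resp_h, resp_p) in IOC_ENDPOINTS:
            hits.append({"uid": fields[1], "src": fields[2], "severity": "high"})
        elif resp_h in IOC_IPS:
            hits.append({"uid": fields[1], "src": fields[2], "severity": "medium"})
    return hits


def match_dns_log(text):
    """Flag queries for the CnC domain; the trailing dot and case are normalized first."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        query = fields[2].rstrip(".").lower()
        if query in IOC_DOMAINS:
            hits.append({"client": fields[1], "query": query})
    return hits


def match_hashes(records):
    """records: iterable of (path, sha256). Returns (path, label) for every match."""
    hits = []
    for path, digest in records:
        digest = digest.lower()
        if digest in IOC_SHA256:
            hits.append((path, IOC_SHA256[digest]))
        elif digest == SIDELOADED_HOST_SHA256:
            hits.append((path, "legitimate RasTls.exe: check for RasTls.dll beside it"))
    return hits


def find_load_persistence(reg_text):
    """Return the 'Load' value under the Winlogon Windows key, or None if unset.
    A non-empty value there is rare on a normal host and deserves review."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == LOAD_KEY.lower():
            m = re.match(r'"Load"="(.*)"$', line)
            if m:
                # .reg exports double the backslashes; undo that for display.
                return m.group(1).replace("\\\\", "\\") or None
    return None


if __name__ == "__main__":
    print("conn hits:", match_conn_log(SAMPLE_CONN_LOG))
    print("dns hits:", match_dns_log(SAMPLE_DNS_LOG))
    print("persistence:", find_load_persistence(SAMPLE_REG_EXPORT))
```

The endpoint match is split into two severities on purpose: the page ties the CnC traffic to port 900, so a hit on that exact pair is strong, while other traffic to the same address is worth a look but may be unrelated hosting on a shared IP. The `Load` value is checked as a whole rather than for the page's exact path, because any command there is unusual and the path will differ between samples.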