File description: 7-zip archive (.7z file) attached to Korean malspam.File description: Example of Korean malspam (.eml file) pushing Gandcrab.The following are indicators associated with this infection: Shown above: Encrypted files and the ransom note on my infected Windows host. The result was a Gandcrab ransomware infection. I extracted them and ran one on a vulnerable Windows host. The attached 7-zip archive contained 3 files with different names, but they were all the same file hash, so they were the same malware.
#SPAM WITH A .7Z FILE EXTENSION WINDOWS 7#
Shown above: The email opened in Thunderbird on a Windows 7 host. Shown above: Pivoting on the attachment to find its parent email. Then I retrieved that email from VT Intelligence. I picked the most recent result and selected the relations tab, which revealed the associated malspam. The base64 string represents UTF-8 characters, where the format is name:"=?utf-8?B?=" The file names did not use ASCII characters, but were base64 encoded. The three most recent results I saw were 7-zip archives (.7z files). Shown above: Results sorted by most recent at the time of my search. Shown above: Searching and sorting in the VT Intelligence portal. After the results appeared, I sorted by the most recent submissions. This returned anything tagged as an email attachment, first seen on or after, with at least 3 vendors identifying an item as malicious. In the VT Intelligence search window, I used the following parameters: Fortunately I have access through my employer.
VT Intelligence is a subscription server, and from what I understand, it's fairly expensive. Searching for malspam attachments in VT Intelligence Let's see what the roulette wheel give us today! I acquired a recent malspam example through VirusTotal (VT) Intelligence. My version of email roulette is picking a recent item of malicious spam (malspam), running the associated email attachment in a live sandbox, and identifying the malware. For today's diary I play a game of email roulette.