2020-09-30 - Qakbot malspam example

1. Received: from [212.227.17.13] ([212.227.17.13:41711] helo=mout.kundenserver.de)
2. by [removed] (envelope-from <legendre@handirect.com>)
3. (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384
4. subject="/C=DE/O=1&1 Internet SE/ST=Rheinland-Pfalz/L=Montabaur/CN=mout.kundenserver.de")
5. id 78/C3-21529-D1AE47F5; Wed, 30 Sep 2020 16:27:10 -0400
6. Received: from localhost ([4.35.204.146]) by mrelayeu.kundenserver.de
7. (mreue109 [212.227.15.184]) with ESMTPA (Nemesis) id 1MYNW8-1jtNs033xq-00VMaP
8. for <admin@malware-traffic-analysis.net>; Wed, 30 Sep 2020 22:27:08 +0200
9. From: "[name removed]" <legendre@handirect.com>
10. Date: Wed, 30 Sep 2020 23:27:07 +0300
11. To: admin@malware-traffic-analysis.net
12. Subject: =?UTF-8?B?UmU6IFJlOiBQcm9qZWN0IHN0YXR1cyB1cGRhdGU=?=
13. MIME-Version: 1.0
14. X-Mailer: Microsoft Outlook 16.0
15. Content-Type: multipart/mixed; boundary=0e31d473551c1c25580b50a573e5690e
16. Message-ID: <1MhUDl-1ktDot1fOd-00eg5o@mrelayeu.kundenserver.de>
17.  
18. --0e31d473551c1c25580b50a573e5690e
19. Content-Type: text/html; charset=utf-8
20.  
21. <p>Good morning,</p><p>Check the document and let me know what you think about it.</p><p><br />Thanks.</p><br><blockquote type="cite">[email chain removed]
22.  
23.  
24. </blockquote>
25.  
26.  
27. --0e31d473551c1c25580b50a573e5690e
28. Content-Type: application/zip
29. Content-Transfer-Encoding: base64
30. Content-Disposition: attachment; filename="=?UTF-8?B?MzE5ODY3OTA5MzYuemlw?="
31.  
32. [information removed, file available at: https://app.any.run/tasks/fd4a4da2-cd02-461f-a852-00431a2f33b0]
33.  
34. --0e31d473551c1c25580b50a573e5690e--
35.