Sponsored by..

Monday 27 May 2013

Citibank spam / Statement 57-27-05-2013.zip

This fake Citibank email has a malicious attachment:

Date:      Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From:      Millard Hinton [leftoverss75@gmail.com]
Subject:      Merchant Statement

Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 

The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report [pdf] is more comprehensive some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis is that this is a Zbot variant.

For the record, these are the checksums involved:
MD50bbf809dc46ed5d6c9f1774b13521e72
SHA19a50fa08e71711d26d86f34d8179f87757a88fa8
SHA25600b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400

No comments: