
Tuesday 21 May 2013

Delivery_Information_ID-000512430489234.zip

The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German). I don't have a copy of the email itself, but my best guess is that it is a fake package delivery report.

So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive.de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen.de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion.de/get/Delivery_Information_ID-000512430489234.zip

The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47 and has the following checksums:

MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
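The underscore-padded double extension noted above is easy to check for at a mail gateway or in a sandbox triage script. The following Python is an added example (mine, not code from the original post): it flags ZIP members whose name hides an executable extension behind a decoy document extension plus a run of padding, and compares each member's SHA256 against the hash listed above. The sample archive is constructed inline and contains no real payload; the padding threshold and the decoy/executable extension lists are my own assumptions.

```python
import hashlib
import io
import re
import zipfile

# SHA256 listed in the post for the unpacked executable (the constructed sample below will not match).
KNOWN_BAD_SHA256 = {
    "9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7",
}

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Decoy document extension, a long run of padding, then a real executable extension ("x.Pdf_____.exe").
PADDED_DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|jpg|txt)[ _\-\.]{8,}\.(exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)

def classify_member(name):
    """Return the reasons a ZIP member name looks like a disguised executable (empty if none)."""
    reasons = []
    if name.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("executable extension")
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("padded double extension")
    return reasons

def scan_zip(data):
    """Scan ZIP bytes; map each suspicious member to its reasons, SHA256 and known-bad status."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            known_bad = digest in KNOWN_BAD_SHA256
            if reasons or known_bad:
                findings[info.filename] = {"reasons": reasons, "sha256": digest, "known_bad": known_bad}
    return findings

def build_sample_zip():
    """Constructed sample: one benign text member and one inert member named like the post's padded file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("Delivery_Information_ID-000512453420234.Pdf" + "_" * 63 + ".exe", b"not a real PE")
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see the padded member reported with both reasons while the text member is ignored; on a real sample the hash comparison is what would light up `known_bad`.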

The Anubis report is pretty inconclusive, but ThreatTrack reports [pdf] some peer-to-peer traffic and also some rummaging around the Windows Address Book (WAB).

Update: sandrochka.de appears to be hosting the malicious ZIP as well.

1 comment:

Danny said...

I've been tracking this too. I have the same Kuluoz trojan from 3 sites over the last few days requesting /img/get.php
http://urlquery.net/search.php?q=/img/get.php?info=&type=string&start=2013-05-07&end=2013-05-22&max=50
The malware calls back out to a long list of IPs and the C2 drops Fake AV and Asprox.

Fun fun fun!