Sponsored by..

Thursday 2 May 2013

"Your Wire Transfer 07532312 canceled" spam / Receipt on payment ID758-34.exe

This spam message has a malicious attachment:

Date:      Thu, 2 May 2013 03:01:38 +0400 [05/01/13 19:01:38 EDT]
From:      Federal Reserve [alerts@federalreserve.gov]
Subject:      Your Wire Transfer 07532312 canceled

The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately 
There is an attachment PAYMENT RECEIPT 01-05-2013.zip which in turn contains the malicious executable Receipt on payment ID758-34.exe which Comodo CAMAS reports has the following checksums:
MD5652d9919b209562bc8bb79b34e3af47d
SHA1cb90c55378366d3e8633ee1ea69f02f9e66da722
SHA2565151bd7722a5fee83edff91b6ff9b32c47ca1ac2eabad87b0639b22851453d62

VirusTotal results are just 18/46.  The Anubis report and ThreatExpert report only give limited information. The ThreatTrack report [pdf] is more detailed and reveals some botnet IPs that the malware calls back to.

No comments: