Friday, 26 July 2013

Bank of America "Your transaction is completed" spam / payment receipt 26-07-2013.zip

This fake Bank of America spam has a malicious attachment:

Date:      Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From:      impairyd04@gmail.com
Subject:      Your transaction is completed

Transaction is completed. $09681416 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2013 Bank of America Corporation. All rights reserved

There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal.
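As an added example that is not part of the original post, here is a small Python triage routine for the attachment pattern described above: it opens a .zip attachment in memory, flags any member whose extension Windows would execute (a "receipt" should never be one), and records its SHA-256 for a VirusTotal lookup. The message it builds is a constructed stand-in carrying a harmless text stub under the malicious file name, not the real sample.

```python
"""Triage a mail attachment of the kind described above: a .zip that
wraps an executable named to look like a document (added example)."""
import hashlib
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run directly; none belongs in a payment receipt.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message() -> bytes:
    """Constructed stand-in for the spam above: the zip holds a harmless
    text stub under the same name as the malicious executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment receipt 26-07-2013.exe", b"not a real PE file")
    msg = EmailMessage()
    msg["From"] = "impairyd04@gmail.com"
    msg["Subject"] = "Your transaction is completed"
    msg.set_content("Payment receipt is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="payment receipt 26-07-2013.zip")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> list:
    """Return one finding per archive member with an executable extension,
    carrying the SHA-256 a responder would look up on VirusTotal.
    A corrupt archive is reported as a finding of its own."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    ext = os.path.splitext(info.filename)[1].lower()
                    if ext in EXECUTABLE_EXTS:
                        digest = hashlib.sha256(zf.read(info)).hexdigest()
                        findings.append({"archive": name, "member": info.filename,
                                         "sha256": digest})
        except zipfile.BadZipFile:
            findings.append({"archive": name, "member": None, "sha256": None})
    return findings
```

Running `triage_attachments(build_sample_message())` yields a single finding naming the .exe member; in practice the function is fed the raw message pulled from the mail gateway's quarantine.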

The Malwr report is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant:


UPDATE: In the first version of this list I accidentally included the following Google IPs. Don't block these:
173.194.70.94
173.194.70.103
