Sponsored by..

Showing posts with label Slovakia. Show all posts
Showing posts with label Slovakia. Show all posts

Monday, 29 June 2015

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:


That binary has a detection rate of just 2/55 [Malwr analysis] Also, Hybrid Analysis [1] [2] shows the following IPs are contact for what looks to be malicious purposes: (Landis Holdings Inc, US) (Panhandle Telecommunications Systems Inc., US) (ENERGOTEL a.s./ Skylan s.r.o, Slovakia) (Visionary Communications Inc., US) (Chickasaw Telephone, US) (Secom Inc , US) (Servei De Telecomunicacions D'Andorra, Andorra) (ISP Slovanet (MNET) Brezno, Czech Republic) (Orion Telekom, Serbia) (AgaNet Agata Goleniewska, Poland) (SWAN, a.s. TRIO network, Slovakia) (PP Merezha, Ukraine) (Safelink Internet, US) (Chickasaw Telephone, US) (E-Light-Telecom, Russia) (Trk Efir Ltd., Ukraine) (Orion Telekom, Serbia) (FLP Pirozhok Elena Anatolevna, Ukraine) (Southwest Oklahoma Internet, US) (Subnet LLC, Russia) (TRIOLAN / Content Delivery Network Ltd, Ukraine) (PSINet, US) (DSi DATA s.r.o., Slovakia) (Private Enterprise Radionet, Ukraine) (Moldtelecom LIR, Moldova) (Visionary Communications Inc., US)

I am unable to determine exactly what the payload is on this occassion.

Recommended blocklist:


Wednesday, 24 June 2015

Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"

This fake legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations

Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above  .
Pamela Adams
Chief accountant

In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.

Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs: (C2NET Przno, Czech Republic) (Clarity Telecom LLC / PrairieWave, US) (Radionet, Ukraine) (Safelink Internet , US) (Orion Telekom, Serbia) (SWAN, a.s. TRIO network, Slovakia) (Rostelecom / VolgaTelecom, Russia) (Telekom Srbija, Serbia)

The Malwr report and Hybrid Analysis report indicate a couple of  dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.

Recommended blocklist: