
Tuesday 30 April 2013

"Your Wire Transfer 82932922 canceled" spam / Payment reeceipt.exe / 78.139.187.6

This fake wire transfer spam comes with a malicious attachment:

Date:      Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From:      Federal Reserve [alerts@federalreserve.gov]
Subject:      Your Wire Transfer 82932922 canceled

The Wire transfer, recently sent from your bank account, was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately 

In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document, called Payment reeceipt.exe. This executable has a so-so VirusTotal detection rate of 29/46.

The malware has the following checksums according to Comodo CAMAS:
Size: 371712
MD5: 0a3723483e06dcf7e51073972b9d1ef3
SHA1: 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA256: 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd

Anubis has a pretty detailed report of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia), which seems to be a C&C server. This IP has also been seen here. There are several other IPs involved, but these look like DSL subscribers with dynamic addresses, so are probably part of a botnet. For the sake of completeness they are:

64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67
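As an added example (not part of the original post), here is a small Python IoC sweep that puts the indicators above to work on the defender's side: it checks a file's digests against the three CAMAS checksums, lists executables hidden inside a zip attachment like the one described, and flags firewall log lines whose destination is one of the listed addresses, rating the C&C address higher than the suspected botnet members. The hashes and IPs are taken from the post; the log format, the log lines and the zip attachment are constructed for the demo and are not real samples.

```python
"""IoC sweep for the "Your Wire Transfer ... canceled" campaign.

Constructed example: the hashes and IPs come from the post above; the
firewall log format, the log lines and the zip attachment are made up here.
"""
import hashlib
import io
import ipaddress
import re
import zipfile

# Indicators from the post (Comodo CAMAS checksums, Anubis network IoCs)
SAMPLE_HASHES = {
    "md5": "0a3723483e06dcf7e51073972b9d1ef3",
    "sha1": "293735a9fdc7e786b12c2ef92f544ffc53a0a0e7",
    "sha256": "0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd",
}
CNC_IP = "78.139.187.6"
BOTNET_IPS = {"64.231.249.250", "69.183.226.70", "78.139.187.6",
              "81.133.189.232", "123.237.234.67"}
# Extensions a mail gateway should treat as executable inside an archive
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def identify_sample(data: bytes) -> list[str]:
    """Return the hash algorithms whose digest of `data` matches the known sample."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [algo for algo, known in SAMPLE_HASHES.items() if digests[algo] == known]


def executables_in_zip(zip_bytes: bytes) -> list[str]:
    """List members of a zip attachment that carry an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.lower().endswith(EXEC_EXTENSIONS)]


# Hypothetical firewall log format: "<timestamp> <src_ip> -> <dst_ip>:<port> <action>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def scan_log(lines) -> list[dict]:
    """Flag connections to any IoC address; the C&C address gets a higher severity."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format, skip rather than crash
        ts, src, dst, port, _action = m.groups()
        try:
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination was a hostname, not an address
        if dst in BOTNET_IPS:
            hits.append({"time": ts, "src": src, "dst": dst, "port": int(port),
                         "severity": "high" if dst == CNC_IP else "medium"})
    return hits


def build_demo_attachment() -> bytes:
    """Constructed zip mimicking the spam attachment; payload is dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment reeceipt.exe", b"MZ placeholder - constructed, not the real sample")
    return buf.getvalue()


# Constructed log lines: one to the C&C, one to a suspected bot, one benign, one junk
DEMO_LOG = [
    "2013-04-30T15:30:01 10.0.0.5 -> 78.139.187.6:80 allow",
    "2013-04-30T15:30:02 10.0.0.5 -> 8.8.8.8:53 allow",
    "2013-04-30T15:31:10 10.0.0.7 -> 81.133.189.232:443 allow",
    "garbage line",
]

if __name__ == "__main__":
    print("executables in attachment:", executables_in_zip(build_demo_attachment()))
    print("hash matches for dummy bytes:", identify_sample(b"constructed bytes"))
    for hit in scan_log(DEMO_LOG):
        print(hit)
```

Point the hash check at the unpacked attachment rather than the zip: the published checksums are for the 371712-byte executable, and repacking the archive changes the zip's digest without changing the payload's.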

