Date: Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.
From: "Paychex, Inc" [paychexemail@paychex.com]
Subject: ACH Notification : ACH Process End of Day Report
Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.
Thank you for your cooperation.
The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2] and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.
No comments:
Post a Comment