Date: Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]I guess the psychology here is that if you can't tell a convincing lie, then tell a short one. The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52.
From: Accounts Dept [menopausaln54@jaygee.co.uk]
Subject: Email invoice: 1888443
This email contains an invoice file attachment
Automated analysis tools of this binary [1] [2] [3] shows that it downloads a further component from one of the following locations:
pgalvaoteles.pt/111
axisbuild.com/111
sadiqtv.com/111
hostaldubai.com/111
nbook.far.ru/111
relimar.com/111
webbook.pluto.ro/111
bugs.trei.ro/111
gaunigeria.com/111
rubendiaz.net/111
adventiaingenieria.es/111
assurances-immobilier.com/111
markus.net.pl/111
www.mrpeter.it/111
inmobiliariarobinson.com/111
cigelecgeneration.com/111
hbeab.com/111
lefos.net/111
pk-100331.fdlserver.de/111
decota.es/111
lefos.net/111
krasienin.cba.pl/111
rallyeair.com/111
camnosa.com/111
caclclo.web.fc2.com/111
beautysafari.com/111
www.delytseboer.com/111
atelierprincesse.web.fc2.com/111
czarni.i15.eu/111
gogetgorgeous.com/111
This "111.exe" binary has an even lower VirusTotal detection rate of 3/51. Automated analysis of this shows [1] [2] [3] shows the malware installs itself deeply into the target system.
There is a further dowload of a malicious binary from files.karamellasa.gr/tvcs_russia/2.exe which has a detection rate of 5/50 and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system [1] [2] [3].
Recommended blocklist:
pgalvaoteles.pt
axisbuild.com
sadiqtv.com
hostaldubai.com
nbook.far.ru
relimar.com
webbook.pluto.ro
bugs.trei.ro
gaunigeria.com
rubendiaz.net
adventiaingenieria.es
assurances-immobilier.com
markus.net.pl
www.mrpeter.it
inmobiliariarobinson.com
cigelecgeneration.com
hbeab.com
lefos.net
pk-100331.fdlserver.de
decota.es
lefos.net
krasienin.cba.pl
rallyeair.com
camnosa.com
caclclo.web.fc2.com
beautysafari.com
www.delytseboer.com
atelierprincesse.web.fc2.com
czarni.i15.eu
gogetgorgeous.com
files.karamellasa.gr
No comments:
Post a Comment