From: pghaa@pghaa.org
To: victim@victimdomain.com
Date: 3 October 2014 11:43
Subject: victim@victimdomain.com
Thanks for shopping with us today! Your purchase will be processed shortly.
ORDER DETAILS
Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@victimdomain.com
Amount: 4580 US Dollars
Open your payment details
Please click the link provided above to get more details about your order.

In this case the download location is https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others.
The download file is Payment Details_52375.zip, containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe. The name is a double-extension lure: a PDF-looking name with the real executable extension pushed out of sight after padding (.scr is a Windows screensaver, which is an ordinary executable). It has a VirusTotal detection rate of 5/55. At the moment, automated analysis tools [1] [2] [3] are inconclusive as to what it does.
UPDATE: it is also being distributed via
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1
https://www.dropbox.com/s/fvogsazezmv00hw/Transaction_G287O.zip?dl=1
https://www.dropbox.com/s/42b7binqmk8auu9/Payment_Details_A0869.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1
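The lure above (a forced-download Dropbox link to a zip holding a PDF-named .scr) and the UPDATE list of further download locations both call for the same defender-side check: pull the dl=1 Dropbox zip links out of a message, then inspect the zip's member names and first bytes without extracting or running anything. The following Python is an added example written for this page, not code from the original post or its commenters. The mail body it scans is constructed from the URLs listed in the post (plus a dl=0 preview variant that must not be flagged), the zip it triages is a constructed stand-in holding only an MZ stub rather than the real sample, and the extension lists are assumptions about typical lures, not something the post enumerates.

```python
import io
import re
import zipfile
from urllib.parse import parse_qs, unquote, urlparse

# Document-looking extension, optional whitespace padding, then an executable
# extension: the shape of "PAYMENT DETAILS.PDF                    .scr".
# Both extension lists are assumptions, not something the post enumerates.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|rtf|txt|jpg|png)\s*\.(scr|exe|pif|com|bat|cmd|js|vbs)$",
    re.IGNORECASE,
)
EXEC_EXT_RE = re.compile(r"\.(scr|exe|pif|com|bat|cmd)$", re.IGNORECASE)

# Constructed member name modelled on the lure in the post (20 spaces of padding).
LURE_NAME = "PAYMENT DETAILS.PDF" + " " * 20 + ".scr"


def dropbox_direct_downloads(text):
    """Return (url, filename) for each Dropbox share link in `text` that forces a
    download (dl=1) of a .zip. The filename is URL-decoded, so
    Payment%20Details_52375.zip comes back as "Payment Details_52375.zip"."""
    hits = []
    for url in re.findall(r"https?://\S+", text):
        parts = urlparse(url)
        if parts.netloc.lower() not in ("www.dropbox.com", "dropbox.com"):
            continue
        if parse_qs(parts.query).get("dl") != ["1"]:
            continue  # dl=0 (or absent) is a preview page, not a forced download
        name = unquote(parts.path.rsplit("/", 1)[-1])
        if name.lower().endswith(".zip"):
            hits.append((url, name))
    return hits


def triage_zip(data):
    """List suspicious members of a zip held in memory. Nothing is written to
    disk or executed; only member names and the first two bytes are examined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if DOUBLE_EXT_RE.search(info.filename):
                reasons.append("padded double extension")
            if EXEC_EXT_RE.search(info.filename):
                reasons.append("executable extension")
            with zf.open(info) as member:
                if member.read(2) == b"MZ":  # DOS/PE executable magic
                    reasons.append("MZ header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed stand-in for Payment Details_52375.zip: a PDF-named .scr whose
    body is just an MZ stub, plus a harmless text file. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LURE_NAME, b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


# Constructed message body carrying the download locations listed in the post,
# plus a dl=0 preview link (constructed) that must not be flagged.
SAMPLE_MAIL = """Subject: victim@victimdomain.com
Thanks for shopping with us today! Your purchase will be processed shortly.
Open your payment details: https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1
https://www.dropbox.com/s/fvogsazezmv00hw/Transaction_G287O.zip?dl=1
https://www.dropbox.com/s/42b7binqmk8auu9/Payment_Details_A0869.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1
https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=0
"""

if __name__ == "__main__":
    for url, name in dropbox_direct_downloads(SAMPLE_MAIL):
        print("forced download:", name, "<-", url)
    for member, reasons in triage_zip(build_sample_zip()):
        print("suspicious member:", repr(member), ", ".join(reasons))
```

The MZ check matters because the name checks alone can be dodged by a plain `.exe` with no document decoy, and the name checks matter because a renamed PE with a benign-looking stub would pass the magic check; run both, and treat any zip that arrives via a dl=1 share link with a lure-style filename as worth holding at the gateway rather than delivering.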
2 comments:
This email, in various forms using multiple subject lines, has been observed since at least July. I would love to know what the malware is actually doing. It has also used copy.com in addition to Dropbox.
We see various connections, in particular POST 5.63.155.195:8080/home.php