
Friday, 19 June 2015

Malware spam: "New instructions" / "instructions_document.exe"

This rather terse spam comes with a malicious payload:
From:    tim [tim@thramb.com]
Date:    19 June 2015 at 16:40
Subject:    New instructions

New instructions payment of US banks, ask to read

Attached is an archive file with the somewhat unusual name of "instructions.zip size=19811", which contains a malicious executable named instructions_document.exe.

The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57]. Automated analysis tools [1] [2] [3] [4] show traffic to:

93.93.194.202:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID

which is an IP operated by Orion Telekom in Serbia, and also to 66.196.63.33:443, which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which, while not malicious in itself, is quite a good indicator of infection.

In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.

Recommended blocklist:
93.93.194.202
66.196.63.33
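As an added example (not part of the original post), the following script turns the indicators above into a simple proxy-log sweep: it flags the two blocklisted IPs, the Upatre check-in path shape, and the icanhazip.com lookup, then scores each internal host. The check-in path regex is generalised from the single URL seen above, so its field layout is an assumption, and the log lines are constructed for the example rather than real traffic. Note how an icanhazip.com lookup alone only rates "suspicious", since that service is legitimate.

```python
import re
from collections import defaultdict

# Indicators taken from the post above.
BLOCKLIST_IPS = {"93.93.194.202", "66.196.63.33"}
IP_LOOKUP_HOSTS = {"icanhazip.com"}  # benign service, but contacted by this Upatre generation

# Generalised from the one observed check-in path
# /C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID; the field layout is an assumption.
UPATRE_PATH_RE = re.compile(r"^/[A-Z0-9]+/[A-Z]+/\d+/\d+-SP\d/\d+/[A-Z]+$")

# Constructed log format (assumption): "<timestamp> <src_ip> <dst_host>:<port> <method> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<path>\S+)$"
)

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = """\
2015-06-19T16:42:01Z 10.0.0.15 icanhazip.com:80 GET /
2015-06-19T16:42:03Z 10.0.0.15 93.93.194.202:13222 GET /C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID
2015-06-19T16:42:09Z 10.0.0.15 66.196.63.33:443 CONNECT /
2015-06-19T16:45:00Z 10.0.0.22 www.example.com:80 GET /index.html
2015-06-19T16:46:00Z 10.0.0.31 icanhazip.com:80 GET /
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def classify(entry):
    """Return the names of the indicators that fire for a single log entry."""
    hits = []
    if entry["host"] in BLOCKLIST_IPS:
        hits.append("blocklisted-ip")
    if UPATRE_PATH_RE.match(entry["path"]):
        hits.append("upatre-checkin-path")
    if entry["host"] in IP_LOOKUP_HOSTS:
        hits.append("external-ip-lookup")
    return hits


def scan(log_text):
    """Aggregate indicators per internal source host and return a verdict for each.

    A blocklisted destination or the check-in path is treated as 'infected';
    an external IP lookup on its own is only 'suspicious' because icanhazip.com
    is a legitimate service; no indicators means 'clean'.
    """
    strong = {"blocklisted-ip", "upatre-checkin-path"}
    per_src = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        per_src[entry["src"]].update(classify(entry))

    verdicts = {}
    for src, hits in per_src.items():
        if hits & strong:
            verdicts[src] = "infected"
        elif hits:
            verdicts[src] = "suspicious"
        else:
            verdicts[src] = "clean"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(scan(SAMPLE_LOG).items()):
        print(src, verdict)
```

Running the script against the constructed log reports 10.0.0.15 as infected, 10.0.0.31 as suspicious (icanhazip.com only) and 10.0.0.22 as clean; for real use, feed it your proxy or firewall log in the same field order, and treat the "suspicious" hosts as candidates for a closer look rather than confirmed infections.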

MD5s:
329a2254cf4c110f3097aafdaa50c82a


1 comment:

Asdf ASDF said...

Hi Conrad, thank you for this post and the blog in general. I took your sample and extracted its configuration; apart from 66.196.63.33 there are 49 other download targets. I put them on Pastebin.


Almost all of them are still active as of now and deliver the Dyre payload. All payloads are the same and decrypt to the sample ad931a78fd807e691a883cb10493f59d. You can find the links to the VirusTotal and Malwr scans in the Pastebin. I made the Malwr scan public, so you should be able to download the payload from there if interested; otherwise I can also upload it for you.