2014-07-16 - PHISHING EMAIL - SUBJECT: HOOVERS ORDER (URGENT!)

ASSOCIATED FILES:


TODAY'S PHISHING EMAIL

Saw the following email today:


MESSAGE TEXT:

From: Un Saldo <hooversconglomerate@outlook.com>
Reply-To: <hooversconglomerate@outlook.com>
Date: Wednesday, July 16, 2014 at 22:13 UTC
To: <hooversconglomerate@outlook.com>
Subject: Hoovers Order (Urgent!)

--
Hello

Please send us a PI for the following models as attached Purchase Order

Also inform us how many pcs for a full 5*40ft containers so we can add
more as customers request.

We have been trying to contact your colleague who has been corresponding
with our company about the confirmation but no
response.

Kindly check and advise asap

I await for your response.

Best Regards,
Un Saldo
Hoovers Ltd
hooversconglomerate@outlook.com
+34 945 891 234


PRELIMINARY MALWARE ANALYSIS

FILE ATTACHMENT

File name:  PO.zip
File size:  377.9 KB ( 386946 bytes )
MD5 hash:  5b324144630ee60d4c7e6999bc7f915e
Detection ratio:  2 / 54
First submission:  2014-07-16 23:03:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/31fa3b4f7eef1df37003199d3e9b080b8e4fb2a1d20ce261fafd59cb88d95079/analysis/


EXTRACTED MALWARE:

File name:  PO
File size:  420.9 KB ( 431001 bytes )
MD5 hash:  9aff15987eb75f2c672acb7574c3eb1c
Detection ratio:  2 / 47
First submission:  2014-07-16 23:04:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/47c20ae8c768c8169f9e49d7dd715a8de03de23d6449ea3f077094a76cd7c4e6/analysis/
Malwr link:  https://malwr.com/analysis/YmQ2NDBjNDUyNmNiNGMzOTkzMjQwN2Q1NzZkMTA4NzM/


The extracted file has no extension; a .exe extension was added so it shows the proper icon.
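Because the extracted file carries no extension, a check that keys on the PE header rather than the file name is the useful one. As an added example (not from the original post), here is a Python script that scans a zip archive and reports any member whose bytes are a Windows PE image regardless of its name; the archive it scans is a constructed stand-in built in memory, not the PO.zip above.

```python
import io
import struct
import zipfile

PE_SIG = b"PE\0\0"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def find_pe_members(zip_bytes: bytes):
    """Return [(member_name, reason)] for every archive member that is a PE, whatever its file name says."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)  # the DOS and PE headers sit in the first few KB
            if looks_like_pe(head):
                basename = info.filename.rsplit("/", 1)[-1]
                reason = "PE with no extension" if "." not in basename else "PE"
                hits.append((info.filename, reason))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: a minimal fake PE named 'PO' (no extension) plus a harmless text file."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)         # e_lfanew -> 0x80
    fake_pe += b"\0" * (0x80 - len(fake_pe)) + PE_SIG + b"\0" * 0x100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PO", bytes(fake_pe))
        zf.writestr("readme.txt", "not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_pe_members(build_sample_zip()):
        print(f"{name}: {reason}")
```

Point the same function at a real archive's bytes to triage attachments like this one before anyone double-clicks an extensionless member.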


TRAFFIC FROM THE MALWR.COM SANDBOX ANALYSIS

HTTP GET REQUESTS:


INFO ON THE MALWARE CALLBACK DOMAIN:



Viewing the malware callback domain name in a web browser.


SNORT EVENTS

Emerging Threats and ETPRO signature hits from Sguil after using tcpreplay on Security Onion:

NOTE: tcpreplay didn't send all of the packets when I tried playing back the malwr.com pcap, so these may not be all the Emerging Threats signatures.


Sourcefire VRT signature hits from reading the PCAP with Snort 2.9.6.0 on Ubuntu 14.04 LTS:


FOLLOW-UP NOTES

The Sourcefire VRT signatures above all reference the following malware, submitted to VirusTotal in October 2013:

MD5 hash:  f2461d578f5948ac803d03f40100e240
File size:  189.2 KB ( 193749 bytes )
Detection ratio:  41 / 53
First submission:  2013-10-25 21:10:04 UTC
http://virustotal.com/en/file/2EE81DFCB16F6E9D57CBD114BF16E4237572D1356220BC58B74306841A0D0AE4/analysis/
https://malwr.com/analysis/YmQ2NDBjNDUyNmNiNGMzOTkzMjQwN2Q1NzZkMTA4NzM/


The same malware was submitted to Malwr.com almost 5 months later, and it shows traffic patterns similar to today's malware sample:

Both blessmyhustles.com and today's callback domain, oluwaisinvolve.info, have the same registrant email address in their WHOIS records: salesadvert19@gmail.com


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
