2014-07-30 - PHISHING EMAIL - SUBJECT: FW : PAYMENT SLIP

ASSOCIATED FILES:


TODAY'S PHISHING EMAIL


MESSAGE TEXT:

Subject: FW : Payment Slip
Date: Wed, 30 Jul 2014 11:20:50 UTC
From: icegate@orientm.com
To: undisclosed-recipients:;

Good Day,

Please find attached our deposit payment as authorized by our bank below.
Kindly confirm and start mass production asap.

Looking forward to your immediate response.

Regards,

John Candy
Senior Account Manager.

--------- Original Message --------
From: HSBC Advising Service
To: alex.cheng@technomix.com.hk <alex.cheng@technomix.com.hk>

Subject: Payment Advice - Advice Ref:[G62315968954] / Priority payment /
Customer Ref:[DOC 24678]

Date: 30/06/14 12:00

Dear Sir/Madam,

The attached payment advice is issued at the request of our
customer. The advice is for your reference only.

Yours faithfully,
Global Payments and Cash Management HSBC
***********************************************
Last message received on 6/30


PRELIMINARY MALWARE ANALYSIS

FILE ATTACHMENT:

File name:  PAYMENT SLIP SZOETISW KARAMEN VETINAM.7z
File size:  464.2 KB ( 475331 bytes )
MD5 hash:  14968d88c49db1464c17f34da11bdc37
Detection ratio:  11 / 53
First submission:  2014-07-30 11:27:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c39af73d982ada606d6bf045822b80a2b02a838c0b3e49f86cb40667d5c8c0d9/analysis/


EXTRACTED MALWARE:

File name:  PAYMENT SLIP SZOETISW KARAMEN VETINAM.exe
File size:  480.0 KB ( 491520 bytes )
MD5 hash:  fd621bbd1a7fcf6d84210e11ac16a310
Detection ratio:  13 / 54
First submission:  2014-07-30 12:35:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/744433f38a6aa3b8377f0b7b21b7d4cdb1797d81445ed1ad8fe68866a79b928d/analysis/


TRAFFIC FROM THE SANDBOX ANALYSIS

HTTP GET REQUESTS:


SNORT EVENTS

Emerging Threats and ETPRO signature hits from Sguil after using tcpreplay on Security Onion:

Sourcefire VRT signature reading the PCAP with Snort 2.9.6.0 on Ubuntu 14.04 LTS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.