2014-08-01 - PHISHING EMAIL - SUBJECT: DEBT

ASSOCIATED FILES:

 

TODAY'S PHISHING EMAILS

SCREENSHOTS:

 

 

MESSAGE TEXT (FIRST PHISHING EMAIL):

From: "Donya" <kontakt@poczta-gdansk.pl>
Subject: debt
Date: August 1, 2014 at 4:24:01 AM GMT
To: undisclosed-recipients:;
Reply-To: "Donya" <killergirl3676611@lycos.de>

You asked for information about our updated requisites for repayment.
See details in the attached file can be.

Attachment: Payment.zip (161 KB)

 

MESSAGE TEXT (SECOND PHISHING EMAIL):

From: "Bruna" <aperez>
Subject: Re: details
Date: August 1, 2014 at 4:42:51 AM GMT
Reply-To: "Bruna" <gruis.allverwandter@16098.orkanspaltung.de>

You asked for information about our updated requisites for repayment.
Details in the enclosure.

Attachment: Payment.zip (161 KB)

 

PRELIMINARY MALWARE ANALYSIS

FILE ATTACHMENT FROM BOTH EMAILS:

File name:  Payment.zip
File size:  156.9 KB ( 160655 bytes )
MD5 hash:  4e29b73523bfef83660badd169622aca
Detection ratio:  0 / 54
First submission:  2014-07-31 22:36:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4e6f47b5c0a15ed9e8e29fca04ef8dc6eba741ecf5e9274655debdfa8fa7350b/analysis/

 

EXTRACTED WORD DOCUMENT:

File name:  Payment.doc
File size:  355.0 KB ( 363520 bytes )
MD5 hash:  6eff822dff0d385321d2bacef4537b1c
Detection ratio:  0 / 53
First submission:  2014-08-01 13:34:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/12a8f8b09a1952404d8e97fbbe9a8e23941af4298f57948f7b877f6fdb9298da/analysis/

 

FOLLOW-UP MALWARE

File name:  u.exe
File size:  480.0 KB ( 491520 bytes )
MD5 hash:  fa936019d39549ccbb22a05724fb1720
Detection ratio:  6 / 54
First submission:  2014-08-01 02:58:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/992a5ffa1a51492198ccba2a2351640859433a81ab24bafdb92b3b60066e6a9c/analysis/
Totalhash link:  http://totalhash.com/analysis/a2c1d6a6533e63f4830854020742f52fd3192ce0
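The three artifacts above are identified by MD5 on the page and by SHA256 in the VirusTotal URLs, and the page notes that the attachment arrived as a ZIP wrapping a Word document that in turn fetched an executable. The script below is an added example, not part of the original post or of any of the tools it mentions: it sweeps a ZIP (recursing into nested ZIPs, honouring a password for ZipCrypto-protected archives such as the ones distributed from this site) and reports size, MD5, SHA256, container type (OLE2 document, PE, ZIP) and any hit against the indicator table transcribed from this page. The sample archive it builds is a constructed fixture with a fake OLE2 header, not the real Payment.zip, so against the page's indicators it reports no hit; the test adds the fixture's own hash to show a match.

```python
import hashlib
import io
import zipfile

# Indicators transcribed from this page: MD5s as listed, SHA256s taken from the
# VirusTotal URLs. Keys are lower-case hex digests.
PAGE_IOCS = {
    "4e29b73523bfef83660badd169622aca": "Payment.zip (160655 bytes)",
    "4e6f47b5c0a15ed9e8e29fca04ef8dc6eba741ecf5e9274655debdfa8fa7350b": "Payment.zip (160655 bytes)",
    "6eff822dff0d385321d2bacef4537b1c": "Payment.doc (363520 bytes)",
    "12a8f8b09a1952404d8e97fbbe9a8e23941af4298f57948f7b877f6fdb9298da": "Payment.doc (363520 bytes)",
    "fa936019d39549ccbb22a05724fb1720": "u.exe (491520 bytes)",
    "992a5ffa1a51492198ccba2a2351640859433a81ab24bafdb92b3b60066e6a9c": "u.exe (491520 bytes)",
}

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file (legacy .doc/.xls)
PE_MAGIC = b"MZ"                                # DOS/PE executable
ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP


def digests(data):
    """Return (md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def describe(name, data, iocs):
    """Summarise one blob: name, size, hashes, container type and IOC hit (or None)."""
    md5, sha256 = digests(data)
    if data.startswith(OLE_MAGIC):
        kind = "ole2"
    elif data.startswith(PE_MAGIC):
        kind = "pe"
    elif data.startswith(ZIP_MAGIC):
        kind = "zip"
    else:
        kind = "other"
    return {"name": name, "size": len(data), "md5": md5, "sha256": sha256,
            "kind": kind, "ioc": iocs.get(md5) or iocs.get(sha256)}


def scan(name, data, iocs=PAGE_IOCS, pwd=None, depth=0, max_depth=3):
    """Describe a blob and, if it is a ZIP, every member, recursing into nested ZIPs."""
    record = describe(name, data, iocs)
    results = [record]
    if record["kind"] != "zip" or depth >= max_depth:
        return results
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_name = f"{name}/{info.filename}"
            try:
                member = zf.read(info, pwd=pwd)
            except RuntimeError as exc:  # encrypted member with missing or wrong password
                results.append({"name": member_name, "error": str(exc)})
                continue
            results.extend(scan(member_name, member, iocs, pwd, depth + 1, max_depth))
    return results


def build_sample():
    """Constructed fixture: a ZIP holding a fake 'Payment.doc' that is only an OLE2 header."""
    fake_doc = OLE_MAGIC + b"\x00" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment.doc", fake_doc)
    return buf.getvalue(), fake_doc


if __name__ == "__main__":
    zip_bytes, _ = build_sample()
    for rec in scan("Payment.zip", zip_bytes):
        print(rec)
```

To use it on a real sample, read the archive into memory and call `scan("Payment.zip", data, pwd=b"...")`; a hit on either digest is reported in the `ioc` field. The `kind` column is the quick sanity check for this campaign: an "ole2" member inside the ZIP matches what the page describes, whereas a "pe" member would mean the attachment is a straight executable rather than a document dropper.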

 

TRAFFIC FROM THE MALWARE

MALICIOUS WORD DOCUMENT CALLS FOR FOLLOW-UP MALWARE:

 

SANDBOX ANALYSIS ON FOLLOW-UP MALWARE:

 

SNORT EVENTS ON THE SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
