2014-08-13 - PHISHING EMAILS WITH LINKS TO MALWARE HOSTED ON COPY.COM

ASSOCIATED FILES:

 

NOTES:

 

PHISHING EMAILS NOTED:

 

EXAMPLES OF THE PHISHING EMAILS

SCREENSHOTS:

 

MESSAGE TEXT:

-----Original Message-----
From: "jay@suttonvt.net" <jay@suttonvt.net>
Date: Wednesday, August 13, 2014 at 3:04 UTC
To:
Subject: You have got a money [email address]

Coby Short has sent a money to you.

Get an order file

Please visit the link given above to see more details about this issue.

Regards,
BB&T Corporation.

 

-----Original Message-----
From: "chrisbarber@brysanutility.com" <chrisbarber@brysanutility.com>
Date: Wednesday, August 13, 2014 at 3:05 UTC
To:
Subject: You have received a money [email address]

You have got a funds from Lawrence Hemmings.

View the invoice

Please hit the link provided above to have more info about this issue.

Regards,
Cathay General Bancorp.

 

-----Original Message-----
From: "compras.rosana@santamarcelina.org" <compras.rosana@santamarcelina.org>
Date: Wednesday, August 13, 2014 10:16 UTC
To:
Subject: You have got a payment [email address]

Steel Underwood has sent a money to you.

Open an order file

Please click the link provided at the top to see more details about this issue.

Regards,
Allied Irish Banks.

 

MALWARE LINKS FROM THE EXAMPLES

 

PRELIMINARY MALWARE ANALYSIS

File name:  Payment_55259.scr
File size:  201.8 KB ( 206634 bytes )
MD5 hash:  b02187bf1c20c07b4191f0a779e4b754
Detection ratio:  14 / 54
First submission:  2014-08-13 14:38:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6d52c9e17f0c5e5140fa3cd761a107889580a42263c80b17067fe66e5dcb105f/analysis/

 

File name:  Order_43114.scr
File size:  238.2 KB ( 243871 bytes )
MD5 hash:  174a0920f66c78f19d2eb61fed94bf8c
Detection ratio:  13 / 54
First submission:  2014-08-13 08:28:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/637b44ef49d87e54409e7b13a785969d8865a0b5a4ca1a2f1178e83b7913a18c/analysis/

 

File name:  Ivoice_45852.scr
File size:  184.6 KB ( 189029 bytes )
MD5 hash:  d871b820be94edcaa9e70a0661fecbc5
Detection ratio:  9 / 54
First submission:  2014-08-13 14:10:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/af17384d15fc3e6997f0d98ea0d9c6b5b5a9dfb97bb0d76c8330ec5576b2e8f9/analysis/

 

FOLLOW-UP MALWARE:

File name:  element1208_spm2.exe
File size:  268.5 KB ( 274944 bytes )
MD5 hash:  be09f3abe7ed05b9ee658ba6d221c8c3
Detection ratio:  3 / 54
First submission:  2014-08-13 23:42:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4f18fea740baf9c11556e522e3cd7703e302412db9c9f2f0de8c7db3def5a850/analysis/

 

SANDBOX TRAFFIC

PAYMENT_55259.SCR:

14:45:44 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php
14:46:12 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php

 

ORDER_43114.SCR:

22:55:26 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php
22:55:29 UTC - 209.51.138.119 port 80 - fonvalores.com - GET /images/element1208_spm2.exe
22:55:43 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php
22:55:46 UTC - 209.51.138.119 port 80 - fonvalores.com - GET /images/element1208_spm2.exe
22:55:54 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php

 

IVOICE_45852.SCR:

22:55:34 UTC - 194.58.102.91 port 8000 - 194.58.102.91:8000 - POST /activation125.php
22:55:37 UTC - 209.51.138.119 port 80 - fonvalores.com - GET /images/element1208_spm2.exe
22:55:49 UTC - 194.58.102.91 port 8000 - 194.58.102.91:8000 - POST /activation125.php
22:56:15 UTC - 194.58.102.91 port 8000 - 194.58.102.91:8000 - POST /activation125.php

 

 

ELEMENT1208_SPM2.EXE:

23:45:59 UTC - 74.125.129.16 port 25 - 220 mx.google.com ESMTP v9si4604526wah.36
23:46:03 UTC - 91.223.86.185 port 80 - spm2.win32system.com - POST /cmd.php
23:46:03 UTC - 91.223.86.185 port 80 - spm2.win32system.com - GET /cmd.php
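
As an added example (not code from the original write-up), a small parser for sandbox traffic lines in the format used above. It groups the POST check-ins by endpoint, flags the ones whose Host is a bare IP:port (the 5.135.28.110:8080 pattern seen in two of the runs), and lists the follow-up payload GETs. The sample log is the Order_43114.scr run copied from above, plus the SMTP banner line from the element1208_spm2.exe run to show that non-HTTP lines are skipped rather than mis-parsed.

```python
import re
from collections import Counter

# Constructed sample: the Order_43114.scr lines from this write-up plus
# one non-HTTP (SMTP banner) line from the element1208_spm2.exe run.
SAMPLE_LOG = """\
22:55:26 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php
22:55:29 UTC - 209.51.138.119 port 80 - fonvalores.com - GET /images/element1208_spm2.exe
22:55:43 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php
22:55:46 UTC - 209.51.138.119 port 80 - fonvalores.com - GET /images/element1208_spm2.exe
22:55:54 UTC - 5.135.28.110 port 8080 - 5.135.28.110:8080 - POST /home.php
23:45:59 UTC - 74.125.129.16 port 25 - 220 mx.google.com ESMTP v9si4604526wah.36
"""

# One HTTP line in the write-up's format: time, server IP and port, Host header, request line
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) UTC - (?P<ip>[\d.]+) port (?P<port>\d+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>/\S*)$"
)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def parse_line(line):
    """Return a dict for an HTTP line, or None for lines in another format (e.g. SMTP)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def summarize(events):
    """Count POST check-ins per endpoint, note bare-IP Hosts, list executable downloads."""
    checkins = Counter()
    direct_ip = set()
    payloads = []
    for e in events:
        endpoint = f"{e['host']}{e['path']}"
        if e["method"] == "POST":
            checkins[endpoint] += 1
            if BARE_IP_RE.match(e["host"]):
                direct_ip.add(endpoint)
        elif e["method"] == "GET" and e["path"].lower().endswith((".exe", ".scr")):
            if endpoint not in payloads:
                payloads.append(endpoint)
    return {"checkins": dict(checkins), "direct_ip_c2": sorted(direct_ip),
            "payload_urls": payloads}

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

The same three functions run unchanged over the Ivoice_45852.scr and element1208_spm2.exe blocks above; only the SMTP line is dropped.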

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.