2014-09-22 - PHISHING EMAIL - SUBJECT: NATWEST STATEMENT

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE TEXT:

Subject: NatWest Statement

NatWest Statement
View Your September 2014 Online Financial Activity Statement

Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:

View/Download as a PDF
View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.
Sincerely,

NatWest Bank

Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ® Merchant account, please speak to a Customer Service representative at 1-800-374-2639

NatWest Bank Customer Service Department
P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.


LINK FROM THE EMAIL:


PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  document22092014_73327_pdf.zip
File size:  8.0 KB ( 8204 bytes )
MD5 hash:  6c8ed273b90d72126b3d80b035465b93
Detection ratio:  20 / 53
First submission:  2014-09-22 12:06:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/546d560fafbd2d346557c0bd0cdc669a8d617b068e43a154517f96597146b9a9/analysis/


EXTRACTED MALWARE:

File name:  document22092014_73327_pdf.exe
File size:  20.5 KB ( 20992 bytes )
MD5 hash:  2fc0fde0b9505a318e0256ec87290df0
Detection ratio:  19 / 52
First submission:  2014-09-22 11:01:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8040c1cee63db55b348dea8f07ad42d1c78f9ed2c4ff90a9f9accffa7aba186f/analysis/


DROPPED MALWARE:

File name:  rrgyb.exe
File size:  404.0 KB ( 413696 bytes )
MD5 hash:  d22242741cf4ae2ef2a5fde73eb0fbd7
Detection ratio:  11 / 54
First submission:  2014-09-22 14:27:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4be29ac27d7eca53ae5f727eedc80cd695d0967bd8535b96b6599121ab1bbbb2/analysis/


INFECTION TRAFFIC

MALWARE DOWNLOADED FROM LINK IN EMAIL:

INFECTED VM: UPATRE CALL FOR MORE MALWARE:

INFECTED VM: ATTEMPTED TCP TRAFFIC:

INFECTED VM: STUN TRAFFIC TO VOIP (AND POSSIBLY OTHER) SERVERS:


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


SCREENSHOTS OF THE TRAFFIC

Phishing malware (Upatre) calling for more malware:

Some of the STUN traffic from the infected VM (http://en.wikipedia.org/wiki/STUN):


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
