2014-10-02 - PHISHING EMAIL - SUBJECT: JOB IN FINANCIAL SERVICE

ASSOCIATED FILES:

 

NOTES:

 

PHISHING EMAIL DETAILS

SCREENSHOT:

 

MESSAGE TEXT:


From: Thane Bradford <builderwork@groupcarreerrr.com>
Reply-To: Thane Bradford <careerwork@careerbuilderr.net>
Date: Thursday, October 2, 2014 at 20:58 UTC
To:
Subject: Job in financial service

Good morning!!!
The companys careerbuilder has a good offer for you. One of the most successful financial service companies is hiring workers and you can be a part of successful team. If you are smart and motivated - send your resume to us.
Our customer offers a practical training period.
The average every year salary varies from 300K to 400K$.
You can get more information from the attachment below this letter.
We appreciate your time. Thank you for reading this info.

Attachment: INFO.zip (244.7 KB)
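The headers above carry the two signals a mail filter can act on before anyone opens the attachment: the Reply-To domain (careerbuilderr.net) differs from the From domain (groupcarreerrr.com), and both are letter-doubled imitations of the impersonated brand. The following Python script is an added example, not code from the original post: it rebuilds a stand-in message with the same From, Reply-To and Subject headers and a constructed INFO.zip containing a dummy INFO.scr (not the real malware), then flags the domain mismatch, the lookalike domain, and the executable inside the archive. Member names of a zip are readable even when the archive is password-protected, which is why the last check works on lures like this one. The brand name, extension lists and collapse-doubled-letters heuristic are assumptions chosen for this demonstration.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions Windows executes directly on double-click; .scr (screensaver)
# is an ordinary PE executable under a different extension.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
# Brand the lure impersonates (assumed); doubled letters are collapsed before
# comparing so "careerbuilderr" and "careerbuilder" reduce to the same key.
BRAND = "careerbuilder"


def domain_of(header_value):
    """Return the lower-cased domain part of an RFC 5322 address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def collapse_repeats(label):
    """Squeeze runs of the same character: 'carreerrr' -> 'carer'."""
    return re.sub(r"(.)\1+", r"\1", label)


def looks_like_brand(domain, brand=BRAND):
    """True when the registrable label, doubled letters collapsed, contains the brand."""
    label = domain.split(".")[0] if domain else ""
    return collapse_repeats(brand) in collapse_repeats(label)


def ext_of(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def executables_in_archive(payload):
    """List zip members with an executable extension (names are readable even
    when the archive content is password-protected)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if ext_of(n) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def assess_message(raw_bytes):
    """Parse a raw RFC 5322 message and return the phishing indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings = {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "lookalike_domains": [d for d in (from_domain, reply_domain) if looks_like_brand(d)],
        "archive_attachments": [],
        "executables_in_archives": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext_of(name) in ARCHIVE_EXTS:
            findings["archive_attachments"].append(name)
            findings["executables_in_archives"] += executables_in_archive(part.get_payload(decode=True))
    return findings


def build_sample_message():
    """Constructed stand-in for the phishing email: the headers from the write-up
    plus a zip holding a dummy INFO.scr instead of the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INFO.scr", b"MZ-not-a-real-binary")
    msg = EmailMessage()
    msg["From"] = "Thane Bradford <builderwork@groupcarreerrr.com>"
    msg["Reply-To"] = "Thane Bradford <careerwork@careerbuilderr.net>"
    msg["Subject"] = "Job in financial service"
    msg.set_content("The companys careerbuilder has a good offer for you.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="INFO.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in assess_message(build_sample_message()).items():
        print(f"{key}: {value}")
```

The collapse-repeats check is deliberately narrow: it catches the letter-doubling seen here but not other typosquatting styles (swapped letters, extra hyphens, homoglyphs), so in production it would sit beside an edit-distance comparison against a brand list.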

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  INFO.zip
File size:  181.1 KB ( 185477 bytes )
MD5 hash:  eccf92708f49ac1ec097fae8feb71cde
Detection ratio:  5 / 55
First submission:  2014-10-02 21:36:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4660af9d6fdae34ccb7b6b788f6f8b510247d4508ea44d5e1c949de045c8486/analysis/

 

EXTRACTED MALWARE:

File name:  INFO.scr
File size:  312.5 KB ( 320000 bytes )
MD5 hash:  58e3dd640785871be87dbeeb982d4b7a
Detection ratio:  3 / 55
First submission:  2014-10-02 22:10:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b4c6fa2b61a97269a6e7b244183558d636681127329f5be3ea0c18d7518daa1e/analysis/
Malwr link:  https://malwr.com/analysis/ZWY4MTA4YmVlZmNhNDg3Y2EwNDU1Zjk2NGRiN2NiY2Q/

 

SCREENSHOTS

When running the malware in a Windows 64-bit VM, I got the following error:

 

I renamed the file to an EXE extension and ran it as an administrator.  The malware copied itself to C:\ProgramData\explorer.exe and created the following registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run:
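Two host-side artifacts from this run make good detection material: a file named explorer.exe appearing outside C:\Windows, and a Run value under Wow6432Node (the view a 32-bit process is redirected to on 64-bit Windows, consistent with the 64-bit VM used here) pointing at a user-writable directory. The Python script below is an added example, not part of the original write-up: it runs two such rules over constructed, Sysmon-style FileCreate (Event ID 11) and registry value-set (Event ID 13) lines written in a simplified key=value format. The Run value name "explorer", the Image paths and the benign lines are constructed for the demonstration, since the page's screenshot of the registry entry is not reproduced.

```python
import ntpath
import re

# Names of Windows system binaries that should never be created outside
# %SystemRoot%; the sample dropped an "explorer.exe" into C:\ProgramData.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_ROOT = "c:\\windows\\"

# Run/RunOnce keys, including the Wow6432Node view that a 32-bit process is
# redirected to on 64-bit Windows.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# Locations an unprivileged user (or a dropper) can write to; a Run value
# pointing here deserves a look.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def parse_event(line):
    """Split 'Key=Value Key2=Value with spaces' into a dict (constructed log format)."""
    fields = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields if "=" in f)


def check_file_create(ev):
    """Rule 1: a system-binary name written outside C:\\Windows."""
    path = ev.get("TargetFilename", "")
    name = ntpath.basename(path).lower()
    if name in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_ROOT):
        return ("system-binary-name-outside-windows", ev.get("Image", ""), path)
    return None


def check_run_value(ev):
    """Rule 2: a Run/RunOnce value whose data points into a user-writable path."""
    key = ev.get("TargetObject", "")
    data = ev.get("Details", "")
    if RUN_KEY_RE.search(key) and data.lower().startswith(USER_WRITABLE):
        rule = "run-key-to-user-writable-path"
        if "wow6432node" in key.lower():
            rule += "-via-wow64-redirect"  # writer was a 32-bit process on 64-bit Windows
        return (rule, ev.get("Image", ""), f"{key} -> {data}")
    return None


def scan(lines):
    """Apply both rules and return (rule, writing process, detail) tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = None
        if ev.get("EventID") == "11":    # Sysmon FileCreate
            hit = check_file_create(ev)
        elif ev.get("EventID") == "13":  # Sysmon RegistryEvent (value set)
            hit = check_run_value(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample: two lines modelled on the behaviour in the write-up,
# two benign lines that must not fire. The Run value name is made up.
SAMPLE_LINES = [
    r"EventID=11 Image=C:\Users\victim\Downloads\INFO.exe TargetFilename=C:\ProgramData\explorer.exe",
    r"EventID=13 Image=C:\ProgramData\explorer.exe "
    r"TargetObject=HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer "
    r"Details=C:\ProgramData\explorer.exe",
    r"EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\Temp\MpCmdRun.log",
    r"EventID=13 Image=C:\Windows\regedit.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive "
    r"Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe",
]

if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_LINES):
        print(f"[{rule}] by {image}: {detail}")
```

The second rule keys on where the Run value points rather than on the value name, because the name is attacker-chosen; the first rule treats the file name as the indicator precisely because the real explorer.exe only ever lives under C:\Windows.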

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
