2014-12-03 - PHISHING EMAIL - SUBJECT: AUFFÄLLIGE KONTOBEWEGUNG

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: Sparkassen-Finanzportal GmbH <bellio@treviso.net>
Sent: 03 December 2014 16:58
To: [redacted]
Subject: Auffällige Kontobewegung

Guten Tag [redacted],


Auf Ihrem Konto #410816 fand eine Abbuchung von 2916 EUR statt. Einzelheiten zur Einsichtnahme finden Sie hier: Ihr Konto, Einzug eines Betrags .

Freundliche Grüße von Sparkasse.

 

GOOGLE TRANSLATION:

Subject: Showy account movement

Good day [redacted],

On your account # 410816 debiting took place from 2916 EUR. Details of the inspection can be found here: My Account, collection of a sum.

Friendly greetings from savings bank.

 

LINK FROM THE EMAIL:

80.86.91.225 - lightingapps.de - GET /administrator/bVDXQu9qS/

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  Informationen_Kontobewegung_dezember_2014.zip
File size:  123.5 KB ( 126489 bytes )
MD5 hash:  ab1740928bec43fde051c7c6c0cfccec
Detection ratio:  6 / 55
First submission:  2014-12-03 17:51:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0e4dfe31a2b1e165b5e7fc7053d3e7a0ba1ae160d2fbd3435526d9dd76376d61/analysis/

 

EXTRACTED MALWARE:

File name:  Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
File size:  156.1 KB ( 159812 bytes )
MD5 hash:  8e9111802bf368404c2a18222b3eb986
Detection ratio:  7 / 55
First submission:  2014-12-03 17:27:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2c4ca41292c07252bb043dae7697a91c140ba9be82fac5cd62c9f9c802959e0d/analysis/
Malwr link:  https://malwr.com/analysis/Nzc2NmNlYjdjZTU1NDU4ZWFkZjA2ZDgxYzBiNjNhZTE/


Shown above: registry entry indicating where the malware copies itself

 

INFECTION TRAFFIC

Downloading the malware:

 

Executing Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe in a VM:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata 2.0.4:

 

Sourcefire VRT ruleset from Sguil on Security Onion using Snort 2.9.7.0:

 

SCREENSHOTS

Downloading the malware from the email link:

 

Example of the post-infection traffic:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.