2015-02-02 - MALSPAM RUN PUSHES CHANITOR - SUBJECT: LOGMEIN PROMO CODE - GET 50% OFF YOUR NEXT PURCHASE

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE TEXT:

From: "LogMeIn.com" <no-reply@logmein.com>
Date: Monday, February 2, 2015 at 8:20 AM CST
To:
Subject: LogMeIn Promo Code - Get 50% off your next purchase

Dear client,

In early January 2015, we have launched new versions of LogMeIn Central designed to deliver improved security to our customers.
For security reasons, every account must be updated to one of the new LogMeIn Central interfaces ( Central Basic , Central Plus , Central Premier ).

Coupon codes have been awarded to our clients, in order to encourage early subscription to the new interface.

Your account has been selected for a 50% discount on your next LogMein purchase.
The coupon code ( valid for 3 days ) and instructions on how to use it have been included in the attached document.

For more information regarding the new LogMeIn Central , visit our blog :
http://blog.logmein.com/it-management/year-central

Thank you for choosing LogMeIn

Attachment: logmein_coupon_code.doc (49.7 KB)


TRAFFIC FROM INFECTED VM

ASSOCIATED DOMAINS:


TRAFFIC SEEN:


SNORT EVENTS FROM INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Talos (Sourcefire VRT) ruleset from Snort 2.9.7.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  logmein_coupon_code.doc
File size:  36.8 KB ( 37689 bytes )
MD5 hash:  972751827473ecfdb959c2233a67bdb8
Detection ratio:  2 / 57
First submission:  2015-02-02 15:19:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/df7f7f8662300996ab1956fafdf04ab6b18e9f8a7d84d6e36c23b58bbcf84f0c/analysis/


DROPPED MALWARE (CHANITOR):

File name:  winlogin.exe
File size:  123.5 KB ( 126464 bytes )
MD5 hash:  4f27da033ca92c28576be5270b923128
Detection ratio:  1 / 57
First submission:  2015-02-02 16:03:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4e10f46a37f0168c16a5b09d8e7f3934bcddc4411b34916d8497ec1a7e52a9fc/analysis/
Malwr link:  https://malwr.com/analysis/ZDk5MTkwNDZiNzExNDQzOTk1MmZmYTk1YzU2NzFmZWM/


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
