2014-08-08 - ZBOT INFECTION FROM EMAIL ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
THE EMAIL
SCREENSHOT:
MESSAGE TEXT:
From: Japan Manufatural Company <manufacturalsales@gmail[.]com>
Reply-To: <manufacturalsales@gmail[.]com>
Date: Friday, August 8, 2014 at 1:32 UTC
Subject: RE: PURCHASE ORDER
Sir.Kindly check my purchase order on the attach file and get back to us immedialey for the payment to be made.
Best Regard,
JAPAN NEPOL STEEL COMPANY
Fujitsu Kosugi Building 1812-10 Shimonumabe,
Nakahara-ku. Kawasaki-shi,
Kanagawa Japan.
Tel.: +81 - 813-678-9902
Email:manufacturalsales@gmail[.]com
Attachment: PURCHASE ORDER.rar (272 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: PURCHASE ORDER.rar
File size: 205,490 bytes
MD5 hash: 2d62935b885a4cbef5db682dbf2614c3
Detection ratio: 24 / 54
First submission: 2014-08-08 04:30:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/b1e9aaac9a35faea36d82dc2d4d060e424b652751251523166ede7d1537e351d/analysis/
EXTRACTED MALWARE:
File name: rach.exe
File size: 222,502 bytes
MD5 hash: ba3888f22e448fd79b220106155d2b66
Detection ratio: 27 / 53
First submission: 2014-08-08 07:09:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/0ef66e8730340315b1f821e096c4ef6aeda02c89cef3d5ddc09c3804287684bb/analysis/
INFECTION TRAFFIC FROM SANDBOX ANALYSIS OF THE MALWARE


- 19:31:58 UTC - 23.63.227[.]177:80 - crl.microsoft[.]com - GET /pki/crl/products/CodeSignPCA.crl
- 19:32:00 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - GET /images/rach.bin
- 19:32:14 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - POST /images/secure.php
- 19:32:14 UTC - 74.125.225[.]84:80 - www.google[.]com - GET /webhp
- 19:32:15 UTC - 23.4.53[.]163:80 - crl.geotrust[.]com - GET /crls/secureca.crl
- 19:32:15 UTC - 199.7.59[.]72:80 - gtglobal-ocsp.geotrust[.]com - GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6aQ%3D%3D
- 19:32:15 UTC - 173.194.115[.]73:80 - clients1.google[.]com - GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEYuQla7EZTc
- 19:32:15 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - POST /images/secure.php
- 19:32:16 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - POST /images/secure.php
- 19:33:18 UTC - 93.184.215[.]200:80 - mscrl.microsoft[.]com - GET /pki/mscorp/crl/mswww(6).crl
ALERTS FROM SANDBOX ANALYSIS TRAFFIC

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 74.86.13[.]122:80 - ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download (sid:2010348)
- 74.86.13[.]122:80 - ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin (sid:2018052)
- 74.86.13[.]122:80 - ET TROJAN Possible Zbot Activity Common Download Struct (sid:2017836)
- 74.86.13[.]122:80 - ET TROJAN Zeus POST Request to CnC - URL agnostic (sid:2013976)
- 74.86.13[.]122:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
- 74.125.225[.]84:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)
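Added example (not part of this page's analysis, and not a Security Onion or Emerging Threats component): a small Python triage script that parses HTTP summary lines in the same "time - ip:port - host - METHOD /uri" format used above and applies heuristics that mirror the alerts listed: a GET for a .bin file from a non-CA host (the Zeus/Zbot configuration download), subsequent POSTs to a .php resource on that same host (the CnC check-in), and the GET /webhp to www.google.com that Zbot uses as a connectivity check. The CRL and OCSP requests to Microsoft, GeoTrust and Google are certificate-validation background noise rather than indicators and are not flagged. The sample input is constructed from this page's traffic list, with domains kept defanged; the two-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the sandbox traffic summary from this page,
# defanged as on the page. The regex below accepts an optional leading "- ".
SAMPLE_TRAFFIC = """\
19:31:58 UTC - 23.63.227[.]177:80 - crl.microsoft[.]com - GET /pki/crl/products/CodeSignPCA.crl
19:32:00 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - GET /images/rach.bin
19:32:14 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - POST /images/secure.php
19:32:14 UTC - 74.125.225[.]84:80 - www.google[.]com - GET /webhp
19:32:15 UTC - 23.4.53[.]163:80 - crl.geotrust[.]com - GET /crls/secureca.crl
19:32:16 UTC - 74.86.13[.]122:80 - rachelserodioadvogados[.]com[.]br - POST /images/secure.php
19:33:18 UTC - 93.184.215[.]200:80 - mscrl.microsoft[.]com - GET /pki/mscorp/crl/mswww(6).crl
"""

LINE_RE = re.compile(
    r"^(?:-\s*)?(?P<time>\d{2}:\d{2}:\d{2}) UTC - (?P<ip>[^:\s]+):(?P<port>\d+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)


def refang(value):
    """Turn the page's defanged notation (1.2.3[.]4, example[.]com) back into a real string."""
    return value.replace("[.]", ".")


def parse_traffic(text):
    """Parse summary lines into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        field = match.groupdict()
        events.append({
            "time": datetime.strptime(field["time"], "%H:%M:%S"),  # date part is irrelevant
            "ip": refang(field["ip"]),
            "port": int(field["port"]),
            "host": refang(field["host"]),
            "method": field["method"],
            "uri": field["uri"],
        })
    return events


def flag_zbot_pattern(events, window=timedelta(minutes=2)):
    """Return (host, reason, uri) tuples for events matching the Zbot-style pattern.

    Heuristics (assumed, modelled on the ET alert names on the page):
      1. GET of a .bin resource  -> possible Zeus/Zbot configuration download
      2. POST to a .php resource on the same host within `window` of (1) -> CnC check-in
      3. GET /webhp on www.google.com -> connectivity check seen in Zeus infections
    """
    alerts = []
    config_downloads = [e for e in events
                        if e["method"] == "GET" and e["uri"].lower().endswith(".bin")]
    for download in config_downloads:
        alerts.append((download["host"], "possible Zeus/Zbot .bin configuration download",
                       download["uri"]))
        for event in events:
            delta = event["time"] - download["time"]
            if (event["host"] == download["host"] and event["method"] == "POST"
                    and event["uri"].lower().endswith(".php")
                    and timedelta(0) <= delta <= window):
                alerts.append((event["host"], "POST to .php on .bin host (CnC check-in)",
                               event["uri"]))
    for event in events:
        if event["host"] == "www.google.com" and event["method"] == "GET" and event["uri"] == "/webhp":
            alerts.append((event["host"], "GET /webhp connectivity check", event["uri"]))
    return alerts


def suspicious_hosts(events):
    """Hosts that served a .bin and then received a .php POST: the actual CnC indicators."""
    alerts = flag_zbot_pattern(events)
    bin_hosts = {a[0] for a in alerts if ".bin" in a[1]}
    post_hosts = {a[0] for a in alerts if "POST" in a[1]}
    return sorted(bin_hosts & post_hosts)


if __name__ == "__main__":
    parsed = parse_traffic(SAMPLE_TRAFFIC)
    for host, reason, uri in flag_zbot_pattern(parsed):
        print(f"{host:35} {reason:45} {uri}")
    print("CnC candidates:", suspicious_hosts(parsed))
```

The connectivity-check heuristic on its own is far too noisy for production use (any browser can request /webhp); it is only meaningful alongside the .bin download and the .php POSTs on the same host, which is why `suspicious_hosts` reports only hosts showing both of those.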