2014-11-05 - PHISHING EMAIL - SUBJECT: INVOICES AND PAYMENT COPY ATTACHED
ASSOCIATED FILES:
- ZIP of the malware: 2014-11-05-phishing-malware.zip
- ZIP of PCAP from malwr.com analysis (1 of 2): 2014-11-05-malwr.com-analysis-of-image001N.exe.pcap.zip
- ZIP of PCAP from malwr.com analysis (2 of 2): 2014-11-05-malwr.com-analysis-of-image002D.exe.pcap.zip
THE PHISHING EMAIL
SCREENSHOT:
MESSAGE TEXT:
From: KLUBER LUBRICATION PVT <felixbrown@dr.com>
Reply-To: <kb2237@gmail.com>
Date: Wednesday, November 5, 2014 at 7:36 UTC
Subject: invoices and payment copy attached
Kind Attn Sir,
Please find the below mentioned / attached invoice details for your reference and kindly confirm the below status:
1. Have you received the invoice & confirm that all the material has been reached to safely.
2. If received have all the work has been completed or not.
3. If completed, have you booked for payment.
KLUBER LUBRICATION CHINA PVT LTD
PLOT NO 347-A, HEBBAL INDUSTRIAL AREA P.O METAGALLI MYSORE 570 016
SUB TOTAL
$8,195.15
Note : Please reply if there is any issue regarding material or Invoice
within 3 working days or by telephone so that we can clarify if any problem
is there.
Kindly treat this matter on priority & reply.
With Kind Regards...
Mahalakshmi Sharma
Customer Relationship Management
Attachment: image001N.rar (391.2 KB)
Attachment: image002D.rar (617.2 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT (1 OF 2):
File name: image001N.rar
File size: 235.5 KB ( 241152 bytes )
MD5 hash: bb8b6562d6723b04117762e375f3fd2b
Detection ratio: 12 / 54
First submission: 2014-11-06 00:03:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/b6fcd12cc7b7fa34ea05cdec9c1a900cee67b6b7f388fb79af3794d2b0f8c1e3/analysis/
EMAIL ATTACHMENT (2 OF 2):
File name: image002D.rar
File size: 455.3 KB ( 466219 bytes )
MD5 hash: 8b91108cac0f3fd8e5074a4a5d956892
Detection ratio: 11 / 54
First submission: 2014-11-06 01:42:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/9d7d4da3ed6bd33ea47d8bddd6efdb4122f2ea4db87263123af976c9c8392cdd/analysis/
EXTRACTED MALWARE (1 OF 2):
File name: image001N.exe
File size: 311.5 KB ( 318976 bytes )
MD5 hash: 67a45ddff62095ac322e9d13440b7bea
Detection ratio: 14 / 53
First submission: 2014-11-06 00:04:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/01990ff9ab5b033e86ac3081446d7530c41a512dc601deff03cf5bf49297423a/analysis/
Malwr.com link: https://malwr.com/analysis/YmJiNGNiODVjODU0NDcxMWJiMTc0YTlhZDI3OTdjNTg/
EXTRACTED MALWARE (2 OF 2):
File name: image002D.exe
File size: 528.0 KB ( 540672 bytes )
MD5 hash: 0eeb7af2a25b77dc51ff024624d18f74
Detection ratio: 13 / 53
First submission: 2014-11-06 00:03:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/65db309e1552c021334bd0b3ac0acb31a17932b84501c854a38e50b6b4ca954e/analysis/
Malwr.com link: https://malwr.com/analysis/NTg3YjU5OWRmNzllNDdkYTljNjljY2Q3ZDAzODJjYjk/
INFECTION TRAFFIC
TRAFFIC FROM MALWR.COM ANALYSIS OF IMAGE001N.EXE:
- 2014-10-06 00:07:16 UTC - DNS query for felixbrown.no-ip.org - resolved to 23.105.131.143
- 2014-10-06 00:07:16 UTC - Encrypted TCP traffic to 23.105.131.143 port 9033
TRAFFIC FROM MALWR.COM ANALYSIS OF IMAGE002D.EXE:
- 2014-10-06 00:07:35 UTC - DNS query for blessyjohn01.ddns.net - resolved to 23.105.131.143
- 2014-10-06 00:07:36 UTC - Attempted TCP connection to 23.105.131.143 port 1529 (RST by the server)
FINAL NOTES
Once again, here are the associated files:
- ZIP of the malware: 2014-11-05-phishing-malware.zip
- ZIP of PCAP from malwr.com analysis (1 of 2): 2014-11-05-malwr.com-analysis-of-image001N.exe.pcap.zip
- ZIP of PCAP from malwr.com analysis (2 of 2): 2014-11-05-malwr.com-analysis-of-image002D.exe.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.