Headers:
From: "Jamal Horne" { }
Subject: ACH - Bank account information form
Message body:
Please fill out and return the attached ACH form along with a copy of a voided check.
Jamal Horne,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Jamal.Horne@jpmchase.com
GRE Project Accounting
The attached Zip file is called:
Check_Copy_Void.zip
Inside the zip is a Windows executable:
Check_Copy_Void.scr
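An added example, not part of the original post: a Python check a mail filter could run to flag zip attachments that carry a directly executable member such as the .scr file above, and to compute the member's MD5 for comparison with published hashes. The function names, extension list, size cap and the inert stub bytes are assumptions made for this example; the subject and file names are taken from this post.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; a .scr screensaver is an ordinary PE file.
EXEC_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER = 20 * 1024 * 1024  # do not inflate members larger than this
SAMPLE_STUB = b"MZ" + b"\x00" * 62  # constructed, inert bytes (not the real sample)

def scan_message(raw: bytes) -> list:
    """Return one finding per executable-named member of each zip attachment."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):  # test content, not name
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                _, dot, ext = info.filename.rpartition(".")
                if not dot or "." + ext.lower() not in EXEC_EXTS:
                    continue
                body = None  # encrypted or oversized members are reported unhashed
                if not info.flag_bits & 0x1 and info.file_size <= MAX_MEMBER:
                    body = zf.read(info)
                findings.append({
                    "attachment": part.get_filename(),
                    "member": info.filename,
                    "is_pe": body is not None and body[:2] == b"MZ",
                    "md5": hashlib.md5(body).hexdigest() if body is not None else None,
                })
    return findings

def build_sample() -> bytes:
    """Constructed message using the subject and file names from this post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Check_Copy_Void.scr", SAMPLE_STUB)
    msg = EmailMessage()
    msg["Subject"] = "ACH - Bank account information form"
    msg.set_content("Please fill out and return the attached ACH form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Check_Copy_Void.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The MD5 printed for the constructed stub will not match the hash listed in this post, since the stub is not the real sample.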
MD5 Hashes:
3164ef6340962591d87a108614013e12
Malware Information:
VirusTotal Report [1] (hits 4/56 Virus Scanners)
hybrid-analysis Report [1] [Very Detailed]
Malwr Report [1]
Summary:
Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup
Cheers,
Steve
Sanesecurity.com