Tuesday, 20 January 2015

ACH - Bank account information form malware

ACH - Bank account information form malware, delivered as an HTML email with an attached zip.

Headers:
From: "Jamal Horne" {}
Subject: ACH - Bank account information form

Message body:
Please fill out and return the attached ACH form along with a copy of a voided check.

Jamal Horne,

JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Jamal.Horne@jpmchase.com
GRE Project Accounting

The attached Zip file is called:
Check_Copy_Void.zip

Inside the zip is a Windows executable:
Check_Copy_Void.scr

MD5 hash:
3164ef6340962591d87a108614013e12

Malware information:
VirusTotal report [1] (detected by 4 of 56 scanners)

hybrid-analysis report [1] (very detailed)

Malwr report [1]

Summary:

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup
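The delivery method above (a zip attachment hiding a .scr screensaver executable) is easy to triage at the mail gateway. The following is an added example, not code from the post or from Sanesecurity: it walks a zip in memory without extracting to disk, flags members with directly executable extensions, and compares each member's MD5 against the hash reported above. The sample zip is constructed with dummy bytes in place of the real malware, so its hash will not match the IoC.

```python
import hashlib
import io
import zipfile

# MD5 of Check_Copy_Void.scr as reported in the post above.
KNOWN_BAD_MD5 = {"3164ef6340962591d87a108614013e12"}

# Extensions Windows runs directly; .scr (screensaver) is the one used here.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def triage_zip(zip_bytes: bytes) -> list:
    """Return one record per zip member: name, MD5, executable flag, IoC match."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            # Use only the last suffix: "check.pdf.scr" is still a .scr file.
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            findings.append({
                "name": name,
                "md5": md5,
                "executable": ext in EXECUTABLE_EXTENSIONS,
                "known_bad": md5 in KNOWN_BAD_MD5,
            })
    return findings


def should_quarantine(findings: list) -> bool:
    """Quarantine the message if any member is executable or matches a known hash."""
    return any(f["executable"] or f["known_bad"] for f in findings)


def build_sample_zip() -> bytes:
    # Constructed stand-in for Check_Copy_Void.zip; the .scr content is a
    # harmless placeholder, not the real sample from the post.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Check_Copy_Void.scr", b"MZ placeholder, not the real sample")
    return buf.getvalue()
```

Running `should_quarantine(triage_zip(build_sample_zip()))` returns True on the extension alone, which is the point: the hash changes with every rebuild of the malware, but a .scr inside a zip attachment does not.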

Cheers,
Steve
Sanesecurity.com
