Thursday, 15 January 2015

ADP Invoice for week ending 01/11/2015 {Darrel.Doss@adp.com} malware

ADP Invoice for week ending 01/11/2015 {Darrel.Doss@adp.com} malware in the form of an HTML email with an attached Zip.

Headers:
From: "Darrel.Doss@adp.com" {Darrel.Doss@adp.com}
Date: Thu, 24 Jul 2014 09:35:35 GMT
Subject: ADP Invoice for week ending 01/11/2015

Message body:

Your most recent ADP invoice is attached for your review.

If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Thank you for choosing ADP for your business solutions.

Important: Please do not respond to this message. It comes from an unattended mailbox.

The auto-downloaded Zip file is (note: the downloaded filename is random):
invoice_418270412.pdf.zip

On the Windows machine, inside the zip is a Windows executable (note the dual extension, which makes it look like a PDF):
invoice_418270412.pdf.scr

MD5 hash:
f98d0db9c365cf08235fc30c41276ef8

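As an added defender-side example (not code from Sanesecurity or from the original post), the following Python scans a zip email attachment for the two indicators this post gives: a double extension such as .pdf.scr hiding an executable, and an MD5 match against the listed hash. The zip it scans is constructed inline with placeholder bytes; only the member name matches the report, and the extension lists are assumptions.

```python
import hashlib
import io
import zipfile

# Known-bad MD5 from the report (the only hash given on this page).
KNOWN_BAD_MD5 = {"f98d0db9c365cf08235fc30c41276ef8"}

# Final extensions that Windows will execute, whatever precedes them (assumed list).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions commonly used as the decoy "document" part of a double extension (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def is_disguised_executable(name):
    """True for names like invoice_418270412.pdf.scr: a document-looking
    extension immediately followed by an executable extension."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    final, decoy = "." + parts[-1], "." + parts[-2]
    return final in EXECUTABLE_EXTS and decoy in DECOY_EXTS

def scan_zip_attachment(zip_bytes):
    """Return one finding per zip member: name, MD5 and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            reasons = []
            if is_disguised_executable(info.filename):
                reasons.append("double extension hiding an executable")
            if md5 in KNOWN_BAD_MD5:
                reasons.append("MD5 matches known-bad sample")
            findings.append({"name": info.filename, "md5": md5, "reasons": reasons})
    return findings

def build_sample_zip():
    """Constructed sample: a zip with the same member name as the report,
    containing placeholder bytes rather than the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_418270412.pdf.scr", b"MZ placeholder, not the real sample")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['name']}  md5={f['md5']}  {'; '.join(f['reasons'])}")
```

In a mail gateway the same check would run over every zip member before delivery, with the hash set fed from your own blocklist.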
Malware Information:

VirusTotal report (detected by 10/57 virus scanners)

hybrid-analysis report (very detailed)

Malwr report

Summary:

Performs some HTTP requests
Steals private information from local Internet browsers
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24689.ZipHeur

Cheers,

Steve
Sanesecurity.com
