Sanesecurity ClamAV blog: zero hour malware, phishing and scams: eFax message from POTS modem 2

Wednesday, 25 February 2015

eFax message from POTS modem 2

eFax message from POTS modem 2...

Headers:

From: {message@inbound.efax.com}
Subject: eFax message from "POTS modem 2 " - 1 page(s), Caller-ID: 1-630-226-2563

Message body:

Attached is a Zip file:

fax_2342.zip

Inside the Zip is a Windows Executable:

fax_2342.exe

Md5 Hashes:

436da4d7aee7f8f4a8806b14b376cecf [1]

Malware Information:

VirusTotal Report [1] (hits 12/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]

Description:

The malware in the zip is a trojan downloader largely referred to as Upatre.

This downloader will then probably download it's parter in crime Dyre.

Dyre, is Zeus-like banking Trojan, which is trying to capture as much information about your online banking details as possible.

It's also being used to then send out the same malware to everyone else by using your own copy of outlook and your bandwidth.

Cheers,

Steve
Sanesecurity.com

16 comments:

Anonymous said...: just received an email with this "efax". didn't open the attachment. what type of malware is it?; 25 February 2015 at 14:52
Anonymous said...: received the same potentially toxic attachment; 25 February 2015 at 14:57
Steve Basford said...: It's Upatre malware, I've updated the blog entry a little with a description.; 25 February 2015 at 15:18
Unknown said...: I just got one too. We do not subscribe to eFax, do not have a signon, and my AV sent it straight into the "Infected" file so I did not open it.; 25 February 2015 at 15:19
Unknown said...: I just received this too, we do not subscribe to eFax, AND my AV sent it straight into the "Infected" file.; 25 February 2015 at 15:21
Anonymous said...: awesome. thank you. :); 25 February 2015 at 15:42
Andrew Cole said...: Just received the identical trojan e-mail.; 25 February 2015 at 16:02
Andi said...: Received this morning in business email. Searched the phone # listed and your site popped up. What a wonderful service you provide!; 25 February 2015 at 16:04
Anonymous said...: Our business received the exact same email and I also searched the number and your site popped up. Thank you for the information!; 25 February 2015 at 16:35
Art said...: I just got this email as well. Seemed a little phishy, so I googled the number and found this site. Thanks for sharing the info, what a great service you guys are providing.; 25 February 2015 at 17:04
Anonymous said...: Thanks very much for posting about this. We received this email too and I immediately deleted it.; 25 February 2015 at 20:39
Anonymous said...: Received exactly the same email, this morning.; 3 March 2015 at 00:35
Anonymous said...: received to business email just now. Thank you for posting the warning; 11 March 2015 at 16:22
Unknown said...: Also just received this bogus eFax email. Did a reverse phone number look-up on the "630-226-2563" and got this...

Ameritech Landline in Lemont, IL; 11 March 2015 at 17:56
Anonymous said...: I just received the same thing today. Reported it as Junk.; 11 March 2015 at 19:33
Anonymous said...: Yup. Many thanks for posting this. from,
Richmond Hill, Ontario; 12 March 2015 at 13:41

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Wednesday, 25 February 2015

eFax message from POTS modem 2

16 comments: