Thursday, 5 February 2015

HSBC Payment Advice malware

HSBC Payment Advice malware on the loose....

Headers: (example)
From: "HSBC" {no-replay@hsbci.co.uk}
Subject: HSBC Payment Advice

Message body: (example)
Sir/Madam

Upon your request, attached please find payment e-Advice for your
reference.

Yours faithfully

HSBC

Attached to the email is a zip file (note: random filename):
HSBC-78278.zip

On a Windows machine, the zip contains a Windows executable:
CashPro.exe

MD5 hashes:
f0153b97415d4d4029209ab571f29bf8 [1]

Malware Information:

VirusTotal Report [1] (hits 2/51 Virus Scanners)

Malwr Report [1]


Summary:
  • Steals private information from local Internet browsers
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com
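
Because the zip filename is random, a filename rule will not catch this attachment. The check below is an added example, not part of the original post: it inspects a zip attachment's members by content, flagging the MD5 published above and any Windows executable inside the archive. The function names, the size cap and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

KNOWN_BAD_MD5 = {"f0153b97415d4d4029209ab571f29bf8"}  # CashPro.exe, from the post
MAX_MEMBER_SIZE = 20 * 1024 * 1024  # assumed cap on declared size (zip bombs)


def is_pe(data):
    """True if an MZ header's e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_zip(zip_bytes, known_md5=KNOWN_BAD_MD5):
    """Classify each member of a zip attachment by content, not by file name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_SIZE:
                # Encrypted or oversized members cannot be hashed here.
                findings.append((info.filename, None, "unscannable"))
                continue
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            verdict = "no match"
            if md5 in known_md5:
                verdict = "known-bad hash"
            elif is_pe(data):
                verdict = "executable in archive"
            findings.append((info.filename, md5, verdict))
    return findings


def build_sample_zip():
    """Constructed sample: a harmless 68-byte PE-shaped stub plus a text file."""
    stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CashPro.exe", stub)
        zf.writestr("note.txt", "constructed sample, not malware")
    return buf.getvalue(), hashlib.md5(stub).hexdigest()


if __name__ == "__main__":
    print(*triage_zip(build_sample_zip()[0]), sep="\n")
```

The constructed stub does not match the published hash, so it is reported as "executable in archive"; a member whose MD5 equals the value above would be reported as "known-bad hash".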

2 comments:

Anonymous said...

Got it as well.

lopta said...

Me too:

MD5 (CashPro.exe) = f0153b97415d4d4029209ab571f29bf8