Sanesecurity ClamAV blog: zero hour malware, phishing and scams: HSBC Payment Advice malware

Thursday, 5 February 2015

HSBC Payment Advice malware

HSBC Payment Advice malware on the loose....

Headers: (example)

From: "HSBC" {no-replay@hsbci.co.uk}
Subject: HSBC Payment Advice

Message body (example)

Sir/Madam

Upon your request, attached please find payment e-Advice for your
reference.

Yours faithfully

HSBC

Attached to the email is a Zip file (Note: Random filename):

HSBC-78278.zip

On the Windows machine, Inside the zip, is Windows executable

CashPro.exe

Md5 Hashes:

f0153b97415d4d4029209ab571f29bf8 [1]

Malware Information:

VirusTotal Report [1] (hits 2/51 Virus Scanners)

Malwr Report [1]

Summary:

Steals private information from local Internet browsers

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)

Creates an Alternate Data Stream (ADS)

Installs itself for autorun at Windows startup

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

2 comments:

Anonymous said...: Got it as well.; 5 February 2015 at 14:34
lopta said...: Me too:

MD5 (CashPro.exe) = f0153b97415d4d4029209ab571f29bf8; 6 February 2015 at 18:28

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Thursday, 5 February 2015

HSBC Payment Advice malware

2 comments: