Tuesday, 10 February 2015

Order Details amazon.com order_report.zip malware

Order Details amazon.com order_report.zip malware:

Headers (example):
From:     "Amazon.com" <delivers@amazon.com>
Subject:  Order Details

Message body (example):

Good day,

Thank you for your order. We'll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.

Order Details

Order R:141316 Placed on June 28, 2014
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.com


Attached to the email is a Zip file:
order_report.zip

Inside the zip is a Windows executable (the long digit run in the name changes between copies):
order_report_238974983274928374892374982.exe

MD5 hash:
30f40ef27c5d1ee7482093c9e6f16169  [1]
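As an added example, not code from this post or from Sanesecurity: a gateway-side check in Python that opens a zip attachment in memory, flags any member that is a Windows executable by extension or by its MZ header, notes the long digit run in the filename, and compares the member's MD5 against a blocklist seeded with the hash above. The sample zip, the fake "MZ" payload, the extension list, the digit-run heuristic and the size cap are all constructed or assumed here; only the hash and the filename come from the post.

```python
import hashlib
import io
import re
import zipfile

# Hash quoted in the post for order_report_238974983274928374892374982.exe.
KNOWN_BAD_MD5 = {"30f40ef27c5d1ee7482093c9e6f16169"}

# Extensions a mail gateway should not pass inside an archive (assumed policy list).
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs")

# Names like order_report_238974983274928374892374982.exe: a long run of digits
# glued to a plausible document name (heuristic chosen for this example).
LONG_DIGIT_RUN = re.compile(r"\d{12,}")

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (assumed cap)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def inspect_zip(zip_bytes, max_member_bytes=MAX_MEMBER_BYTES):
    """Return one finding dict per archive member; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared size before inflating: a zip bomb would be blocked here.
            if info.file_size > max_member_bytes:
                findings.append({"name": info.filename, "oversized": True})
                continue
            content = zf.read(info)
            name = info.filename.lower()
            digest = md5_hex(content)
            findings.append({
                "name": info.filename,
                "oversized": False,
                "md5": digest,
                "exec_ext": name.endswith(EXEC_EXTENSIONS),
                "is_pe": content[:2] == b"MZ",  # DOS/PE stub magic
                "long_digits": bool(LONG_DIGIT_RUN.search(name)),
                "known_bad": digest in KNOWN_BAD_MD5,
            })
    return findings


def verdict(findings):
    """'block' if any member is a known sample, an executable, or too big to inspect."""
    for f in findings:
        if f["oversized"] or f.get("known_bad") or f.get("exec_ext") or f.get("is_pe"):
            return "block"
    return "allow"


def build_zip(members):
    """Constructed helper: build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the attachment: a fake PE (MZ header plus padding)
# under the filename from the post, and a harmless PDF for comparison.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
MALICIOUS_ZIP = build_zip({"order_report_238974983274928374892374982.exe": FAKE_PE})
BENIGN_ZIP = build_zip({"order_report.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    for label, blob in (("order_report.zip", MALICIOUS_ZIP), ("benign.zip", BENIGN_ZIP)):
        fs = inspect_zip(blob)
        print(label, verdict(fs), fs)
```

The hash match only ever catches this exact sample; with 5/57 scanners detecting it, the repacked copies that follow will have new hashes. The structural checks (executable inside an archive, MZ header regardless of extension, the digit-padded name) are what keep catching the campaign.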
Malware Information:

VirusTotal Report [1] (hits 5/57 Virus Scanners)

Malwr Report [1]

Summary:
  • Executed a process and injected code into it, probably while unpacking
  • Installs itself for autorun at Windows startup

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

1 comment:

Proxymu5 said...

I can see that the malware tried to connect to:
106.216.219.96:http
239.255.255:250
27.5.199.115:http
46.19.143.151:http
5-14-181-219.residential.rdsnet.ro:https
85-143-166-72.clodo.ru:http
dhcp-92-cast.dipscfm.uninsubria.it:http
e-u07kicsg661.it.manchester.ac.uk:http
ip-195-030.africaonline.com.gh:8000
ipoter.ru:http
tengo.un.gato.en.mis.pantalones:http-alt
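As an added example following the comment above, and not code from the post, the commenter or Sanesecurity: the destination list from the comment, copied as posted, turned into indicators and matched against proxy log lines. The log format and the log lines are constructed for this example; the service-name-to-port mapping is the usual IANA one and is an assumption, and a host match is reported even when the port differs, because the ports in the list are only what one sandbox run happened to see.

```python
from collections import namedtuple

# Destinations listed in the comment, copied as posted (host:service).
RAW_INDICATORS = [
    "106.216.219.96:http",
    "239.255.255:250",
    "27.5.199.115:http",
    "46.19.143.151:http",
    "5-14-181-219.residential.rdsnet.ro:https",
    "85-143-166-72.clodo.ru:http",
    "dhcp-92-cast.dipscfm.uninsubria.it:http",
    "e-u07kicsg661.it.manchester.ac.uk:http",
    "ip-195-030.africaonline.com.gh:8000",
    "ipoter.ru:http",
    "tengo.un.gato.en.mis.pantalones:http-alt",
]

# Service names to port numbers (assumed mapping, standard IANA values).
SERVICE_PORTS = {"http": 80, "https": 443, "http-alt": 8080}

Indicator = namedtuple("Indicator", "host port")


def parse_indicator(raw):
    """Split 'host:service' as posted; numeric services are taken as-is."""
    host, _, svc = raw.rpartition(":")
    port = SERVICE_PORTS.get(svc, int(svc) if svc.isdigit() else None)
    return Indicator(host.lower(), port)


INDICATORS = {ind.host: ind for ind in map(parse_indicator, RAW_INDICATORS)}

# Constructed proxy log, one request per line:
# "timestamp client dest_host dest_port method path status".
SAMPLE_LOG = """\
2015-02-10T09:12:01Z 10.0.0.5 ipoter.ru 80 GET /gate.php 200
2015-02-10T09:12:03Z 10.0.0.5 www.amazon.com 443 GET / 200
2015-02-10T09:12:07Z 10.0.0.9 46.19.143.151 80 POST /x 404
2015-02-10T09:12:09Z 10.0.0.9 85-143-166-72.clodo.ru 8080 GET / 200
2015-02-10T09:12:11Z 10.0.0.7 e-u07kicsg661.it.manchester.ac.uk 80 GET /img.php 200
"""

Hit = namedtuple("Hit", "timestamp client host port port_matched")


def match_log(text):
    """Return a Hit for every log line whose destination host is an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        ts, client, host, port = fields[0], fields[1], fields[2].lower(), fields[3]
        ind = INDICATORS.get(host)
        if ind is None:
            continue
        port = int(port)
        hits.append(Hit(ts, client, host, port, port == ind.port))
    return hits


if __name__ == "__main__":
    for h in match_log(SAMPLE_LOG):
        print(h)
```

Two things to keep in mind when using a list like this: several of the names are hosts on residential, university or hosting networks, so a match is a lead to check the client, not proof by itself; and the "239.255.255:250" entry as posted is not a complete IPv4 address, so as written it can only match a log line carrying that same string.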