RingCentral "New Voice Message from No Caller ID" now arriving with not very good detection rates...
Headers:
From: "notify-uk@ringcentral.com" <notify-uk@ringcentral.com>
Subject: New Voice Message from No Caller ID on 25/02/2015 at 16:25
Message body:
You Have a New Voice Message
From: No Caller ID
Received: 18 December 2014 at 16:25
Length: 00:03
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)

To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.

Thank you for using RingCentral.
Attached is a Zip file:
Inside the Zip is a Windows Executable: NoCallerID-1218-162550-153?.wav.exe
Sha256 Hash: 843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379 [1]

Malware Information:
VirusTotal Report [1] (hits 0/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]
Summary:
* Starts servers listening on 0.0.0.0:80
* Performs some HTTP requests
* Steals private information from local Internet browsers
* Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
* Installs itself for autorun at Windows startup

Downloads from:
http://webmail.npkstt.ru/java/ bin .exe
http://decapitated.cba.pl/java/ bin .exe
http://elsi.homepage.t-online.de/java/ bin .exe
Sha256 Hash: c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b [2]
VirusTotal Report [2]
Malwr Report [2]
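As an added example (not part of the original post and not Sanesecurity's own signature code), the following Python script performs the kind of attachment check a mail gateway could apply to this lure: it opens a ZIP held in memory, flags members whose name ends in an executable extension hidden behind a media or document extension (the `.wav.exe` trick above), flags members whose bytes begin with the PE `MZ` marker even when the name looks harmless, and compares each member's SHA-256 against the two hashes reported in this post. The ZIP it inspects is constructed inline; the member name and the placeholder PE bytes are made up for the demonstration and are not the real sample.

```python
"""Mail-gateway style inspection of ZIP attachments for disguised executables.

Added example; the sample archive and the placeholder PE bytes are constructed
here so the script runs offline.
"""
import hashlib
import io
import zipfile

# SHA-256 values the post reports for this campaign (copied from the page).
KNOWN_BAD_SHA256 = {
    "843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379",
    "c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b",
}

# Extensions Windows will execute directly, and the decoy extensions that
# campaigns like this one place in front of them ("voice.wav.exe").
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"wav", "mp3", "pdf", "doc", "docx", "xls", "jpg", "png", "txt"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(digest: str) -> bool:
    """True when the hex digest is on the campaign's known-bad list."""
    return digest.lower() in KNOWN_BAD_SHA256


def inspect_member(name: str, data: bytes) -> list:
    """Return the reasons a single archive member looks suspicious (empty if none)."""
    reasons = []
    pieces = name.rsplit("/", 1)[-1].lower().split(".")
    if len(pieces) >= 2 and pieces[-1] in EXEC_EXTS:
        reasons.append("executable_extension")
        # A media/document extension sitting right before the real one.
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
            reasons.append("double_extension")
    if data[:2] == b"MZ":
        reasons.append("pe_header")
        # PE bytes behind a harmless-looking name such as "voice.wav".
        if pieces[-1] not in EXEC_EXTS:
            reasons.append("extension_mismatch")
    if is_known_bad(sha256_hex(data)):
        reasons.append("known_bad_hash")
    return reasons


def inspect_zip(blob: bytes) -> dict:
    """Inspect every member of an in-memory ZIP.

    Verdict is 'quarantine' if any member produced at least one reason,
    otherwise 'allow'. Directory entries are skipped.
    """
    members = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members[info.filename] = inspect_member(info.filename, zf.read(info))
    verdict = "quarantine" if any(members.values()) else "allow"
    return {"verdict": verdict, "members": members}


def build_sample_zip() -> bytes:
    """Constructed test archive mimicking the campaign's attachment layout.

    The member name is a made-up variant of the one in the post and the
    'PE' payload is a placeholder stub, not real malware.
    """
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NoCallerID-1218-162550-sample.wav.exe", fake_pe)
        zf.writestr("greeting.wav", b"RIFF\x00\x00\x00\x00WAVEfmt ")  # benign audio header
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_zip(build_sample_zip())
    print("verdict:", result["verdict"])
    for member, reasons in result["members"].items():
        print(f"  {member}: {reasons or 'clean'}")
```

The name check alone would miss a renamed payload and the magic-byte check alone would miss a script dropper, so a gateway rule should combine both with the hash list rather than rely on any single signal; the hash list catches only the two samples the post reports and will not match the next build.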
Cheers,
Steve
Sanesecurity.com
4 comments:
Hi Steve, can you try & use SHA1 or SHA256 # instead of MD5 # in your reports. That makes it easier to search VT and other sites who are gradually stopping MD5#
Almost all the automatic submission systems are using a SHA1 or 256 # as file name nowadays
Thanks
Derek
http://myonlinesecurity.co.uk
Good point... updated :)
Seen a few of these land on our server this morning - thanks for clarifying Steve, very helpful info.
Thanks Steve - useful info, seen a few of these land on our mail server today.