Thursday, 26 February 2015

ringcentral New Voice Message from No Caller ID

A fake "ringcentral New Voice Message from No Caller ID" email is now arriving, and at the moment its detection rates are not very good...

Headers:
From: "notify-uk@ringcentral.com" <notify-uk@ringcentral.com>
Subject: New Voice Message from No Caller ID on 25/02/2015 at 16:25
Message body:


You Have a New Voice Message
From: No Caller ID
Received: 18 December 2014 at 16:25
Length: 00:03
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)
To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.
Thank you for using RingCentral.


Attached is a Zip file:
fax_2342.zip
Inside the Zip is a Windows Executable:
NoCallerID-1218-162550-153?.wav.exe

Sha256 Hash:
843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379   [1]

Malware Information:

VirusTotal Report [1] (detected by 0/57 virus scanners)

Malwr Report [1]

Hybrid Analysis Report [1]
Summary:
* Starts servers listening on 0.0.0.0:80
* Performs some HTTP requests
* Steals private information from local Internet browsers
* Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
* Installs itself for autorun at Windows startup
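The attachment pattern above (a zip carrying a Windows executable disguised as a .wav file) is exactly what a mail gateway check should catch before the sample is even hashed. The following is an added example, not code from this post or from Sanesecurity: it screens a zip attachment for executable members, flags the media-style double extension, checks for a PE header, and looks each member's SHA256 up against the two hashes quoted in the post. The zip contents and the member name NoCallerID-0000-000000-000.wav.exe are constructed stand-ins for the demonstration, not the real sample.

```python
"""Added example, not code from the Sanesecurity post: screen a mail
attachment for the lure described above, i.e. a zip whose member is a Windows
executable hiding behind a media-style double extension (.wav.exe), and look
the member's SHA256 up against the IoCs the post lists."""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

# SHA256 values quoted from the post: [1] the executable inside the zip,
# [2] the file it downloads.
KNOWN_BAD_SHA256 = {
    "843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379":
        "NoCallerID .wav.exe payload [1]",
    "c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b":
        "second-stage bin.exe download [2]",
}

# Suffixes Windows will execute, and suffixes used as a decoy in front of them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"wav", "mp3", "pdf", "doc", "docx", "jpg", "txt"}


def lookup_ioc(sha256_hex: str) -> Optional[str]:
    """Return the IoC label for a known-bad SHA256, or None."""
    return KNOWN_BAD_SHA256.get(sha256_hex.lower())


def classify_member(name: str) -> List[str]:
    """Reasons a zip member *name* looks like the lure (empty if none)."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")  # drop directory part
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension .%s inside archive" % parts[-1])
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension: .%s decoy before .%s" % (parts[-2], parts[-1]))
    return reasons


def scan_zip_attachment(data: bytes, max_member_bytes: int = 20 * 1024 * 1024) -> Dict[str, dict]:
    """Scan the bytes of a zip attachment; one findings entry per file member.
    Members larger than max_member_bytes are flagged but not read (zip bombs)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            entry = {"sha256": None, "reasons": reasons}
            if info.file_size > max_member_bytes:
                reasons.append("member too large to inspect")
            else:
                content = zf.read(info)
                digest = hashlib.sha256(content).hexdigest()
                entry["sha256"] = digest
                label = lookup_ioc(digest)
                if label:
                    reasons.append("sha256 matches IoC: " + label)
                if content[:2] == b"MZ":
                    reasons.append("content starts with MZ (PE executable header)")
            findings[info.filename] = entry
    return findings


def verdict(findings: Dict[str, dict]) -> str:
    """'block' if any member raised a reason, else 'allow'."""
    return "block" if any(f["reasons"] for f in findings.values()) else "allow"


def build_constructed_zip(member_name: str, content: bytes) -> bytes:
    """Build an in-memory zip for the demonstration (constructed input, not the real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins: a fake PE stub named like the lure, and a harmless text file.
LURE_ZIP = build_constructed_zip("NoCallerID-0000-000000-000.wav.exe",
                                 b"MZ" + b"\x00" * 62 + b"constructed stub, not a real program")
BENIGN_ZIP = build_constructed_zip("fax_2342.txt", b"just text")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        result = scan_zip_attachment(blob)
        print(label, verdict(result), result)
```

The hash lookup only helps against this exact sample; the name and header checks are what keep catching the next rebuild of the lure, which is why the verdict is driven by any reason rather than by the hash alone.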

Downloads from:

http://webmail.npkstt.ru/java/ bin .exe
http://decapitated.cba.pl/java/ bin .exe
http://elsi.homepage.t-online.de/java/ bin .exe

Sha256 Hash:

c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b [2]

VirusTotal Report [2]
Malwr Report [2]
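The three download locations above are the useful network indicators for anyone who wants to know whether the executable actually ran on a machine: a proxy log hit on one of them, whatever the response code, means the attachment was opened. The following is an added example, not code from this post or from Sanesecurity, that matches web-proxy log lines against those locations. The host names and the /java/bin.exe path are taken from the post (which prints them with spaces inserted to defuse them); the log format and the log lines are constructed for the demonstration.

```python
"""Added example, not from the original post: find proxy log lines that
fetched the second-stage download listed above. Hosts and path come from the
post; the log lines and their layout are constructed."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

DOWNLOAD_HOSTS = {"webmail.npkstt.ru", "decapitated.cba.pl", "elsi.homepage.t-online.de"}
DOWNLOAD_PATH = "/java/bin.exe"

# Constructed log lines in a simple "timestamp client method url status" layout.
SAMPLE_LOG = """\
2015-02-26T09:12:01Z 10.0.0.14 GET http://example.org/index.html 200
2015-02-26T09:12:44Z 10.0.0.27 GET http://webmail.npkstt.ru/java/bin.exe 200
2015-02-26T09:13:05Z 10.0.0.27 GET http://decapitated.cba.pl/java/bin.exe 404
2015-02-26T09:14:10Z 10.0.0.31 GET http://elsi.homepage.t-online.de/java/bin.exe?x=1 200
2015-02-26T09:15:00Z 10.0.0.31 GET http://webmail.npkstt.ru/webmail/login 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def match_line(line: str) -> Optional[dict]:
    """Return a hit record if the line requested the download, else None.
    Matching is on host AND path: the hosts are ordinary (likely compromised)
    web sites, so a host-only match would flag legitimate traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    if host in DOWNLOAD_HOSTS and parts.path == DOWNLOAD_PATH:
        return {"ts": m["ts"], "client": m["client"], "host": host, "status": m["status"]}
    return None


def find_download_attempts(log_text: str) -> List[dict]:
    """All hits in the log, including failed (non-200) fetches: the request
    itself shows the dropper ran, even if the host had already been cleaned."""
    return [hit for hit in (match_line(line) for line in log_text.splitlines()) if hit]


def clients_to_triage(log_text: str) -> List[str]:
    """Sorted, de-duplicated list of client addresses that requested the download."""
    return sorted({hit["client"] for hit in find_download_attempts(log_text)})


if __name__ == "__main__":
    for hit in find_download_attempts(SAMPLE_LOG):
        print(hit)
    print("clients to triage:", clients_to_triage(SAMPLE_LOG))
```

The 404 line is kept on purpose: the attempt is the evidence that the first stage executed on that client, and the fifth line shows why the path must be part of the match.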



    Cheers,

    Steve
    Sanesecurity.com

    4 comments:

    Derek Knight said...

    Hi Steve, can you try and use SHA1 or SHA256 # instead of MD5 # in your reports. That makes it easier to search VT and other sites that are gradually stopping MD5 #.
    Almost all the automatic submission systems are using a SHA1 or 256 # as file name nowadays
    Thanks
    Derek
    http://myonlinesecurity.co.uk

    Steve Basford said...

    Good point... updated :)

    James - IT Tech said...

    Seen a few of these land on our server this morning - thanks for clarifying Steve, very helpful info.

    James - IT Tech said...

    Thanks Steve - useful info, seen a few of these land on our mail server today.