Monday, 9 February 2015

You have received a new debit payments admin details Lloyds TSB malware

The "You have received a new debit" Payments Admin details Lloyds TSB malware is now arriving in the form of an HTML email,
with an attached Zip file:


Headers:
From: "Payments Admin" {paymentsadmin@lloydstsb.co.uk}
Subject: You have received a new debit
Message body:
This is an automatically generated email by the Lloyds TSB PLC
LloydsLink online payments Service to inform you that you have receive a
NEW Payment.

The details of the payment are attached.

This e-mail (including any attachments) is private and confidential and
may contain privileged material. If you have received this e-mail in
error, please notify the sender and delete it (including any
attachments) immediately. You must not copy, distribute, disclose or use
any of the information in it or any attachments.

Attached to the email is a Zip file, with a random filename:
details#59400111.zip
Inside the Zip file is a dangerous exe file (Windows systems):
details.exe

MD5 hashes:
9d1d9c866ee1c3d4124980dc772a64eb  [1]
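
An added example (not part of the original post or any Sanesecurity tooling): a mail-gateway style check that opens Zip attachments by content, flags executable members such as `details.exe`, and compares MD5s against the hash above. The extension list, size cap, sample message and `example.invalid` address are assumptions constructed for illustration.

```python
import email, hashlib, io, zipfile
from email.message import EmailMessage

# MD5 published in this post; it may refer to the Zip or to details.exe, so both are hashed.
KNOWN_MD5 = {"9d1d9c866ee1c3d4124980dc772a64eb"}
RISKY_EXT = (".exe", ".scr", ".pif", ".com")   # assumed block list, extend per policy
MAX_MEMBER = 20 * 1024 * 1024                  # assumed cap: larger members are not unpacked

def scan_message(raw, known_md5=KNOWN_MD5):
    """Return findings for every Zip attachment in a raw RFC 822 message."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        data = part.get_payload(decode=True)   # None for multipart containers
        if not data:
            continue
        try:  # decide by content, not by the attachment name or declared MIME type
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue
        name = part.get_filename()
        if hashlib.md5(data).hexdigest() in known_md5:
            findings.append({"attachment": name, "member": None, "reasons": ["known md5"]})
        for info in archive.infolist():
            reasons = []
            if info.filename.lower().endswith(RISKY_EXT):
                reasons.append("executable in zip")
            if info.flag_bits & 0x1:           # encrypted: cannot be hashed without password
                reasons.append("encrypted member")
            elif info.file_size > MAX_MEMBER:
                reasons.append("oversized member")
            elif hashlib.md5(archive.read(info)).hexdigest() in known_md5:
                reasons.append("known md5")
            if reasons:
                findings.append({"attachment": name, "member": info.filename, "reasons": reasons})
    return findings

SAMPLE_PAYLOAD = b"MZ constructed placeholder, not the real sample"  # harmless, constructed

def build_sample():
    # Constructed message mirroring the attachment layout described in the post.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("details.exe", SAMPLE_PAYLOAD)
    msg = EmailMessage()
    msg["From"] = '"Payments Admin" <paymentsadmin@example.invalid>'
    msg["Subject"] = "You have received a new debit"
    msg.set_content("The details of the payment are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details#59400111.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags `details.exe` on its extension alone, which matters here because the attachment filename is random and only 3 of 57 scanners detected the file.
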
Malware Information:

VirusTotal Report [1] (hits 3/57 Virus Scanners)

Malwr Report [1]


Summary:
  • Steals private information from local Internet browsers
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com
