Wednesday, 11 March 2015

Caller-ID: 1-630-226-2563 Fax message from "POTS modem 2

Headers:
From: {message@inbound.efax.com}
Subject: eFax message from "POTS modem 2 " - 1 page(s), Caller-ID: 1-630-226-2563
Message body:


Attached is a Zip file:
FAX_20150311_1426082680_127.zip
Inside the Zip is a Windows Executable:
FAX_20150311_1426082680_127.exe

SHA-256 Hashes:
 8dbbaec774a42e18f369c2bf947a64d03728749b57fad7f46a80ea1ac396af7f  [1]

Malware Information:

VirusTotal Report [1] (hits 2/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]
Description:
The malware in the zip is a trojan downloader, largely referred to as Upatre.

This downloader will then probably download its partner in crime, Dyre.

Dyre is a Zeus-like banking Trojan that tries to capture as much of your online banking details as possible.

It is also being used to send the same malware on to everyone else, using your own copy of Outlook and your bandwidth.
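As an added example (not part of the original post, and not Sanesecurity's own signatures), the following Python script shows how a mail gateway could flag this lure mechanically: an eFax-style subject carrying a Caller-ID, a zip attachment, and an executable inside that zip, with the member's SHA-256 compared against the hash listed above. The sample message is constructed inline (the "executable" is placeholder bytes, not the real sample), and the function and variable names are my own.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator taken from the post above: SHA-256 of FAX_20150311_1426082680_127.exe.
KNOWN_BAD_SHA256 = {
    "8dbbaec774a42e18f369c2bf947a64d03728749b57fad7f46a80ea1ac396af7f",
}

# Subject shape of the lure: eFax wording followed by a Caller-ID number.
EFAX_SUBJECT_RE = re.compile(r"eFax message from .*Caller-ID:\s*[\d-]+", re.IGNORECASE | re.DOTALL)
# Extensions that should never arrive wrapped in a "fax" zip.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def build_sample_email() -> bytes:
    """Constructed test message mimicking the lure: a zip that wraps a fake .exe.
    The member content is placeholder bytes, not a real PE file."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FAX_20150311_1426082680_127.exe", b"MZ placeholder, not a real PE")
    msg = EmailMessage()
    msg["From"] = "message@inbound.efax.com"
    msg["To"] = "victim@example.invalid"  # constructed recipient
    msg["Subject"] = 'eFax message from "POTS modem 2 " - 1 page(s), Caller-ID: 1-630-226-2563'
    msg.set_content("")  # the real lure had an empty body
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="FAX_20150311_1426082680_127.zip")
    return msg.as_bytes()


def build_benign_email() -> bytes:
    """Constructed control message: ordinary subject, PDF attachment, no zip."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice for March"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


def analyse_email(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report the lure indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_lure": False, "zip_with_executable": [], "known_bad_hashes": []}

    if EFAX_SUBJECT_RE.search(msg.get("Subject", "")):
        findings["subject_lure"] = True

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.infolist():
                    if member.filename.lower().endswith(EXECUTABLE_EXTS):
                        digest = hashlib.sha256(zf.read(member)).hexdigest()
                        findings["zip_with_executable"].append((fname, member.filename, digest))
                        if digest in KNOWN_BAD_SHA256:
                            findings["known_bad_hashes"].append(digest)
        except zipfile.BadZipFile:
            # A zip that will not parse is itself suspicious; record it for review.
            findings["zip_with_executable"].append((fname, "<unreadable zip>", ""))

    # Quarantine on the lure pattern (subject + executable-in-zip) or on a known hash.
    lure_match = findings["subject_lure"] and bool(findings["zip_with_executable"])
    findings["verdict"] = "quarantine" if lure_match or findings["known_bad_hashes"] else "pass"
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_email()), ("benign", build_benign_email())):
        print(label, analyse_email(raw)["verdict"])
```

The hash match is the weakest part of the rule, since each campaign wave re-packs the downloader; the structural check (eFax subject plus an executable inside the attached zip) is what keeps catching the next variant.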


Cheers,

Steve
Sanesecurity.com

15 comments:

Nick H said...

I just received the same thing, and didn't open it, but I am waiting for a payment from an overseas company I didn't want to throw it out. So I googled the number and found your post. Thank you!

moose said...

Perfect. Thank you and Google Mail filters.

moose said...

Thank you for the details and Google Mail for filtering this crap.

proczach said...

just got it at work, junked it immediately, of course, always interesting to see what it is

Anonymous said...

Just received an hour ago, shortly after using DHL and providing a payment to them. Is this the same for you all as well?

Anonymous said...

Just got it too. Glad this is here. Fast find.

Anonymous said...

I also called the phone number, which is disconnected.

Anonymous said...

Yes, Thanks for this post!

Anonymous said...

One here. They are busy today.

Anonymous said...

Got one this morning too

Nancy M said...

Thanks for telling us that it is malware. I was pretty sure but now know for sure.

Anonymous said...

Yikes!! I received this email this morning. I downloaded the zip file and scanned it with Microsoft Essentials, IoBit Malware Fighter and no problem identified. When I clicked on the zip file, it opened and I saw the content for a brief moment then it evaporated. No sign of the email or the file on my computer. Then I found this blog. I just ran a scan with MalwareBytes - nothing found. Any suggestion will be appreciated. I am worried.

Anonymous said...

Yup, they got it to me too. Thanks for having the info. Nice to see others doing the search, just think how many don't.

Anonymous said...

Just got one of these (using a pdf file) this morning. Saw the phone (fax) number and after Googling it I found this page. Thanks for confirming it's a phishing scam.

Anonymous said...

Thank you for posting great detail. Just got it on my husband's business account. Did not open it.

Keep up the great work!