Monday, 9 March 2015

Serv-Ware Credit Application.pdf

An email with a "Serv-Ware Credit Application.pdf" lure is being spammed; the attachment is actually a zip file containing a Windows executable.

These emails aren't from these companies at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

Ringing them is not advised, as there won't really be anything they can do to help you.

Message Header:

From: {}
Subject: Emailing: Serv-Ware Credit Application.pdf.
Message Body:

Clint Winstead
Serv-Ware Products
phone: 800.768.5953
fax: 800.976.1299

Inside the Zip is a Windows Executable:

Sha256 Hashes:
d48507819dd4a42b1f751cc0f60884513389f1be25b34f642e0276cdabbbece9  [1]

Malware sample information:
VirusTotal Report [1] (hits 8/57 Virus Scanners)


Modifies/Creates these files locally:

C:\DOCUME~1\~1\LOCALS~1\Temp\utilview.exe (successful)
c:\autoexec.bat (successful)
viagra.pdf (successful)

Malwr Report [1]

  • File has been identified by at least one AntiVirus on VirusTotal as malicious
  • Performs some HTTP requests
  • Looks up the external IP address
  • Steals private information from local Internet browsers
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup

Hybrid Analysis Report [1] [Detailed Report]
