Headers:
Message body:
From: Vistaprint {VistaPrint-cc@vistaprint.com}
Subject: Vistaprint VAT Invoice (330142496)
There's a Zip file attached to the email:
Invoice Number: 330142496
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: nLhs-tNyCT-qMW
6Lx7Uuuyr.zip
Inside the Zip file is a Windows Executable file:
SHA256 Hashes (one example)
Invoice_1.exe
Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 1/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]
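As an added example (not part of this post or of Sanesecurity's own signatures), a Python check that a mail-gateway filter or triage script could run on a message like this one: it flags zip attachments whose members are executables (by extension or by the MZ header), and a From domain that does not match the relay host named in the first Received header. The sample message is constructed here to resemble the lure; the hostnames and addresses in it are taken from the headers quoted on this page, not resolved live.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows will run directly when double-clicked out of an archive.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# "from <helo-name> (<resolved-host>[ip])" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[(]+)", re.I)

def zip_executables(blob):
    """Return names of zip members that look executable by extension or MZ magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            head = zf.open(info).read(2)
            if info.filename.lower().endswith(EXEC_EXT) or head == b"MZ":
                hits.append(info.filename)
    return hits

def scan_message(raw):
    """Return a list of findings for a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() in ("application/zip", "application/x-zip-compressed") \
                or name.lower().endswith(".zip"):
            for member in zip_executables(part.get_payload(decode=True)):
                findings.append(f"zip member {member!r} in {name!r} is executable")
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    if m and sender_domain and not m.group(2).lower().endswith(sender_domain):
        findings.append(f"From domain {sender_domain} but relay resolved as {m.group(2)}")
    return findings

def build_sample():
    """Constructed sample resembling the lure on this page (not the real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_1.exe", b"MZ" + b"\x00" * 62)  # PE-looking stub, not real code
    msg = EmailMessage()
    msg["From"] = "Vistaprint <VistaPrint-cc@vistaprint.com>"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Vistaprint VAT Invoice (330142496)"
    msg["Received"] = "from vistaprint.com (242.169.233.220.static.exetel.com.au[220.233.169.242])"
    msg.set_content("Invoice Number: 330142496")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="6Lx7Uuuyr.zip")
    return msg.as_bytes()
```

Both checks fire on the constructed sample; in a gateway you would quarantine on the first and score the second, since legitimate mail can also arrive via a third-party relay.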
Cheers,
Steve
Sanesecurity.com
6 comments:
It looks like they are creating each individual email attachment on the fly, and each one not only has a random zip name, but the actual Upatre downloader malware contained in the zip, although each has the same file name, is different, with individual file hashes. I have checked 5 or 6 so far and all have different SHA256 # numbers.
http://myonlinesecurity.co.uk/vistaprint-vat-invoice-fake-pdf-malware/
just got this email today! thanks!
I just got one, but my AVG Internet Security 2015 antivirus program caught it and deleted the message.
Vistaprint VAT Invoice (570832909)
Invoice Number: 570832909
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: k3u9-yropI-78A
thanks guys. we have to keep this up.
Got this one today, too - found it in my Junk folder
Just got this at our company, the service desk released it from Mail Marshal...and now I'm scanning the network. Here is the
Received: from vistaprint.com (242.169.233.220.static.exetel.com.au[220.233.169.242])
From: Vistaprint
MIME-Version: 1.0
Subject: Vistaprint VAT Invoice (566155852)
Invoice Number: 566155852
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: CVh{-5eAGQ-dPB
When executed it created 2 applications with random 13-character text names and the size was 444KB under C:\Users\(username)\Appdata\Local\
Our System Centre Endpoint has yet to pick up anything but if it causes any issue I'll let ya know.