Wednesday, 11 March 2015

Voicemail Message (07813297716) From:07813297716

Headers:
From: Voicemail {admin@
Subject: Voicemail Message (07813297716) From:07813297716
Message body:
IP Office Voicemail redirected message

Attached is a Zip file:
MSG00311.WAV.ZIP
Inside the Zip is a Windows Executable:
MSG00311.WAV.exe

Sha256 Hashes:
 a320ad9390d5c65b05e11683b150207f1c11c164baebef005e04dba476f968b7

Malware Information:

VirusTotal Report (hits 3/57 virus scanners)

Malwr Report

Hybrid Analysis Report

Description:
The malware in the zip is a trojan downloader commonly referred to as Upatre.

This downloader will then probably fetch its partner in crime,
Dyre.

Dyre is a Zeus-like banking Trojan that tries to capture as much of your online banking details as possible.

It is also being used to send the same malware on to everyone else, using your own copy of Outlook and your bandwidth.
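The lure relies on a double extension: the member inside the zip is called MSG00311.WAV.exe so that a reader sees "WAV" and a default Windows file view hides the real ".exe". The following is an added example, not code from this post or from Sanesecurity, showing how a mail-gateway or triage script can open a zip attachment in memory and flag members that carry an executable extension behind a decoy one, that begin with a PE ("MZ") header, or whose SHA-256 matches the hash listed above. The zip it scans is constructed inline with a made-up MZ stub (not the real sample), so only the extension and header checks fire on it; the extension lists are my own assumption of reasonable defaults.

```python
import hashlib
import io
import os
import zipfile

# SHA-256 of the MSG00311.WAV.exe sample, as printed in the post.
KNOWN_BAD_SHA256 = {
    "a320ad9390d5c65b05e11683b150207f1c11c164baebef005e04dba476f968b7",
}

# Assumed defaults: extensions Windows will execute, and extensions a lure
# commonly puts in front of the real one so the name looks like media or a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".wav", ".mp3", ".pdf", ".doc", ".docx", ".jpg", ".txt"}


def classify_member(name, data):
    """Return (sha256_hex, reasons) for one zip member; an empty list means nothing matched."""
    reasons = []
    lower = name.lower()
    stem, ext = os.path.splitext(lower)          # "msg00311.wav", ".exe"
    _, inner_ext = os.path.splitext(stem)        # "", ".wav"
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        if inner_ext in DECOY_EXTS:
            reasons.append("double extension: " + inner_ext + ext)
    if data[:2] == b"MZ":                        # DOS/PE header, regardless of the name
        reasons.append("PE (MZ) header")
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        reasons.append("known-bad sha256")
    return digest, reasons


def scan_zip_bytes(zip_bytes):
    """Scan every file member of an in-memory zip; return {member_name: (sha256, reasons)}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            results[info.filename] = classify_member(info.filename, data)
    return results


def build_sample_zip():
    """Constructed sample attachment: the lure's member name wrapped around a fake MZ stub.
    The payload bytes are invented for the example and are not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MSG00311.WAV.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not real code")
        zf.writestr("readme.txt", b"harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for name, (digest, reasons) in scan_zip_bytes(build_sample_zip()).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {name}  sha256={digest[:16]}...  {', '.join(reasons) or '-'}")
```

Running it prints the fake MSG00311.WAV.exe member as SUSPICIOUS (double extension and MZ header) and readme.txt as ok. The hash check is last for a reason: it only catches the exact file that has already been seen, while the extension and header checks also catch the next re-packed variant with a fresh hash.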


Cheers,

Steve
Sanesecurity.com

7 comments:

Anonymous said...

Thank you. I have just received this voice mail and nearly opened it. You have saved me so much heartache, especially as I am already having a bad day! Thanks and regards, Kimble.

alexx said...

I just got one of these at 10:17 this morning, unzipped to find a Windows .exe which I didn't execute.

Address as from

How to stop it?!

Pat said...

We have seen this in the form of undeliverables; does this indicate the user has an infection on their machine?

SC said...

Thank you I have received it too!!

Pen 39 said...

Just received one of these, I did click on the zip file, but it didn't open .... should I still be concerned?

Anonymous said...

We've received about 300 of these messages into a combination of possible and explicit e-mail addresses within our organisation over the last couple of hours. Our Watchguard XTM505 is identifying the attachment as unsafe and deleting the ZIP file.

Anonymous said...

Had a user with this today. She didn't open the attachment, but I noticed that opening the email launched the installer with a file called msczvsx.exe. I killed it before it completed and got rid of the file; it put it in ProgramData, so I think we are ok. All scans are negative, but that doesn't mean much.