Friday, 27 February 2015

Leonard Nimoy, Star Trek's Mr Spock, dies at 83


"The needs of the many outweigh the needs of the few, or the one."
— Spock, Star Trek: The Wrath of Khan


Feeling sad.. but what a legacy he has left.

A life is like a garden. Perfect moments can be had, but not preserved, except in memory. LLAP

eFax message from "unknown" - 1 page(s), Caller-ID: 1-219-972-8538

eFax message from "unknown" - 1 page(s), Caller-ID: 1-219-972-8538 using a FAX_20150226_1424989043_176.zip

Headers:
From: message@inbound.efax.com
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-219-972-8538
Message body:


Attached is a Zip file:
FAX_20150226_1424989043_176.zip
Inside the Zip is a Windows Executable:
fax_2342FAX_20150226_1424989043_176.exe

Sha256 Hashes:
de32206ccde1b20a944c5ac4c49a565d9d65ba4786bacc37aa18c2ca7d83b39f  [1]

Malware Information:

VirusTotal Report [1] (hits 6/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]
Description:
The malware in the zip is a trojan downloader largely referred to as Upatre.

This downloader will then probably download its partner in crime, Dyre.

Dyre is a Zeus-like banking Trojan which tries to capture as much information about your online banking details as possible.

It's also being used to send the same malware on to everyone else, using your own copy of Outlook and your bandwidth.


Cheers,

Steve
Sanesecurity.com

Pearl Summer Offer Sheet pearleurope maikel.theunissen

Pearl Summer Offer Sheet pearleurope maikel.theunissen malware

Headers:
From: {maikel.theunissen@pearleurope.com}
Subject: Pearl Summer Offer Sheet

Message body:

Dear Customer, 

Please find attached a copy of the Summer Offer sheet which we've extended to the end of February! 
To place an order please contact a member of the UK sales team. 

Kind regards, 
The UK Sales Team 

Free Phone: 00800 8424 9328
 Mike Truscott – Sales Manager UK
Tel: 07710 842822
 Jason Allum – Southern Area Sales Manager
Tel: 07766 733322

Attached is a Zip file:
Pearl UK Summer Offer Sheet 2015.zip
Inside the Zip is a Windows Executable:
Pearl UK Summer Offer Sheet 2015.exe

Sha256 Hash:
7f8dd1fd3e0d4cae2ddca058eb71015a608bed1486977ac178c5c3b2cf8c3668   [1]

Malware Information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report: [1]

Summary:
  • Steals private information from local Internet browsers
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup


Cheers,

Steve
Sanesecurity.com

Netflix account requires verification phish

Netflix account requires verification phish

Headers:
From: "Netflix"{lateluxury@email.secretescapes.com}
Subject: Netflix account requires verification
Message body:
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details.
Click here to verify your account
Failure to complete the validation process will result in a suspension of your netflix membership.
We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will allow us to maintain our high standard of account security.
Netflix Support Team
The above link will take you to a fake phishing site (currently down)
http://nefixx.co.uk/
The domain details are...
Domain name:
        nefixx.co.uk

    Registrant:
        Dave Cregan

    Registrant type:
        Unknown

    Registrant's address:
        166 Dunkery Road
        London
        London (City of)
        SE9 4HS
        United Kingdom

    Data validation:
        Registrant contact details validated by Nominet on 18-Feb-2015

    Registrar:
        Crazy Domains FZ-LLC [Tag = CRAZYDOMAINS-AE]
        URL: http://www.crazydomains.com

    Relevant dates:
        Registered on: 18-Feb-2015
        Expiry date:  18-Feb-2017
        Last updated:  18-Feb-2015

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.crazydomains.com
        ns2.crazydomains.com

    WHOIS lookup made at 11:48:43 27-Feb-2015

Cheers,

Steve
Sanesecurity.com

Purchase Order Copy malware

Purchase Order Copy malware...
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Headers:
Subject: Purchase Order Copy

Message Body:

Dear Sir,
 
Kindly find attached Purchase Order Copy and Dispatch Order at earliest,  Advance Payment will be made against  Invoice, Also mention our PO No, in your invoice. 

Thanks!

Depeek

(Senior Marketing Officer) 
    
Walmartsorest PVT Ltd
Global Business
New Delhi - 641476 


Sent from Samsung Mobile


Download Attachment As zip
Link downloads the following 7z archive file...

http://www.smsfreeportal.com/purchase_order_copy/nnamdiuyor2/Purchase%20Order%20Copy_pdf.7z
Inside the file is a Windows executable (very well hidden... yikes):
(1) Purchase Order Copy.pdf ___________________ (2) DispatchingTime and Address.pdf ____
___________________ _____ Adobe Reader.pdf or in .exe

Sha256 Hashes:
5aec64d47addd191d82a7817ee781fc53991060945fad1cf9f2430b91f501610 [1]

Macro document information:

VirusTotal Report [1] (hits 21/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
Cheers,

Steve

Delivery for package canadapost.ca Failed

Delivery for package canadapost.ca Failed is a macro-enabled Word document containing malware...
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Headers:
From: {no_reply@canadapost.ca}
Subject: Delivery for package # 7036733030540492 - Failed

Message Body:

Dear client,   
  
An unsuccessful delivery attempt was made for the parcel you are expecting ( tracking # 7036733030540492 ).  
The shipment status has changed to "Failed", because no person was present at the receiving address.  
Attached to this notification you will find the Delivery Notice Card, needed to reschedule the delivery.  
  
  
Label/Tracking Number: 7036733030540492  
Delivery Date: 26 February 2015  
Status: Failed  
Reason: No person present at delivery address  
Action: Delivery Notice Card e-copy sent  
  
The parcel can be picked up or scheduled for a new delivery, by visiting the nearest Canada Post office, with a printed copy of the attached Delivery Notice Card.  
  
The shipment will be canceled and the parcel returned to the sender, if a new delivery is not scheduled within 48 hours.  
  
  
Thank you
  
  
© 2015 Canada Post Corporation  
  
*** Do not reply, this email has been automatically generated ***
Attached filename:

delivery_trk_7036733030540492.doc

Sha256 Hashes:
a26b29999d895a876bb15de25d82a7cfb151032dad08adf0668aa27aae16c076 [1]

Macro document information:

VirusTotal Report [1] (hits 11/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
Cheers,

Steve

Dennys Invoice INV650988

Dennys Invoice INV650988 Word document malware now arriving...

Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Headers:
From: accounts@dennys.co.uk
Subject: Dennys Invoice INV650988

Message Body:

To view the attached document, you will need the Microsoft Word installed on your system.
Attached filename:

INV650988.DOC

Sha256 Hashes:
42efc98ed3f157b3a607a768e49f00f28a5f3eaeac167b9f7007a5510e3d8aec [1]
52b7b0d92df51b445e3cd3e23079c6fbecd541c5c07bca03ba3915393b5dac65 [2]
3d0b0a0bbfb045ab770e484834818a9520bcb27c389530ea3747dfcac1fc301a [3]

Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)
VirusTotal Report [2] (hits 0/57 Virus Scanners)
VirusTotal Report [3] (hits 0/57 Virus Scanners)

Malwr Report [1]
Malwr Report [2]
Malwr Report [3]

Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
Cheers,

Steve

Thursday, 26 February 2015

Your Sales Invoice worldwind 131234 zip

Your Sales Invoice worldwind.co.uk arriving with not very good detection rates...

Headers:
From: {donotreply@worldwind.co.uk}
Subject: Your Sales Invoice

Message body:

Your document is attached with our regards.

The document is in PDF format and requires Adobe Reader to view
(obtainable from www.adobe.com)

Attached is a Zip file:
131234.zip
Inside the Zip is a Windows Executable:
131234.exe

Sha256 Hash:
f9a4c6e5f2bac899b95772bb1b380b4a6f376c71b6c14385aa9154197e1a677d  [1]

Malware Information:

VirusTotal Report [1] (hits 4/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report: [1]


Cheers,

Steve
Sanesecurity.com

RA_New.zip NicolaR jhs co uk

RA_New NicolaR@jhs.co.uk now arriving with not very good detection rates...

Headers:
From: {NicolaR@jhs.co.uk}
Subject: RA 590182

Message body:

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.


Attached is a Zip file:
RA_New.zip
Inside the Zip is a Windows Executable:
RA_New.exe

Sha256 Hash:
29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e     [1]

Malware Information:

VirusTotal Report [1] (hits 2/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report: [1]


Cheers,

Steve
Sanesecurity.com

Chris Christou Grey Simmonds

Chris Christou Grey Simmonds Copy invoices now arriving....

Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Headers: (Note the email address is random)
From: Chris Christou {chris.christou@greysimmonds.co.uk}
Subject: Copy invoices

Message Body:

Hello ,

Please find copy invoices attached as per our telephone conversation.

Kind regards,

Chris

Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel:  0845 130 9070
Fax: 0845 370 9071
Attached filename:

IGM135809.doc

Sha256 Hashes:
3057d5ffa39796382af4e2f2503c022a66277578fb15b7c663aaa1a8412d453d  [1]
73d0d60b84393ffbc09a94230384772ec688ff2c39a2a4de58ff705b2aa55e50  [2]
a642d34e9ad9720da51eceaebc270fe68b7687f4a1adaff9455686c364b2d4d2 [3]

Macro document information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)
VirusTotal Report [2] (hits 0/57 Virus Scanners)
VirusTotal Report [3] (hits 0/57 Virus Scanners)
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
Cheers,

Steve

ringcentral New Voice Message from No Caller ID

ringcentral New Voice Message from No Caller ID now arriving with not very good detection rates...

Headers:
From: "notify-uk@ringcentral.com" {notify-uk@ringcentral.com}
Subject: New Voice Message from No Caller ID on 25/02/2015 at 16:25
Message body:


You Have a New Voice Message
From: No Caller ID
Received: 18 December 2014 at 16:25
Length: 00:03
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)
To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.
Thank you for using RingCentral.


Attached is a Zip file:
fax_2342.zip
Inside the Zip is a Windows Executable:
NoCallerID-1218-162550-153?.wav.exe

Sha256 Hash:
843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379   [1]

Malware Information:

VirusTotal Report [1] (hits 0/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]
Summary:
* Starts servers listening on 0.0.0.0:80
* Performs some HTTP requests
* Steals private information from local Internet browsers
* Collects information to fingerprint the system (MachineGuid, DigitalProductId,   SystemBiosDate)
* Installs itself for autorun at Windows startup

Downloads from:

http://webmail.npkstt.ru/java/ bin .exe
http://decapitated.cba.pl/java/ bin .exe
http://elsi.homepage.t-online.de/java/ bin .exe

Sha256 Hash:

c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b [2]

VirusTotal Report [2]
Malwr Report [2]



    Cheers,

    Steve
    Sanesecurity.com

    Wednesday, 25 February 2015

    eFax message from POTS modem 2

    eFax message from POTS modem 2...

    Headers:
    From: {message@inbound.efax.com}
    Subject: eFax message from "POTS modem 2 " - 1 page(s), Caller-ID: 1-630-226-2563
    Message body:


    Attached is a Zip file:
    fax_2342.zip
    Inside the Zip is a Windows Executable:
    fax_2342.exe

    Md5 Hashes:
    436da4d7aee7f8f4a8806b14b376cecf    [1]

    Malware Information:

    VirusTotal Report [1] (hits 12/57 Virus Scanners)

    Malwr Report [1]

    Hybrid Analysis Report [1]
    Description:
    The malware in the zip is a trojan downloader largely referred to as Upatre.

    This downloader will then probably download its partner in crime, Dyre.

    Dyre is a Zeus-like banking Trojan which tries to capture as much information about your online banking details as possible.

    It's also being used to send the same malware on to everyone else, using your own copy of Outlook and your bandwidth.


    Cheers,

    Steve
    Sanesecurity.com

    Recently, there's been activity in your account that seems unusual compared to your normal account activities Paypal

    Recently, there's been activity in your account that seems unusual compared to your normal account activities... PayPal phishing emails are arriving.

    Headers:
    From: "PayPal" {alyssa@sbcglobal.net}
    Subject: Recently, there's been activity in your account that seems unusual compared to your normal account activities.
    Message body:
    Log in to PayPal to resolve a limitation on your account
    Dear Customer,

    Recently, there's been activity in your account that seems unusual compared to your normal account activities. Please log in to confirm your identity and update your account information.

    To help protect your account, no one can send money or withdraw money. In addition, no one can close your account, send refunds, remove any bank accounts, or remove credit cards.

    What's going on?
    We're concerned that someone is using your account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual.

    What do I do?
    Log in to your account as soon as possible. We may ask you to confirm information you provided when you created your account to make sure that you're the account holder.
    update your information

    What's next?
    Once you've completed all the tasks, we'll remove all restrictions immediately.

    The Fake Paypal link:
    http://radhakrishnamandirbd.com/meeor

    Once you arrive at the fake site, you are asked to log in:


    Best stay away :)

    Cheers,

    Steve
    Sanesecurity.com

    eFax Report INCOMING FAX REPORT efax-reports.com

    eFax Report INCOMING FAX REPORT efax-reports.com

    Headers:
    From: "eFax Report" {noreply@efax-reports.com}
    Subject: eFax Report
    Message body:
    *************************************************************
    INCOMING FAX REPORT
    *************************************************************

    Date/Time: Thursday, 25.02.2015
    Speed: 169bps
    Connection time: 07:03
    Page: 8
    Resolution: Normal
    Remote ID: 591-748-174699
    Line number: 4
    DTMF/DID:
    Description: Internal only

    http://greenland-spb.ru/p5s8xo/373ax.html

    *************************************************************
    
    

    The link above...
    http://greenland-spb.ru/p5s8xo/373ax.html

    If clicked... will auto-download a zip file...
    FAX-id9123912481712931.zip
    Inside the Zip is a Windows Executable (scr file):
    FAX-id9123912481712931.scr


    Md5 Hashes:
    d3622fadfae34b9a70d5308230769706   [1]

    Malware Information:

    VirusTotal Report [1] (hits 2/48 Virus Scanners)

    Malwr Report [1]

    Hybrid Analysis Report [1]

    Cheers,

    Steve
    Sanesecurity.com

    Tracey Smith AquAid Card Receipt Word doc malware

    Tracey Smith AquAid Card Receipt macro downloader.... just an update on the malware that the macro downloads.

    Download location:
    jacekhondel.w.interia.pl/js/bin.exe
    Downloaded bin.exe information...
    Md5 Hash:  244729de906a7f31af9827e2f04c4972 [1]
    VirusTotal Report: [1] scores 3/57 Detections
    Malwr Report [1]

    Summary:
    • Starts servers listening on 0.0.0.0:80
    • Performs some HTTP requests
    • The binary likely contains encrypted or compressed data.
    • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
    • Creates a slightly modified copy of itself
    • Installs itself for autorun at Windows startup

    Hybrid Analysis Report [1]

    Cheers,

    Steve
    Sanesecurity.com

    PODATKI ZA MIESIĄC malware

    PODATKI ZA MIESIĄC incoming malware

    Headers:
    Subject: Re: PODATKI ZA 01/2015
    Message body:
    Witam,
    PODATKI ZA MIESIĄC 01 /2015 WYNOSZĄ:

    VAT 7-3712,00
    PIT 5-2469,00
    
    

    There's a Zip file attached to the email:
    PODATKI012015DOC.doc.zip

    Inside the Zip file is a PIF file (note the double extension trick: a dangerous executable):
    PODATKI012015DOC.doc.exe
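The double extension trick noted here, and the padded filename in the Purchase Order Copy post above, can both be caught mechanically before the archive reaches a user's mailbox. The Python below is an added example and is not Sanesecurity's code; the extension lists and the in-memory sample archives are constructed assumptions modelled on the attachments reported on this page.

```python
"""Flag a Zip attachment whose member is a Windows executable hiding behind a
document-style name (.doc.exe, .wav.exe, .pdf.scr, a padded name, or a real
PE file simply renamed). Added example, not Sanesecurity code; the sample
archives are constructed in memory so the script runs offline."""
import hashlib
import io
import zipfile

# Extensions Windows will execute on double-click. Assumption: illustrative
# list, not exhaustive. .pif and .scr are the ones most often dressed up
# as documents in the campaigns above.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# "Decoy" extensions an attacker places in front of the real one.
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "wav", "txt", "jpg"}
# PE files begin with the DOS stub magic "MZ"; a real .doc (OLE) does not.
MZ_MAGIC = b"MZ"


def classify_member(name: str, data: bytes) -> list:
    """Return the reasons a zip member looks like a disguised executable."""
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    # Strip padding so "Copy.pdf      .exe" still yields ["pdf", "exe"].
    exts = [e.strip() for e in basename.split(".")[1:]]
    real_ext = exts[-1] if exts else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension .%s" % real_ext)
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension .%s.%s" % (exts[-2], real_ext))
    elif data[:2] == MZ_MAGIC:
        # Renamed PE: the name says "document", the bytes say "program".
        reasons.append("PE header (MZ) behind a non-executable name")
    # Runs of spaces push the real extension out of view in Explorer and
    # mail clients (the "Purchase Order Copy" trick above).
    if "   " in basename:
        reasons.append("padding spaces hide the real extension")
    return reasons


def scan_zip_bytes(blob: bytes) -> dict:
    """Scan a zip attachment held in memory. Returns, per member, the reasons
    it is suspicious and its SHA256 for comparison with published hashes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            findings[info.filename] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "reasons": classify_member(info.filename, data),
            }
    return findings


def is_suspicious(blob: bytes) -> bool:
    """True if any member of the archive triggered at least one reason."""
    return any(f["reasons"] for f in scan_zip_bytes(blob).values())


def build_zip(members: dict) -> bytes:
    """Construct a sample archive in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples; the "executable" is a bare MZ header, not a program.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_DOUBLE_EXT = build_zip({"PODATKI012015DOC.doc.exe": FAKE_PE})
SAMPLE_PADDED = build_zip({"Purchase Order Copy.pdf               .exe": FAKE_PE})
SAMPLE_RENAMED = build_zip({"report.doc": FAKE_PE})
SAMPLE_CLEAN = build_zip({"invoice.txt": b"plain text, nothing to see"})

if __name__ == "__main__":
    for label, blob in [("double-ext", SAMPLE_DOUBLE_EXT), ("padded", SAMPLE_PADDED),
                        ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)]:
        for name, f in scan_zip_bytes(blob).items():
            print(label, repr(name), f["sha256"][:16], f["reasons"])
```

A mail gateway would run the same check on every archive attachment and quarantine rather than deliver when is_suspicious() is true.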
    Md5 Hashes:
     f96e3b67e37b5ae2be895b35c1574d06    [1]

    Malware Information:

    VirusTotal Report [1] (hits 0/56 Virus Scanners)

    Malwr Report [1]

    Hybrid Analysis Report [1]

    Cheers,

    Steve
    Sanesecurity.com

    Tracey Smith Card Receipt AquAid

    Tracey Smith Card Receipt AquAid are back once again and trying to trick you into opening a Word document containing a malicious macro.

    Note
    It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

    It's not advised to ring them as there won't really be anything they can do to help you.

    Message Headers: (Note the email address is random)
    From: "Tracey Smith" {nj.sales@mcmaster.com}
    Subject: Card Receipt

    Message Body:

     Hi

    Please find attached receipt of payment made to us today

    Regards

    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
    Telephone:        0121 525 4533
    Fax:                  0121 525 3502
    Mobile:              07795328895
    Email:               tracey.smith@aquaid.co.uk

    AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.

    *********************************************************************
    AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.
    Attached filename:

    CAR015 129011.xls

    Md5 Hashes:
    2fe17364f2e61b365ae024a9d3eaba8f  [1]
    33c5ad38ad766d4e748ee3752fc4c292 [2]
    d46eb50cacee7e95b8371ea6e274c9fe [3]

    Macro document information:

    VirusTotal Report [1] (hits 0/57 Virus Scanners)

    VirusTotal Report [2] (hits 0/57 Virus Scanners)
    VirusTotal Report [3] (hits 0/57 Virus Scanners)

    Malwr Report [1]
    Malwr Report [2]
    Malwr Report [3]
    Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur

    NOTE

    The current round of Word and Excel attachments are targeted at Windows users.

    Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

    The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

    However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

    Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
    Cheers,

    Steve

    Your LogMeIn Pro payment receipt

    Your LogMeIn Pro payment has been processed! logmein_pro_receipt.xls emails are being spammed containing a Word/Excel document with an embedded macro.

    These emails aren't from LogMeIn at all; they are just being used to make the email look more genuine, i.e. from a real company.
    Note
    It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

    It's not advised to ring them as there won't really be anything they can do to help you.

    Message Header:

    From: "LogMeIn.com" {no_reply@logmein.com}
    Subject: Your LogMeIn Pro payment has been processed!
    Message Body:
    Dear client,

    Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
    Your credit card has been successfully charged.

    Date : 17/2/2015
    Amount : $999 ( you saved $749.75)

    The transaction details can be found in the attached receipt.
    Your computers will be automatically upgraded the next time you sign in.

    Thank you for choosing LogMeIn!
     Attachment:

    logmein_pro_receipt.xls
    Md5 Hashes:
    2fe17364f2e61b365ae024a9d3eaba8f  [1]
    33c5ad38ad766d4e748ee3752fc4c292 [2]
    d46eb50cacee7e95b8371ea6e274c9fe [3]

    Malware Macro document information:

    VirusTotal Report [1] (hits 0/57 Virus Scanners)

    VirusTotal Report [2] (hits 0/57 Virus Scanners)
    VirusTotal Report [3] (hits 0/57 Virus Scanners)

    Malwr Report [1]
    Malwr Report [2]
    Malwr Report [3]


    Sanesecurity signatures are blocking this as:

    Sanesecurity.Malware.24676.DocHeur

    NOTE

    The current round of Word and Excel attachments are targeted at Windows users.

    Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

    The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

    However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

    Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

    Cheers,
    Steve

    Tuesday, 24 February 2015

    document do confirm "Izabela Pachucka" {pachuckaizabela@arsenalltd.pl}

    document do confirm "Izabela Pachucka" {pachuckaizabela@arsenalltd.pl} is being spammed containing a Word/Excel document with an embedded macro.

    These emails aren't from the above company at all; they are just being used to make the email look more genuine, i.e. from a real company.
    Note
    It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

    It's not advised to ring them as there won't really be anything they can do to help you.

    Message Header:

    From: "Izabela Pachucka" {pachuckaizabela@arsenalltd.pl}
    Subject: document do confirm
    Message Body:
    Dear customer

    Attached plese find the invoice of January loading. Please sign it, stamp and send me
    back till Monday.

    Thank You in advance


    Izabela Pachucka

    tel. +48-85-747-90-53
    tel. +48 516 010 976
    fax. +48-85-747-90-89

    iza@arsenalltd.pl
    --------------------------------------------------------
    Arsenal LTD Spółka z ograniczoną odpowiedzialnością Spółka Komandytowa

    15-688 Białystok ul.Przedzalniana 6H
    wpisana do Krajowego Rejestru Sądowego prowadzonego
    przez Sąd Rejonowy dla m.Białystok ,XII Wydział Gospodarczy
    pod KRS 0000367679 , o kapitale zakładowym w wysokości
    PLN 15 000 000,00 , o numerze NIP:542-31-83-714,
    numerze Regon:200392749
     Attachment:

    roexport.xls
    Md5 Hashes:
    ff3c3fbeed637cccc7549636b7e0f7cdb [1]
    f037944013dc6074413dc5551d8fc305 [2]
    03b3e2f0e14aa48c124e9814ca3038d7 [3]

    Malware Macro document information:

    VirusTotal Report [1] (hits 0/57 Virus Scanners)

    VirusTotal Report [2] (hits 0/57 Virus Scanners)
    VirusTotal Report [3] (hits 0/57 Virus Scanners)


    Sanesecurity signatures are blocking this as:

    Sanesecurity.Malware.24676.DocHeur

    NOTE

    The current round of Word and Excel attachments are targeted at Windows users.

    Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

    The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

    However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

    Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

    Cheers,
    Steve

    TOWN OF MT PLEASANT EFT Notification cabarruscounty

    TOWN OF MT PLEASANT, here is your EFT Notification cabarruscounty emails being spammed...

    Headers:
    From: {finance_ap@cabarruscounty.us}
    Subject: TOWN OF MT PLEASANT, here is your EFT Notification

    Message body:
    live-842000_12-17-2014-PE-E.pdf

    There's a Zip file attached to the email:
    live-842000_12-17-2014-PE-E.zip

    Inside the Zip file is a Windows executable:
    live-842000_12-17-2014-PE-E.exe
    Md5 Hashes:
    7e2b202f422ce83cfbd1c153906289a0  [1]

    Malware Information:

    VirusTotal Report [1] (hits 5/57 Virus Scanners)

    Malwr Report [1]

    Hybrid Analysis Report [1]

    Cheers,

    Steve
    Sanesecurity.com