The Latest in IT Security

“Your Wire Transfer 82932922 canceled” spam / Payment reeceipt.exe


This fake wire transfer spam comes with a malicious attachment:

Date:      Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From:      Federal Reserve [[email protected]]
Subject:      Your Wire Transfer 82932922 canceled

The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately 

In this case the attachment is PAYMENT RECEIPT, which contains a malicious executable named Payment reeceipt.exe (note the misspelling), crafted to look like a Word document. This executable has a so-so VirusTotal detection rate of 29/46.

The malware has the following checksums according to Comodo CAMAS:
Size: 371712 bytes
MD5: 0a3723483e06dcf7e51073972b9d1ef3
SHA1: 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA256: 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd
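As an added example (not code from the original post), here is a small Python triage script that computes the three checksums listed above for every file under a directory and compares them against these IOCs, and also flags attachments built like Payment reeceipt.exe: payment-themed names ending in an executable extension, document-style double extensions, and files that carry a PE "MZ" header behind a non-executable extension. The hash and size values are the ones printed above; the name heuristics and the sample files it writes when run are assumptions constructed for the demo, not the real malware.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the post: size and hashes of "Payment reeceipt.exe".
IOC_SIZE = 371712
IOC_HASHES = {
    "md5": "0a3723483e06dcf7e51073972b9d1ef3",
    "sha1": "293735a9fdc7e786b12c2ef92f544ffc53a0a0e7",
    "sha256": "0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd",
}

# Heuristics (assumptions, not from the post): executable extensions dressed up
# as payment paperwork, or hidden behind a document-style double extension.
EXEC_EXT = (".exe", ".scr", ".com", ".pif")
CAMPAIGN_NAME = re.compile(r"(?i)(receipt|reeceipt|payment|transfer|wire).*\.(exe|scr|com|pif)$")
DOUBLE_EXT = re.compile(r"(?i)\.(doc|docx|rtf|pdf|xls|xlsx|txt)\.(exe|scr|com|pif)$")


def file_hashes(path, chunk=65536):
    """Return MD5/SHA1/SHA256 hex digests of a file, computed in one streaming pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def hashes_match(digests):
    """Return the names of the algorithms whose digest equals the published IOC."""
    return [algo for algo, hexdigest in digests.items() if IOC_HASHES.get(algo) == hexdigest]


def has_mz_header(path):
    """True if the file starts with the 'MZ' DOS stub that every PE executable carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path):
    """Return a list of reasons the file is suspicious; an empty list means nothing matched."""
    reasons = []
    name = os.path.basename(path)
    for algo in hashes_match(file_hashes(path)):
        reasons.append(f"{algo} matches published IOC")
    if os.path.getsize(path) == IOC_SIZE:
        reasons.append("size matches published IOC (weak signal on its own)")
    if CAMPAIGN_NAME.search(name):
        reasons.append("campaign-style attachment name")
    if DOUBLE_EXT.search(name):
        reasons.append("document-like double extension")
    if has_mz_header(path) and not name.lower().endswith(EXEC_EXT + (".dll",)):
        reasons.append("PE header behind a non-executable extension")
    return reasons


def scan_directory(root):
    """Map each flagged file under root to its reasons; clean files are omitted."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            reasons = classify(path)
            if reasons:
                hits[path] = reasons
    return hits


def build_demo(root):
    """Write constructed sample attachments (not the real malware) into root."""
    samples = {
        "Payment reeceipt.exe": b"MZ" + b"\x90" * 64,      # campaign-style name, PE stub
        "Transfer details.doc.exe": b"MZ" + b"\x00" * 64,  # double extension
        "statement.pdf": b"MZ" + b"\x00" * 64,             # PE disguised as a PDF
        "notes.txt": b"nothing to see here",               # benign
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return list(samples)


def run_demo():
    """Build the constructed samples in a temp dir, scan them, return {basename: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return {os.path.basename(p): r for p, r in scan_directory(tmp).items()}


if __name__ == "__main__":
    for name, reasons in sorted(run_demo().items()):
        print(name, "->", "; ".join(reasons))
```

Point scan_directory at a mail spool's extracted attachments or a quarantine folder; a hash match is the only hard indicator, while the name and header heuristics are there to catch the next sample in the campaign, which will have a different hash but the same packaging.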

Anubis has a pretty detailed report of what this malware does. In particular, you might want to monitor network traffic to and from (Caucasus Online, Georgia), which seems to be a C&C server. This IP has also been seen here. There are several other IPs involved, but these look like DSL subscribers with dynamic addresses, so they are probably part of a botnet. For the sake of completeness they are:






