This fake wire transfer spam comes with a malicious attachment:
Date: Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From: Federal Reserve [[email protected]]
Subject: Your Wire Transfer 82932922 canceled
The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately
In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe . This executable has a so-so VirusTotal detection rate of 29/46.
The malware has the following checksums according to Comodo CAMAS:
| Size | 371712 |
| MD5 | 0a3723483e06dcf7e51073972b9d1ef3 |
| SHA1 | 293735a9fdc7e786b12c2ef92f544ffc53a0a0e7 |
| SHA256 | 0eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd |
Anubis has a pretty detailed report of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here. There are several other IPs involved, but these look like DSL subscribers with dynamic address, so probably a part of a botnet. For the sake of completeness they are:
64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67
Leave a reply
