Re-Confirmation Malware

2nd February 2017 | By admin

Comodo Threat Research Labs

[28 Jan 2017] – [Re-Confirmation Malware] SUBJECT: [Confirm Shipping Documents and BL]

Comodo Threat Research Labs (CTRL) identified a new phishing email that carries a malware attachment and is being spread to email users with the subject “Confirm Shipping Documents and BL”.

ASSOCIATED FILES

ZIP archive of the malware: [28 Jan 2017] – [Re-Confirmation Malware] 455KB (466,944 bytes)

  • 27680-1485476430-126622.eml 310 KB (319,488 bytes)
  • Shipping Docs-BL.exe 272 KB (278,528 bytes)
  • d41d8cd9-8f00-b204-e980-0998ecf8427e.rar 1.0 KB (188 bytes)

THE EMAIL

[Image: re-confirmation malware email]

EMAIL DATA

Received: from unknown (HELO mail.pomicro.com) (72.249.151.160) by with SMTP; 27 Jan 2017 00:20:31 -0000
Received-SPF: unknown (0: domain at spf-trusted-fwd1.surgate.net does not
designate permitted sender hosts)
Received: from LTSERVER.CT.local (rrcs-71-43-104-10.se.biz.rr.com [71.43.104.10]) by mail.pomicro.com (Postfix) with ESMTPA id 60ABF4550270;
Thu, 26 Jan 2017 14:34:11 +0500 (PKT)
MIME-Version: 1.0
Subject: Confirm Shipping Documents and BL
From: “Shenzhen Flying Logistics Co.,Ltd” <felix@cargosafeway.ph>
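As an added example (not part of the original report), the following Python helper performs the first-pass triage a defender does on the header block above: it reassembles those headers as a constructed RFC 5322 fragment (straight quotes and folded continuation lines added), pulls the connecting HELO name and IP from the first Received header, reads the Received-SPF result, and flags the points that stand out here: the non-pass SPF result, a HELO host that does not belong to the claimed sender domain, and the executable attachment named in the ASSOCIATED FILES list. The `triage` function and the `EXEC_EXTENSIONS` set are my own, not Comodo's tooling.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header block quoted in the report, reassembled as a
# minimal message (continuation lines indented so the parser folds them).
SAMPLE = """Received: from unknown (HELO mail.pomicro.com) (72.249.151.160) by with SMTP; 27 Jan 2017 00:20:31 -0000
Received-SPF: unknown (0: domain at spf-trusted-fwd1.surgate.net does not
 designate permitted sender hosts)
Received: from LTSERVER.CT.local (rrcs-71-43-104-10.se.biz.rr.com [71.43.104.10]) by mail.pomicro.com (Postfix) with ESMTPA id 60ABF4550270;
 Thu, 26 Jan 2017 14:34:11 +0500 (PKT)
MIME-Version: 1.0
Subject: Confirm Shipping Documents and BL
From: "Shenzhen Flying Logistics Co.,Ltd" <felix@cargosafeway.ph>

"""

# Attachment names taken from the report's ASSOCIATED FILES list.
ATTACHMENTS = ["Shipping Docs-BL.zip", "Shipping Docs-BL.exe"]

# Extensions Windows will execute directly; an assumed, deliberately short list.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def triage(raw_message, attachment_names):
    """Return hop, SPF and sender facts plus a list of findings worth a closer look."""
    msg = message_from_string(raw_message)
    # Each MTA prepends its own Received header, so the first one is the
    # recipient side's record of the host that connected (HELO name and IP).
    first_hop = msg.get_all("Received", [""])[0]
    m = re.search(r"\(HELO ([^)\s]+)\)\s*\(([\d.]+)\)", first_hop)
    helo, ip = (m.group(1), m.group(2)) if m else (None, None)
    spf_header = msg.get("Received-SPF", "")
    spf = spf_header.split()[0].lower() if spf_header else None
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    findings = []
    if spf != "pass":
        findings.append(f"SPF result is '{spf}': connecting host not authorised for {from_domain}")
    if helo and not (helo == from_domain or helo.endswith("." + from_domain)):
        findings.append(f"HELO host {helo} does not belong to sender domain {from_domain}")
    for name in attachment_names:
        if name.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
    return {"helo": helo, "ip": ip, "spf": spf, "from_domain": from_domain,
            "display_name": display_name, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE, ATTACHMENTS)["findings"]:
        print("FINDING:", line)
```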

THE ATTACHMENT

[Image: re-confirmation malware attachment]

ATTACHMENT AND EXTRACTED .EXE FILE

[Image: re-confirmation malware email attachment]

File Name : Shipping Docs-BL.zip 222.0 KB (229,376 bytes)
MD5 hash : 7B7473257022914580A3223411F20BBD
SHA1 hash : 4386E86F2EC1278A1E6C124DB03F0B0F739EFCA9
SHA256 hash : 72483E53F2E47678B5CE4B1303A8DDEE7EC80DDFA1360AF28CBE4A05A76ECEB3

File Name : Shipping Docs-BL.exe 272 KB (278,528 bytes)
MD5 hash : 5ABBFEEBF757031CD9AB4D627ABD731F
SHA1 hash : 986732F92BDCA226CEBD7F9ABE0818D4535CEE45
SHA256 hash : 9A148A09DCEC0B194F0F54F5B49DB44F0104854125AF84950A29F165F510B56C

File Name : d41d8cd9-8f00-b204-e980-0998ecf8427e.rar 1.0 KB (188 bytes)
MD5 hash : 633D2823A9E4C44FF7DC48410AE9B275
SHA1 hash : BF14D9A68ECDDE0750A93C207A542D6742412943
SHA256 hash : E27911316627BFEEA5D7207174E2BE0A36F0D7A65329A32A01CF68411CF86A79

TRAFFIC

[Image: traffic capture]

ASSOCIATED URLS:

  • 2017-01-31 05:28:56 76.162.154.216 HTTP 731 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-31 05:29:06 198.41.215.184 HTTP 430 GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXg CYrO0ZiFXsezKUCE1oABasbVc1%2F30qkcksAAQAFqxs%3D HTTP/1.1
  • 2017-01-31 05:29:32 188.68.234.146 HTTP 134 POST /Authentication/ HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-31 05:29:41 76.162.154.216 HTTP 695 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-31 05:30:24 117.18.237.29 OCSP 504 Request
  • 2017-01-31 05:30:25 117.18.237.29 OCSP 504 Request
  • 2017-01-31 05:30:27 76.162.154.216 HTTP 743 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-31 05:31:13 76.162.154.216 HTTP 699 POST / HTTP/1.1 (application/x-www-form-urlencoded)

DROPPED FILE IMAGE:

[Image: dropped file]

FINAL NOTES

Once again, here are the associated files:

ASSOCIATED FILES

ZIP archive of the malware: [28 Jan 2017] – [Re-Confirmation Malware] 455KB (466,944 bytes)

  • 27680-1485476430-126622.eml 310 KB (319,488 bytes)
  • Shipping Docs-BL.exe 272 KB (278,528 bytes)
  • d41d8cd9-8f00-b204-e980-0998ecf8427e.rar 1.0 KB (188 bytes)