Author

Topic: Anyone else get this malware email? (Read 1366 times)

sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 27, 2012, 03:40:43 PM
#16
Thank you for adding! I always love new tools in my arsenal
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
May 26, 2012, 10:45:19 PM
#15
http://anubis.iseclab.org/
Anubis: Analyzing Unknown Binaries, rather useful site too Smiley
Cool site! Analysis of this particular sample: http://anubis.iseclab.org/?action=result&task_id=10628d7019a46f47405a49a63bcc93a25

It appears to be a trojan that does keylogging, and installs a reverse shell or VNC-type program. It does 2 DNS lookups and a few http connections, all shown in the report.

Here is the beginning of the text report, not all of it will fit due to forum limits on the amount of text in one post:
Code:
                           ___                __    _                         
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\       
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho       
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs       
      -:+hhdhyys/-                                           -\syyhdhh+:-     
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-   
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++-
 +++++++++//yy+/:                                             :\+yy\\+++++++++
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for Invitation of Ecurrency Conference.xls.scr.xls
                   MD5: 9c1f40c32a7f32c7e59396986098afef
[#############################################################################]

Summary:
    - Write to foreign memory areas:
        This executable tampers with the execution of another process.

    - Packed Binary:
        This executable is protected with a packer in order to prevent it
        from being reverse engineered.

    - Execution did not terminate correctly:
        The executable crashed.

    - Autostart capabilities:
        This executable registers processes to be executed at system start.
        This could result in unwanted actions to be performed automatically.

    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect safety surfing the World
        Wide Web.

    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.                       
vip
Activity: 980
Merit: 1001
May 26, 2012, 10:24:34 PM
#14
http://anubis.iseclab.org/
Anubis: Analyzing Unknown Binaries, rather useful site too Smiley
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
May 25, 2012, 07:50:20 AM
#13
A form grabber. Interesting.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 25, 2012, 01:13:18 AM
#12
It is hiding a trojan. Out of the 32 scans I ran, it only popped up in 2 of them. All the appropriate information is posted in my previous posts links.
legendary
Activity: 4536
Merit: 3188
Vile Vixen and Miss Bitcointalk 2021-2023
May 25, 2012, 01:09:45 AM
#11
It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.

It's a Win32 executable, not an Office file. The vulnerable software it targets is Windows. Wink
administrator
Activity: 5222
Merit: 13032
May 25, 2012, 12:53:31 AM
#10
It just displayed gibberish when I opened it in Office 2007. Didn't touch any files. Maybe it targets some other vulnerable software.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 24, 2012, 11:10:14 PM
#8
Give me a bit, and I will have a log ready as soon as I run it. Call it my White hat deed of the day...lol

Cant figure out how to make a log at moment, but none of my scans are showing really anything malicious.

multi scanner results

http://metascan.org/result.php?scan=MzkxODYx
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
May 24, 2012, 10:54:22 PM
#7
Truth be told, I ran it on my offline virtual machine, and I have no freaking Idea what it does.
Run it in a VM with Sandboxie, with logging enabled. The Sandboxie logs will tell you all the files and registry objects that the programs touches, whether in a read or a write operation.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 24, 2012, 10:36:43 PM
#6
Truth be told, I ran it on my offline virtual machine, and I have no freaking Idea what it does.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
May 24, 2012, 10:32:05 PM
#5
File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

A screensaver miner maybe?

LOL well you are welcome to risk your wallet to find out. Grin Don't say you weren't warned. Kiss
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
May 24, 2012, 09:48:42 PM
#4
File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info

A screensaver miner maybe?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
May 24, 2012, 03:05:50 PM
#3
File ends in .xls.scr.xls. .scr is the same as .exe, used in screensavers but can do anything that a standard executable can do.

EDIT: https://www.virustotal.com/file/b50dd5b511934b97edf77f7611e5b007d330c6adfe68adeb167068a20b38409f/analysis/#additional-info
donator
Activity: 826
Merit: 1060
May 24, 2012, 02:29:54 PM
#2
I got it too. I deleted it without clicking, so I don't know where the link goes.
administrator
Activity: 5222
Merit: 13032
May 24, 2012, 02:24:27 PM
#1
I received this file via email. I suspect it is malware -- possibly a wallet-stealer. Did anyone else get this?

http://www5.zippyshare.com/v/12732912/file.html (Warning: probable malware)

Quote from: Email
Invitation to ecurrency conference.

http:// asiaelektronik.com/docs/processdl.html

Please let us know if you interested.

Thanks & Regards

The ecurrency part makes me think it's targeted to Bitcoin users.
Jump to: