Trojaner Warnung: Telekom E-Mail Betreff: RechnungOnline Monat Mai 2014, Buchungskonto: 2962325641

by May 14, 2014

Telekom E-Mail mit dem Betreff: RechnungOnline Monat Mai 2014

Telekom E-Mail mit dem Betreff: RechnungOnline Monat Mai 2014


Es tobt derzeit wieder eine neue Phishing Welle.
Zahlreiche Mails mit Telekom Rechnungen oder Vodafone Rechnung (EXE in ZIP) werden derzeit in hauptsächliche deutsche Postfächer geliefert. Betreff ist “Telekom E-Mail mit dem Betreff: RechnungOnline Monat Mai 2014, Buchungskonto: 2962325641” oder “Ihre Rechnung vom 14.05.2014 steht als PDF bereit”.
Erkennungsrate liegt wieder einmal unter 5%.
Die Strings im File sehen stark nach “Cridex” aus, den ich Mitte Januar bereits analysiert habe.
Das sind die derzeitigen Indikatoren of Compromise (IoCs):
C2 Domains
===================
flusegame.eu
flusegames.eu
humpackers.org
interyou.pw
162.220.246.105 (US)
195.168.1.121 (Slowakei)
> brauchbar
USER AGENT
===================
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
‹> unbrauchbar
http://blogs.msdn.com/b/ie/archive/2010/03/23/introducing-ie9-s-user-agent-string.aspx
URL Request
===================
POST /70144646/974aade0/ HTTP/1.1
POST /3af6d48d/ec8a4b32/ HTTP/1.1
‹> brauchbar
Regex: POST \/[0-9a-f]{8}\/[0-9a-f]{8}\/ HTTP\/1\.1
File System
===================
Files Created
VM 1 XP
C:\Documents and Settings\Administrator\Application Data\Microsoft\lmyaudio.exe
736A96BBAD59864F27F3599D88D28EA2
C:\Documents and Settings\Administrator\Application Data\6574676.bat
82E21F407E2161E350B7B90C89BFB6E4
WM 1 Win7
C:\Users\admin\AppData\Roaming\3818398.bat
7815C2E3F3EC32232A8532C298E0458F
C:\Users\admin\AppData\Roaming\Microsoft\hxxshare.exe
736A96BBAD59864F27F3599D88D28EA2
VM 2
%UserProfile%\APPLIC~1\MICROS~1\WWCCOM~1.EXE
VM 3
C:\Documents and Settings\User\Application Data\Microsoft\rqvupdate.exe
736a96bbad59864f27f3599d88d28ea2
C:\DOCUME~1\User\LOCALS~1\Temp\1.tmp
bdb072ca6b6980addcad385462379c21
C:\Documents and Settings\User\Application Data\1478967.bat
e7f01e2614ea2a1202c2c1f04f930343
‹> MD5 brauchbar:
736a96bbad59864f27f3599d88d28ea2
=== Links
Infos
http://www.mimikama.at/allgemein/trojaner-warnung-telekom-e-mail-mit-dem-betreff-rechnungonline-monat-mai-2014-buchungskonto-2962325641-sic/
Virustotal Analyse ZIP
https://www.virustotal.com/en/file/4f54a33986c83dd6459986c730072c8e8b82386de9f517d95d8e2136faabd781/analysis/
Threat Expert Report
http://www.threatexpert.com/report.aspx?md5=eba99ce062c104aae07a4ed39edfe6c3
http://www.threatexpert.com/report.aspx?md5=2989f59501ae96035b8ccdf67f4d0ae0
Analyse Malicious EXE
https://malwr.com/analysis/NTRjNzczYzVlNjE4NGI5NThlZjk4NWUzZjAyMTIyY2Q/
 

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Subscribe to our Newsletter

Monthly news, tips and insights.

Follow Us

Upgrade Your Cyber Defense with THOR

Detect hacker activity with the advanced APT scanner THOR. Utilize signature-based detection, YARA rules, anomaly detection, and fileless attack analysis to identify and respond to sophisticated intrusions.

Recommended Blog Posts