Today we received a spam email sent on behalf of DHL, asking us to print a document linked in the email (of course) so that a parcel could be delivered to us… sure.
So, with the help of @B0gi_, we checked it out. Here is what we found:
The link in the email points to what is apparently a hacked website:
hxxp://ministerioriodedios.com/ZNOMEAQXQV.php?kättesaamise=651_1xxxxxx
Clicking the link downloads a malicious zip file containing an executable that is masquerading as a Microsoft Word document.
The executable is named DHL_IT_ID652372_234.exe and is detected as malware by only a handful of antivirus vendors:
https://www.virustotal.com/file/5a2cc978b52208464f0984cece8040d23a0d7464fe48fa41681b7c97e0220057/analysis/
Detection ratio: 6 / 46
Analysis date: 2013-01-23 09:24:56 UTC
SHA256: 5a2cc978b52208464f0984cece8040d23a0d7464fe48fa41681b7c97e0220057
http://www.threatexpert.com/report.aspx?md5=355fda99177a295688c5a0e558f020e9
File MD5: 0x355FDA99177A295688C5A0E558F020E9
File SHA-1: 0xA3AEA2D5756366111E88963E72E725F2805D1381
File size: 108,544 bytes
When executed, it saves and displays a txt file containing some random information:
In reality, however, it acts as a dropper and simply tries to contact the following hosts:
sending the following string as a parameter:
/640039097CF2191E622C4BA5F4E03998EE58D58FDEE1EE4C17E6
0F4AB1B84952E4F2A7637006CCA1B98A70EF33EEBB9DA74E47AA5
9C04844222DAC151FC8C5724555E87E7D99905979A2E01F1A75F7
in order to download a malicious executable and some related DLLs onto the victim's computer:
9ac68f053ceebdf18993a540ce4ac76b.exe
sb215.dll.crp
lite.dll.crp
This malicious executable is detected as generic malware by 5 antivirus vendors:
https://www.virustotal.com/file/871f0213c9e9e2b40f4a1d188a6d2615e6a0f4fa20df3c021bc364455b724350/analysis/1358937002/
Detection ratio: 5 / 46
Analysis date: 2013-01-23 10:30:02 UTC
SHA256: 871f0213c9e9e2b40f4a1d188a6d2615e6a0f4fa20df3c021bc364455b724350
http://www.threatexpert.com/report.aspx?md5=c08baf89f755d40fac488e4811d5977e
File MD5: 0xC08BAF89F755D40FAC488E4811D5977E
File SHA-1: 0x8BEE9D756DE27C35406496920B37FF5F68C17E58
File size: 42,488 bytes
and it tries to contact the following hosts:
http://whifflepufffournight.net/api/test
http://latestarguments.org/api/test
which are associated with the domain wikimediasticky.asia, whose homepage shows a login form:
and they are linked together as shown in the following robtex image:
hxxp://cnet.robtex.com/31.184.244.html
This kind of activity had already been detected several times by threatexpert:
http://threatexpert.com/reports.aspx?find=api/test&x=0&y=0
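As an added example (not part of the original post), here is a small Python check a defender could run over proxy logs for the two request patterns described above: the long hex string sent as the request path to bare-IP hosts on non-standard ports, and the /api/test check-in of the second stage. The log lines are constructed, and the 40-character minimum for the hex path is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex-string request path as used by the dropper's beacon (40-char minimum is an assumption)
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{40,}$")
# Check-in path contacted by the second-stage executable
CHECKIN_PATH = "/api/test"
# Requests to bare IPs on these ports are too common to flag on the hex rule alone
COMMON_PORTS = {80, 443}

# Constructed proxy log lines, "client url status" (the first two URLs reuse hosts from the post)
SAMPLE_LOG = """\
10.0.0.12 http://81.93.248.152:8080/640039097CF2191E622C4BA5F4E03998EE58D58FDEE1EE4C17E6 200
10.0.0.12 http://www.example.com/index.html 200
10.0.0.15 http://latestarguments.org/api/test 200
10.0.0.20 http://72.29.84.159:60000/0F4AB1B84952E4F2A7637006CCA1B98A70EF33EEBB9DA74E47AA5 404
10.0.0.21 http://intranet.corp:8080/ABCDEF 200
"""


def classify(url):
    """Return a label if the URL matches one of the two patterns from the analysis, else None."""
    parts = urlsplit(url)
    host, port, path = parts.hostname, parts.port, parts.path
    if host is None:
        return None
    if path == CHECKIN_PATH:
        return "second-stage-checkin"
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None  # a hostname, not a bare IP: the beacon rule does not apply
    if port is not None and port not in COMMON_PORTS and HEX_PATH.match(path):
        return "dropper-beacon"
    return None


def scan_log(text):
    """Return (client, url, label) for every flagged line of a 'client url status' log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        label = classify(fields[1])
        if label:
            hits.append((fields[0], fields[1], label))
    return hits


if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{label:22} {client} -> {url}")
```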
Also, by modifying the parameter passed to the malicious hosts listed above, it appears that these hosts are serving various other kinds of malware. Research on the internet confirmed our thesis.
In fact, we also found the following malicious executables: