Malware: Cotacao solicitada (relatorio.scr)

We have received a suspicious email:

Received: from unknown (HELO userb) (***@globaltires.es@177.0.120.119)
Subject: Cotacao solicitada.
MIME-Version: 1.0
Date: Sat, 11 Feb 2012 17:56:37 -0300

The email message is HTML, and its page source looks like this:

HTML Page Source

As you can see from this code:

<A href="hxxp://groupnetvect .co.de">relatorio1379-pdf.</A> (63kb)<BR>

The A HREF link redirects the user to an external (malicious) website:

hxxp://groupnetvect .co.de

Domain details:

The website groupnetvect .co.de is hosted at Hetzner Online AG and its current IP address is 78.46.102.86 (www8.subdomain.com). The server is located in Germany (DE), and 1 other website is hosted on the same server. The domain is registered with the suffix CO.DE and the name groupnetvect. The organization is Hetzner Online AG.

URLVoid report:

http://www.urlvoid.com/scan/groupnetvect .co.de

HTTP response:

HTTP/1.1 302 Found
Date: Sun, 12 Feb 2012 13:01:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Location: hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html; charset=iso-8859-1

The user is redirected again to another external (malicious) link:

hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php

Domain details:

The website consumer-electronics .junderhilltherapy .com is hosted at HostDime.com and its current IP address is 66.7.193.50 (west.superdomainzone.com). The server is located in the United States (US), and 1 other website is hosted on the same server. The domain is registered with the suffix COM and the name junderhilltherapy. The organization is HostDime.com.

URLVoid report:

http://www.urlvoid.com/scan/consumer-electronics .junderhilltherapy .com

HTTP response:

HTTP/1.1 200 OK
Date: Sun, 12 Feb 2012 13:03:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Disposition: attachment; filename="relatorio.scr"
Connection: close
Content-Type: application/log

Now we can see that the browser is prompted to download a file named “relatorio.scr”:

Malicious SCR File

File details:

File: relatorio_scr
Size: 23042 bytes
MD5: BFE2E1EB1C8780149C40FAE98C353BCA
SHA1: 4C69371B15E9738FC663A381C1841315FAC030A0
SHA256: 2DF1080C551E9603F2B8F197DE62D4A643B12BF31F6D3CEE47C0649037C51CF6
SHA384: E30FBFFAD035E7F35BA62B4C6689438ED9A66C3D2F494F4896387EE89C63E445F9AA07FF0D0BF4D1C84EAE282D3F5040
SHA512: 8D9D7B7D4FBF3ACBF984B88CB027D44E98EE997915E2823D61A882B1FDD6D7DD4F5630B518D2C602649D4D42D74DAF863804924D57AC30E8B0D33161D31F706C

The file is detected by antivirus engines as Suspect.Trojan.Generic.FD-1 (ClamAV), Trojan-Banker.Win32.VB!IK (Emsisoft) and Trojan-Banker.Win32.VB (Ikarus).
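The redirect chain above (302 from the link in the email, then a 200 with Content-Disposition: attachment delivering a .scr) is the pattern a triage script should catch before anyone opens the link. The following is an added example, not code from the original post: it walks the chain offline against the two responses captured above (reconstructed here as a constructed lookup table, with the defanging removed) and reports cross-domain hops and executable attachments without ever saving or running the payload.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed offline table: the two responses captured in this write-up,
# keyed by the URL each was served from. No network access happens.
RESPONSES = {
    "http://groupnetvect.co.de/":
        "HTTP/1.1 302 Found\r\nServer: Apache\r\n"
        "Location: http://consumer-electronics.junderhilltherapy.com"
        "//wp-content/themes/aurora/options-link.php\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n\r\n",
    "http://consumer-electronics.junderhilltherapy.com"
    "//wp-content/themes/aurora/options-link.php":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        'Content-Disposition: attachment; filename="relatorio.scr"\r\n'
        "Content-Type: application/log\r\n\r\n",
}
# Extensions Windows executes as code even when the download looks like a report.
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

def parse_response(raw):
    """Return (status_code, {lower-cased header name: value}) for a raw response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def attachment_filename(headers):
    """Extract filename= from Content-Disposition, or None if there is none."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return m.group(1) if m else None

def follow_chain(start, fetch, max_hops=5):
    """Follow Location headers via fetch(url) -> raw text; return (hops, findings)."""
    hops, findings, url = [], [], start
    for _ in range(max_hops):
        status, headers = parse_response(fetch(url))
        hops.append((url, status))
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            nxt = urljoin(url, headers["location"])
            if urlparse(nxt).hostname != urlparse(url).hostname:
                findings.append("cross-domain redirect to " + urlparse(nxt).hostname)
            url = nxt
            continue
        name = attachment_filename(headers)
        if name and name.lower().endswith(EXEC_EXT):
            findings.append("executable attachment served: %s (Content-Type %s)"
                            % (name, headers.get("content-type", "?")))
        break  # final hop reached; the body is never written to disk
    return hops, findings
```

Run with `follow_chain("http://groupnetvect.co.de/", RESPONSES.__getitem__)`; against live URLs, swap in a fetch callback that issues a HEAD or a range-limited GET so the payload body is never retrieved in full.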
