Malware: Cotacao solicitada (relatorio.scr)
We received a suspicious email. The subject, "Cotacao solicitada", is Portuguese for "Quote requested"; the relevant headers are:
Received: from unknown (HELO userb) (***@globaltires.es@177.0.120.119)
Subject: Cotacao solicitada.
MIME-Version: 1.0
Date: Sat, 11 Feb 2012 17:56:37 -0300
Two things stand out before looking at the body: the sending host identified itself with a bare HELO name ("userb") rather than a fully qualified hostname, and the -0300 offset is consistent with the Portuguese-language lure.
The message body is HTML, and the relevant part of its source is this anchor:
<A href="hxxp://groupnetvect .co.de">relatorio1379-pdf.</A> (63kb)<BR>
The link text poses as a 63 KB PDF report ("relatorio1379-pdf"), but the href sends the user to an external (malicious) website:
hxxp://groupnetvect .co.de
Domain details:
The website groupnetvect .co.de is hosted at Hetzner Online AG and its current IP address is 78.46.102.86 (www8.subdomain.com). The server is located in Germany (DE) and hosts one other website. The domain is registered with the suffix CO.DE and the name groupnetvect. The organization is Hetzner Online AG.
URLVoid report:
http://www.urlvoid.com/scan/groupnetvect .co.de
HTTP response:
HTTP/1.1 302 Found
Date: Sun, 12 Feb 2012 13:01:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Location: hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html; charset=iso-8859-1
The first site serves no content of its own; it answers with an HTTP 302 whose Location header bounces the user to a second external (malicious) link. The path, wp-content/themes/aurora/options-link.php, sits inside a WordPress theme directory, which usually points to a compromised WordPress installation rather than a site the attacker registered:
hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php
Domain details:
The website consumer-electronics .junderhilltherapy .com is hosted at HostDime.com and its current IP address is 66.7.193.50 (west.superdomainzone.com). The server is located in the United States (US) and hosts one other website. The domain is registered with the suffix COM and the name junderhilltherapy. The organization is HostDime.com.
URLVoid report:
http://www.urlvoid.com/scan/consumer-electronics .junderhilltherapy .com
HTTP response:
HTTP/1.1 200 OK
Date: Sun, 12 Feb 2012 13:03:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Disposition: attachment; filename="relatorio.scr"
Connection: close
Content-Type: application/log
The second server delivers the payload directly: Content-Disposition: attachment makes the browser prompt to save a file named "relatorio.scr". A .scr (Windows screensaver) file is an ordinary PE executable and runs on double-click, and the odd Content-Type of application/log changes nothing, because Windows picks the handler by extension. Note also that neither the name nor the size matches the "pdf" of 63 KB promised by the link text.
File details:
File: relatorio_scr
Size: 23042 bytes
MD5: BFE2E1EB1C8780149C40FAE98C353BCA
SHA1: 4C69371B15E9738FC663A381C1841315FAC030A0
SHA256: 2DF1080C551E9603F2B8F197DE62D4A643B12BF31F6D3CEE47C0649037C51CF6
SHA384: E30FBFFAD035E7F35BA62B4C6689438ED9A66C3D2F494F4896387EE89C63E445F9AA07FF0D0BF4D1C84EAE282D3F5040
SHA512: 8D9D7B7D4FBF3ACBF984B88CB027D44E98EE997915E2823D61A882B1FDD6D7DD4F5630B518D2C602649D4D42D74DAF863804924D57AC30E8B0D33161D31F706C
The file is detected by three antivirus engines: Suspect.Trojan.Generic.FD-1 (ClamAV), Trojan-Banker.Win32.VB!IK (Emsisoft) and Trojan-Banker.Win32.VB (Ikarus). The Trojan-Banker.Win32.VB verdicts indicate a Visual Basic banking trojan, which fits the Portuguese-language lure.
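The two HTTP responses and the file details above are the whole analysis done by hand; the script below, an added example that is not part of the original post, replays that chain offline. It refangs the defanged URLs (hxxp://, spaced dots), parses each captured raw response, follows Location headers until the first non-redirect, pulls the filename out of Content-Disposition, flags an executable extension whose Content-Type does not admit to it, and computes the same MD5/SHA-1/SHA-256 digests listed for the sample. The response text is transcribed from the post (Date headers dropped); EXECUTABLE_EXTS and the stand-in payload bytes are assumptions of this example, not data from the page.

```python
"""Replay a captured phishing redirect chain offline and triage the payload.

Added example, not code from the original write-up. The raw responses are
transcribed from the post; the extension watch-list is our own assumption.
"""
import hashlib
import re

# Constructed input: the email link and the two responses quoted in the
# write-up, kept defanged (hxxp://, "domain .tld") exactly as on the page.
START_URL = "hxxp://groupnetvect .co.de"
RESPONSES = [
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.6\r\n"
    "Location: hxxp:// consumer-electronics .junderhilltherapy .com"
    "//wp-content/themes/aurora/options-link.php\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 21\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.2.17\r\n"
    'Content-Disposition: attachment; filename="relatorio.scr"\r\n'
    "Connection: close\r\n"
    "Content-Type: application/log\r\n"
    "\r\n",
]

# Assumed watch-list: extensions Windows runs on double-click regardless of
# the Content-Type the server advertised.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".msi", ".jar"}
# MIME types under which a PE file is normally (honestly) served.
BINARY_TYPES = ("application/octet-stream", "application/x-msdownload",
                "application/x-dosexec")
REDIRECTS = {301, 302, 303, 307, 308}


def refang(url):
    """Undo the 'hxxp://' and 'domain .tld' defanging used in the write-up."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    url = re.sub(r"\s*\.\s*", ".", url)      # "junderhilltherapy .com" -> ".com"
    return url.replace(" ", "")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def attachment_filename(headers):
    """Filename from Content-Disposition, or None when the header is absent."""
    match = re.search(r'filename="?([^";]+)"?',
                      headers.get("content-disposition", ""))
    return match.group(1).strip() if match else None


def walk_chain(start_url, responses):
    """Follow the captured responses hop by hop until the first non-redirect.

    Returns (hops, verdict); verdict is None if every response redirected.
    """
    hops = [refang(start_url)]
    for raw in responses:
        status, headers, _ = parse_response(raw)
        if status in REDIRECTS and "location" in headers:
            hops.append(refang(headers["location"]))
            continue
        filename = attachment_filename(headers)
        ext = "." + filename.rsplit(".", 1)[-1].lower() if filename and "." in filename else ""
        ctype = headers.get("content-type", "")
        verdict = {
            "status": status,
            "filename": filename,
            "content_type": ctype,
            "executable_ext": ext in EXECUTABLE_EXTS,
            # Executable name served under a non-binary MIME type: a tell, since
            # Windows opens by extension and ignores what the server claimed.
            "type_mismatch": ext in EXECUTABLE_EXTS and not ctype.startswith(BINARY_TYPES),
        }
        return hops, verdict
    return hops, None


def digests(data):
    """MD5 / SHA-1 / SHA-256 of a payload, as listed in the file details."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    hops, verdict = walk_chain(START_URL, RESPONSES)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop}")
    print(verdict)
    # Constructed stand-in bytes; hash the real downloaded file in practice.
    print(digests(b"MZ" + b"\x00" * 14))
```

Run it against real captures by pasting each raw response (a curl -i -D - transcript, or the bytes from a proxy) into RESPONSES in order; the point of replaying from captures rather than fetching is that the chain is never touched from an analyst machine, and the refanged URLs stay defanged everywhere except inside the script.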