<div style='background-color: none transparent;'></div>
Home » » Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT

Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely, the spamvertised Uniform Traffic Tickets and the FDIC Notification.

_Uniform Traffic Tickets

Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip

Detection rates:
Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii -  Detection rate: 37/43 (86.0%)
MD5   : 6361d4a40485345c18473f3c6b4b6609
SHA1  : 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725

Ticket1.exe - Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8%)
MD5   : e2a2d67b8a52ae655f92779bec296676
SHA1  : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc

Upon execution the samples phone back to:
sdkjgndfjnf.ru/pusk3.exe - (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php -;;; - AS41018 - Email: admin@jokelimo.com
rattsillis.com/pusk3.exe -;;; - AS41018 - Email: admin@jokelimo.com

DNS emulation of ns1.lemanbrostm.info reveals two domains belidiskalom.com - - Email: admin@belidiskalom.com and lemanbrostm.info - Email: coz@yahoo.com using the same name server. 

Known MD5 modifications for pusk3.exe at rattsillis.com:

Related binaries and associated MD5 modifications:
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac;
rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8

Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4

sdkjgndfjnf.ru/blood.exe -  MD5: 577cf0b7ca3d5bcbe35764024f241fa8

Detection rate for blood.exe:
blood.exe - Trojan-Spy.Win32.Zbot - 25/44 (56.8%)
MD5   : 577cf0b7ca3d5bcbe35764024f241fa8
SHA1  : 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18

_FDIC Notification

Spamvertised attachments: FDIC_Document.zip

Detection rate:FDIC_Document.exe -  Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5%)
MD5   : 7b5a271c58c6bb18d79cd48353127ff6
SHA1  : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0

Upon execution phones back to:
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

What's particularly interesting is the fact that both campaigns have been launched by the same cybercriminal, with the same C&C - rattsillis.com also seen in the spamvertised ACH Payment Canceled campaign.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Share this article :
Copyright © 2011. Dancho Danchev's Blog - Mind Streams of Information Security Knowledge . All Rights Reserved
Company Info | Contact Us | Privacy policy | Term of use | Widget | Advertise with Us | Site map
Template Modify by Creating Website. Inpire by Darkmatter Rockettheme Proudly powered by Blogger