New Banker Trojan on the block

Fifteen minutes ago we detected a new spam message in circulation that appears to come from Carrington Mortgage Services LLC. The message informs the recipient that a payment of $8844.80 has been made from their checking account to this mortgage company. In addition, the recipient is asked to download a .ZIP file that supposedly contains an invoice for this payment (the file is actually a Banker Trojan). What is interesting about this particular message is that the recipient must enter the password "invoice" to decrypt the attachment, most likely a strategy to defeat gateway scanners, which cannot inspect the contents of an encrypted archive.

http://www.virustotal.com/analisis/41fd93b5162dfee0fbe1ba2c9f8bef13

When the attachment is extracted, it contains an executable made to look like an Excel document (with the Windows option to hide extensions of known file types enabled, which is the default, it could easily pass for an Excel file).
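The two tricks described above (a password-protected archive that a gateway cannot open, and an executable whose name passes for a spreadsheet) are exactly what an attachment policy can still catch from metadata alone. The following is an added example, not code from the original post or from any vendor product; the file names, extension lists and the in-memory sample archive are constructed for illustration.

```python
"""Gateway-style triage of a ZIP mail attachment (constructed example, not from
the original post or any vendor product)."""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 of a ZIP entry header

def assess_attachment(zip_bytes: bytes) -> list:
    """Return (member, reason) findings; an empty list means nothing stood out."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            name = zi.filename
            parts = name.lower().rsplit(".", 2)
            last = "." + parts[-1] if len(parts) > 1 else ""
            penult = "." + parts[-2] if len(parts) > 2 else ""
            encrypted = bool(zi.flag_bits & ENCRYPTED_FLAG)
            if encrypted:
                # Password protection defeats content scanning, so the decision
                # has to rest on metadata (or the mail is held for review).
                findings.append((name, "encrypted member: contents cannot be scanned"))
            if last in EXEC_EXTS:
                # "invoice.xls.exe" displays as "invoice.xls" when extensions are hidden.
                disguised = penult in DOC_EXTS
                findings.append((name, "executable disguised with a document extension"
                                 if disguised else "executable member"))
            elif not encrypted and zf.read(zi)[:2] == b"MZ":
                findings.append((name, "PE header in a non-executable filename"))
    return findings

def build_sample(member: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a one-member ZIP in memory. mark_encrypted sets flag bit 0 in the local
    header (offset 6) and central directory entry (offset 8), which is the marker a
    scanner sees on a password-protected archive; the bytes stay unencrypted here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG
        data[data.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(data)

# Constructed stand-in for the attachment described above: a password-flagged ZIP
# whose only member is an executable named to pass for an Excel invoice.
SAMPLE = build_sample("invoice.xls.exe", b"MZ\x90\x00" + b"\x00" * 60, True)
```

Running `assess_attachment(SAMPLE)` reports both the encrypted member and the disguised executable, so the message can be held even though the payload itself was never decrypted.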

http://www.virustotal.com/analisis/9bbd70534bda2fba064c3a04e9f1e3fe

File size: 58368 bytes
MD5:    eead764389f7e2b1939d147b198443a3
SHA1:   94332eb2ead4bc9464ae1108ea2ab2b3c60d824b
SHA256: 74492a5d2e571ff6eae2f3ed913f372ab9620778c4ad522895d3aa805d1688f7
SHA512: 92ef95984fdd1db26f526c17ce897e2898858ca8410f3c0a39636ebdf0b852c635a2122adb4809d23363956008fae04f1071f94d7ad1afcae2834a48615a8262
PEiD:   -
PEInfo: PE structure information (base data)
entry point address: 0x40107d
time/date stamp:     0x4806e3fb (Thu Apr 17 05:45:31 2008)
machine type:        0x14c (I386), 4 sections

name    virtual addr  virtual size  raw size  entropy  md5
.text   0x1000        0x1010        0x1200    2.80     2b47bcb94b4842dbad7d705a4edde293
.data   0x3000        0x22b9b       0xc800    7.60     ded2450cbafedda4dfe1d972a0e701f2
.reloc  0x26000       0x1000        0x0       0.00     d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x27000       0x1000        0x600     4.66     0552eaf398afb9100b608d74807bcad7

Imports (1 DLL):
gdi32.dll: GetClipBox, GetBitmapBits, CreateDIBSection, SetTextColor, GetPixel, CreateDIBitmap, GetBrushOrgEx, CreateBitmap, CreateFontIndirectA, ExcludeClipRect
