Malware Email: “BTC-e codes for pisto1wf1” / [email protected]

This morning I received the following email from “Barton Norman” ([email protected])

As the attachment is password protected with password “qqkz6G52N6uj” it will easily bypass most of the antispam filters as the attachments can’t be scanned. The malicious sample can’t be scanned (encrypted sample has zero VT detections- https://www.virustotal.com/en-gb/file/ab891e0185b6b488d960c1f3445378c1cee28ffe9f50845c657ab16e98f96a43/analysis/1493744207/)

Once we have removed the password, it appears that the word file asks the users to “enable editing mode” in order to “view the documents”

As the file is docx format (Microsoft Word version 2007 and above) is effectively an archive. Therefore renaming the sample to zip and extracting the content would allow us to analyze the malicious scripts (*.bin files under word/embeddings path)

The decrypted word file is detected by 5/58 AV engines (VT) whereas all bin files under “word/embedding/” are actually the same file (file hash : dfb06da5c8cd9857720cb980c6085eac with only 2/55 VT detections) – I have uploaded the sample (Office Doc Part.vbs) to pastebin.   Alternatively ,the same script can be extracted by “drag and drop” any of the files below

Running the vbs script in a lab environment , it appears that it makes multiple connections to download Cryptowall v3 samples

Examples of the domains below

ifmgcc[.]com/license.txt – Executable is XOR’ed with key 68. It is currently detected by 13/61 AV engines(https://www.virustotal.com/en-gb/file/37be79295b200ba6e4a4e1cf2529bcad2aa65b206c81a04049e5c4d716d6a60f/analysis/)

91.210.164[.]3/akg.sgr  – Executable is XOR’ed with hex key 6A. It’s is currently detected by 9 / 61 AV engines (https://www.virustotal.com/en-gb/file/48de8cae967e3e06c3237967d878bfa119f59f6e08ad6935620570abb334b915/analysis/)

Share this Story!Email this to someoneShare on Google+0Share on Facebook0Tweet about this on TwitterPin on Pinterest0Share on Reddit0Share on LinkedIn0

Leave a Reply