bartblaze

Kuluoz malware spam

Apr 30th, 2014
Background:
================================================================================
Kuluoz malware: fake USPS mail with a link to download a ZIP file, which contains an EXE with a Word icon


Mail content info:
================================================================================
Notification
Our courier couldnt make the delivery of parcel to you at 20th April 2014.
Print label and show it in the nearest post office.
Print a Shipping Label NOW [http://swingjammerzband.com/lib.php?la=QWxo566d/jEUB0uy18m53DnL7ImocI3XeJOdryabb6c%3D]


Mail from:
================================================================================
Authentication-Results: hotmail.com; spf=pass (sender IP is 192.254.198.168) smtp.mailfrom=fbcap@fbcap.org; dkim=none header.d=fbcap.org; x-hmca=pass header.id=help_id72@fbcap.org
X-SID-PRA: help_id72@fbcap.org
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
Received: from fbcap.org ([192.254.198.168])
Subject: Delivery Notification
X-PHP-Originating-Script: 10003:6bf60n.php
From: "Expedited Shipping" <help_id72@fbcap.org>
X-Mailer: SuperMail-2
Reply-To: "Expedited Shipping" <help_id72@fbcap.org>
Mime-Version: 1.0
Return-Path: fbcap@fbcap.org


Cause & solution:
================================================================================
Spoofed mail address for fbcap.org
fbcap.org details - 192.254.198.168 - http://www.ipvoid.com/scan/192.254.198.168/
Solution: set an SPF record on the mail server and scan for malware
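
Added example (not part of the original paste): a Python triage of the mail headers listed above, pulling out the SPF and DKIM verdicts, the sending IP, From/Return-Path alignment and the script named in X-PHP-Originating-Script. The function names are illustrative, and the sample input is a subset of the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers quoted in the paste, copied verbatim.
RAW_HEADERS = """\
Authentication-Results: hotmail.com; spf=pass (sender IP is 192.254.198.168) smtp.mailfrom=fbcap@fbcap.org; dkim=none header.d=fbcap.org; x-hmca=pass header.id=help_id72@fbcap.org
Received: from fbcap.org ([192.254.198.168])
X-PHP-Originating-Script: 10003:6bf60n.php
From: "Expedited Shipping" <help_id72@fbcap.org>
Return-Path: fbcap@fbcap.org

"""

def domain_of(value):  # lower-cased domain of an address header, '' if absent
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Extract sender-authentication signals from a raw header block."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    verdicts = dict(re.findall(r"\b(spf|dkim)=(\w+)", auth))
    spf_ip = re.search(r"sender IP is ([\d.]+)", auth)
    relay_ip = re.search(r"\[([\d.]+)\]", msg.get("Received", ""))
    # PHP adds "uid:script" to mail() output when mail.add_x_header is enabled.
    uid, _, script = msg.get("X-PHP-Originating-Script", "").partition(":")
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    return {
        "spf": verdicts.get("spf"),
        "dkim": verdicts.get("dkim"),
        "spf_ip": spf_ip.group(1) if spf_ip else None,
        "relay_ip": relay_ip.group(1) if relay_ip else None,
        "aligned": bool(from_dom) and from_dom == env_dom,
        "php_uid": uid or None,
        "php_script": script or None,
    }

def findings(t):
    notes = []
    if t["spf"] == "pass" and t["aligned"] and t["spf_ip"] == t["relay_ip"]:
        notes.append(f"SPF pass: {t['spf_ip']} is an authorised sender for the From domain")
    if t["dkim"] in (None, "none"):
        notes.append("no DKIM signature on the message")
    if t["php_script"]:
        notes.append(f"sent via PHP mail() by {t['php_script']} (uid {t['php_uid']})")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(triage(RAW_HEADERS))))
```

For these headers all three notes fire, which points the clean-up at the web host behind 192.254.198.168 and the script 6bf60n.php.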


Malware meta-data:
================================================================================
File: USPS_Label_BE.exe
Size: 135680 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 4d096e41d01f00403337ea06cbb08830
SHA1: d0992ee359c696d63bb2bb0d975e7cb35217a332
ssdeep: 3072:fNeEY5D88/C4KvLidifcZo5xvx4qKNHkFhi2uO4J9nZtpc:VeEY5DdP0yoFKh8w7Zt
Date: 0x53609EB8 [Wed Apr 30 06:56:56 2014 UTC]
EP: 0x4031a7 .text 0/4
CRC: Claimed: 0x0, Actual: 0x267ea [SUSPICIOUS]
VirusTotal: https://www.virustotal.com/en/file/3e627a4758fe2a2a154dad4ec8286e2a2338b78490ec77ce48b5fe3c35d77945/analysis/
Microsoft info: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FKuluoz#tab=1


Callbacks - infected hosts:
================================================================================
147.102.154.192 - http://www.ipvoid.com/scan/147.102.154.192 - Greece
94.247.177.16 - http://www.ipvoid.com/scan/94.247.177.16 - France


Gathered network traces - PCAP:
================================================================================
POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Host: 94.247.177.16:8080
Content-Length: 311
Cache-Control: no-cache

Auto-scan results:
https://www.networktotal.com/search.php?q=67788cb9f2e58a188fdaf7b4de98ebdc&pmd5=ae604c80e86915bec7a884b7361b944c
https://www.virustotal.com/en/file/6b65a551477b3d0cedeb84d25892998eb1f5fd880f69bb1f2acc78d963cb9810/analysis/1398859559/

================================================================================
@bartblaze
#malwaremustdie