oesch's blog

SecureMail?

Finally back at this blog...
Today my spam filter caught another nice executable!
I got SecureMail ;-)
Ready for some Python-based reversing:

phil@vr:~$ python /opt/projects/rem/peframe/peframe.py --auto SecureMail.exe
File Name: SecureMail.exe
File Size: 137728 byte
Compile Time: 2013-01-23 19:05:56
DLL: False
Sections: 5
MD5 hash: 6870fd8fd2b2bedd83e218d9e7e4de8b
SHA-1 hash: 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
Packer: None
Anti Debug: None
Anti VM: None

File and URL:
FILE: KERNEL32.dll
FILE: USER32.dll
FILE: MSAATEXT.dll
FILE: RASAPI32.dll
URL: None

UPS Spam - Bredolab Trojan - Anubis blind (for once)

WSNPoem again....

This has been running in several waves for many, many moons. It has already been mentioned in a blog post on OC as well. An early analysis was published by SecureWorks, which could be found here but is not there anymore... Finally, current AV seems to kick in with heuristic detections (22/35 on VirusTotal).

Virustotal
Anubis

Another Storm - Amero...

While it had already been "announced" by the nice folks from sudosecure.net two days earlier, I finally got my hands on this e-mail, leading to a new Storm worm exe:

==
Subject: Amero currency Union is now the reality

The Amero is here hxxp://24.20.59.129/
==

As always, this wave will have several subjects and lots of zombie download-sites...

Virustotal
Anubis
File 2d61e13f42fe432efddf88c987344707
