Finally back at this blog...
Today my spam filter caught another nice executable!
I got SecureMail ;-)
Ready for some Python-based reversing:
phil@vr:~$ python /opt/projects/rem/peframe/peframe.py --auto SecureMail.exe
File Name: SecureMail.exe
File Size: 137728 byte
Compile Time: 2013-01-23 19:05:56
MD5 hash: 6870fd8fd2b2bedd83e218d9e7e4de8b
SHA-1 hash: 4b7a2c0cee63634907c5ccc249c8cd4c0231f03a
Anti Debug: None
Anti VM: None
File and URL:
This has been running in several waves for many, many moons. It has already been mentioned in a blog on OC as well. An early analysis has been published by SecureWorks, which can be found here but not there anymore... Finally, current AV seems to kick in with its heuristic techniques (22/35 on VirusTotal).
While it was "announced" by the nice folks from sudosecure.net for two days, I finally got my hands on this e-mail, leading to a new storm worm exe:
Subject: Amero currency Union is now the reality
The Amero is here hxxp://18.104.22.168/
As always, this wave will have several subjects and lots of zombie download-sites...