Monday, April 2, 2012

A check from "Christian Liberty Financial"

So I got an e-mail whose subject was that "a check from Christian Liberty Financial" was waiting for me. The body invited me to read the instructions in the attached archive.

The archive's MD5 hash: 8f77b44ce8c386eb79b4c7939c17f13f (VirusTotal analysis)
The MD5 hash of the executable inside the archive: a6d4f87e65359acbb1640611d36e4685 (VirusTotal analysis)

Upon execution, the executable resolved "bluesbars.ru", made an HTTP request to it (POST /lampard.php) and retrieved a binary file. A second resolution was attempted for "timesax.ru", which failed (No such domain).
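As an added example that is not part of the original post, the script below turns the indicators listed above (the two MD5 hashes, the two domains and the POST to /lampard.php) into a simple check: it classifies a file by hash and flags matching entries in DNS and proxy logs. The dnsmasq-style and proxy-style log formats and the sample log lines are constructed assumptions, not output from the sample.

```python
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the post: MD5s of the archive and the dropped
# executable, the domains the sample resolved, and the request it made.
KNOWN_MD5 = {
    "8f77b44ce8c386eb79b4c7939c17f13f": "archive",
    "a6d4f87e65359acbb1640611d36e4685": "executable",
}
SUSPECT_DOMAINS = {"bluesbars.ru", "timesax.ru"}
SUSPECT_REQUEST = ("POST", "/lampard.php")

# Assumed log formats: a dnsmasq-style query line and a "<src> <method> <url>"
# proxy line. Adjust the patterns to match the real log source.
DNS_RE = re.compile(r"query\[A\] (?P<name>\S+) from (?P<src>\S+)")
PROXY_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def classify_sample(data: bytes) -> Optional[str]:
    """Return 'archive' or 'executable' if the bytes match a listed hash."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def scan_logs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, source host, detail) for each line hitting an indicator."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            if name in SUSPECT_DOMAINS:
                hits.append(("dns", m.group("src"), name))
            continue
        m = PROXY_RE.match(line)
        if m:
            parts = urlsplit(m.group("url"))
            host = parts.hostname or ""
            if host in SUSPECT_DOMAINS or (m.group("method"), parts.path) == SUSPECT_REQUEST:
                hits.append(("http", m.group("src"), m.group("method") + " " + m.group("url")))
    return hits


# Constructed sample log lines; 10.0.0.23 is a made-up internal host.
SAMPLE_LOGS = [
    "Apr  2 10:15:01 dnsmasq[123]: query[A] bluesbars.ru from 10.0.0.23",
    "Apr  2 10:15:02 dnsmasq[123]: query[A] www.example.com from 10.0.0.23",
    "10.0.0.23 POST http://bluesbars.ru/lampard.php",
    "10.0.0.23 GET http://www.example.com/index.html",
    "Apr  2 10:15:05 dnsmasq[123]: query[A] timesax.ru from 10.0.0.23",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```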

More information later, when I have had the time to play with it :-)