Another poorly-detected executable file spam attachment (May 14, 2014)


The first and only scan by VT was about 70 minutes before my submission;
the detection rate was 2/52 at that time.

Current scan:

https://www.virustotal.com/en/file/bff969bec8e3f83de5c3d8bf5f612ee2331d7789fb2275a4645ee0ba6ff76ad9/analysis/1400068941/

4/53 (really just 3/53 because TrendMicro = TrendMicro-HouseCall)

   Sophos               Mal/Generic-S
   TheHacker            Posible_Worm32
   TrendMicro           PAK_Generic.005
   TrendMicro-HouseCall PAK_Generic.005

So no real identity given to this.

Sample can be downloaded from here:  

http://filepost.com/files/8c2md898/voicemail.rar/

I had to set a password for FT to accept it.  PW = a

Anubis analysis:

http://anubis.iseclab.org/?action=result&task_id=1ed0c698b4180bf841514255a92d022d6

   DNS Queries:        
   up-shift.net  DNS_TYPE_A  192.254.188.250  YES  udp  

   HTTP Conversations:       
   Request: GET /Backup/test/1405UKmw.enc
   Response: 200 "OK"

1405UKmw.enc can be downloaded from here:

http://filepost.com/files/fcf44c24/1405UKmw.rar/

Again, pw = a.

For some reason, unlike previous examples, Filepost is not accepting
these files unless I encrypt them.  Not even the .enc payload.  VT had
not seen the payload before my submission:

https://www.virustotal.com/en/file/7e9e98e4c6513dbfdc2deeb8b6c0d413e0713f5149bcc66213b3d5cc01a90d2f/analysis/1400070116/
  
0/53 detection rate

Avira still missing from VT scanning.

Spam details:

-----------
Received: from cpe-107-185-90-201.socal.res.rr.com ([107.185.90.201])
Date: Wed, 14 May 2014 03:51:37 -0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1)
            Gecko/20110929 Thunderbird/7.0.1
Subject: New Voicemail

New Voicemail Message

You have been left a 1:06 long message (number 1) in mailbox from
"Florigene" 07509nnnnnn, on Wednesday, 14 May, 2014 at 06:29:02 AM

The voicemail message has been attached to this email - which you can
play on most computers.

Please do not reply to this message. This is an automated message which
comes from an unattended mailbox.  

This information contained within this e-mail is confidential to, and is
for the exclusive use of the addressee(s). If you are not the addressee,
then any distribution, copying or use of this e-mail is prohibited. If
received in error, please advise the sender and delete/destroy it
immediately. We accept no liability for any loss or damage suffered by
any person arising from use of this e-mail.
-------------
