So I got an email today in zip format with an exe file. I scanned it with an online scanner and the test revealed it safe; it was also marked safe by my AV, BD.
I think it's snooping code, no more, and that is why it's getting passed under the radar. I would love to get more info on this code and am wondering if anyone here can further analyze it.
It has two originating IPs and the email it arrived from is bogus, but what the user was thinking can be a clue.
Some of the text I was able to retrieve from the code, which was not executed on my machine, but I might do so in VMware to check the IP the code is intended to communicate with.
Here is the email source:

from securityycve.net (unknown [18.104.22.168]) by mtain-mp03.r1000.mx.aol.com (Internet Inbound) with SMTP id C1B8C370001C9; Mon, 13 Jan 2014 14:14:17 -0500 (EST)
Received: from relay.2yahoo.com [22.214.171.124] by relay-x.misswldrs.com with LOCAL; Mon, 13 Jan 2014 12:58:55 -0600
Received: from unknown (HELO smtp.doneohx.com) (Mon, 13 Jan 2014 12:39:03 -0600) by mtu23.bigping.com with SMTP; Mon, 13 Jan 2014 12:39:03 -0600
Received: from m1.gns.snv.thisdomainl.com [126.96.36.199] by snmp.otwaloow.com with QMQP; Mon, 13 Jan 2014 12:24:41 -0600
Received: from public.micromail.com.au ([188.8.131.52]) by mailout.endmonthnow.com with ESMTP; Mon, 13 Jan 2014 12:12:37 -0600
Message-ID: <9E4ED095.D07C4214@securityycve.net>
Date: Mon, 13 Jan 2014 12:12:37 -0600
Reply-To: "EGCTechServs" <firstname.lastname@example.org>
From: "EGCTechServs" <email@example.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:184.108.40.206) Gecko/20080914 Thunderbird/220.127.116.11
X-Accept-Language: en-us
MIME-Version: 1.0
Here is the email that's displayed as received from.
Please take note of the CVE letters this user used in the email; it's someone that's familiar with the acronym, which stands for Common Vulnerabilities and Exposures (CVE).
Anyway, it was an interesting find and sloppy work by the sender. I would like to hear from the experts of the forum, and anyone who wants the exe is welcome to it as a .txt.
My first post here, cheers.
Edited by bass740, 14 January 2014 - 07:08 AM.
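To show what the quoted Received chain actually tells a defender, here is an added example (not code from the poster or the forum) that parses the five Received lines above and checks whether each hop's "from" host matches the host the previous hop says it was received "by". It assumes the first line's "Received:" label was simply lost in the quote; the rest of the header text is used as posted.

```python
import re
from email.utils import parsedate_to_datetime

# The five Received lines quoted in the post above; the first "Received:" label,
# lost in the quote, is restored here (an assumption), the rest is as posted.
RAW_HEADERS = (
    "Received: from securityycve.net (unknown [18.104.22.168]) by mtain-mp03.r1000.mx.aol.com"
    " (Internet Inbound) with SMTP id C1B8C370001C9; Mon, 13 Jan 2014 14:14:17 -0500 (EST)\n"
    "Received: from relay.2yahoo.com [22.214.171.124] by relay-x.misswldrs.com with LOCAL;"
    " Mon, 13 Jan 2014 12:58:55 -0600\n"
    "Received: from unknown (HELO smtp.doneohx.com) (Mon, 13 Jan 2014 12:39:03 -0600)"
    " by mtu23.bigping.com with SMTP; Mon, 13 Jan 2014 12:39:03 -0600\n"
    "Received: from m1.gns.snv.thisdomainl.com [126.96.36.199] by snmp.otwaloow.com with QMQP;"
    " Mon, 13 Jan 2014 12:24:41 -0600\n"
    "Received: from public.micromail.com.au ([188.8.131.52]) by mailout.endmonthnow.com"
    " with ESMTP; Mon, 13 Jan 2014 12:12:37 -0600\n"
)
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw):
    """One dict per Received header, newest hop (nearest the recipient) first."""
    hops = []
    for line in raw.splitlines():
        if not line.startswith("Received:"):
            continue
        body = line[len("Received:"):].strip()
        m = HOP_RE.search(body)
        if not m:
            continue
        ip = IP_RE.search(m.group("frm") + m.group("rest"))  # [a.b.c.d] after 'from'
        stamp = body.rsplit(";", 1)[1].strip() if ";" in body else ""
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def audit_chain(hops):
    """Walk oldest to newest: each hop's 'from' should name the host the previous
    hop says it was received 'by', and timestamps must not run backwards. Breaks
    below the hop your own MX wrote mean those older headers were supplied by
    the sender and cannot be trusted; only the MX's own 'from' IP is reliable."""
    breaks = anomalies = 0
    oldest_first = hops[::-1]
    for prev, cur in zip(oldest_first, oldest_first[1:]):
        breaks += cur["from"] != prev["by"]
        anomalies += bool(prev["time"] and cur["time"] and cur["time"] < prev["time"])
    return {"hops": len(hops), "chain_breaks": breaks, "time_anomalies": anomalies,
            "handoff_ip": hops[0]["ip"] if hops else None}
```

On this header every hand-off below the AOL MX is inconsistent, so the only IP worth acting on is the one the AOL server itself recorded; the lower hops are sender-supplied noise.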