This morning a spam campaign hit a large number of random e-mail addresses, purporting to be from Staples. The spam mail carries an attachment:
Order_8029079.zip -> File: Order.exe
MD5: 84a6030c8265b33c3c4e68d29975bd76
Screenshot of the spam mail below:

If the executable inside the attached zip file is run, it drops its payload at the root of the C: drive as Order.exe, then deletes that file and moves itself to the Windows temporary folder as “codecupdater.exe”, which in turn drops “dotoo.exe”. Next, the malware checks the HOSTS file and conducts a series of anti-debugging and sandbox checks.
As usual, the code injects itself into several legitimate processes.
The malware calls back and downloads additional malware from poragdas.com (182.18.143.140). This domain should be blocked at the gateway level and is already blocked in CSIS Secure DNS.
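As an added example (not code from the original post), the following Python flags log events that match the indicators published above: the callback domain (including its subdomains), the callback IP, and the MD5 of the dropper. The one-event-per-line log format and the sample lines are constructed for the example.

```python
from typing import NamedTuple

# Indicators as published in the advisory above
BLOCKED_DOMAINS = {"poragdas.com"}
BLOCKED_IPS = {"182.18.143.140"}
KNOWN_MD5 = {"84a6030c8265b33c3c4e68d29975bd76"}

class Hit(NamedTuple):
    source: str   # internal host that produced the event
    kind: str     # DNS, CONNECT or HASH
    value: str    # value from the log line that matched an indicator

def _domain_matches(name: str) -> bool:
    """True if name is a blocked domain or a subdomain of one (case-insensitive,
    trailing dot tolerated); 'notporagdas.com' must NOT match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)

def classify(line: str):
    """Return a Hit for one log line, or None if it is clean.
    Assumed (constructed) format: '<time> <src-ip> <TYPE> <value> [extra...]'."""
    parts = line.split()
    if len(parts) < 4:
        return None  # malformed or empty line: skip it rather than crash
    _, src, kind, value = parts[:4]
    if kind == "DNS" and _domain_matches(value):
        return Hit(src, kind, value)
    if kind == "CONNECT" and value.split(":")[0] in BLOCKED_IPS:
        return Hit(src, kind, value)
    if kind == "HASH" and value.lower() in KNOWN_MD5:
        return Hit(src, kind, value)
    return None

def scan(log: str):
    """All hits in a multi-line log, in log order."""
    return [h for h in (classify(l) for l in log.splitlines()) if h]

# Constructed sample log (not real traffic); the last line is deliberately malformed
SAMPLE_LOG = """\
08:01:02 10.0.0.12 DNS www.example.com
08:01:05 10.0.0.12 DNS poragdas.com.
08:01:06 10.0.0.12 CONNECT 182.18.143.140:80
08:02:11 10.0.0.33 DNS cdn.PORAGDAS.com
08:03:44 10.0.0.33 HASH 84A6030C8265B33C3C4E68D29975BD76 Order.exe
08:04:00 10.0.0.40 CONNECT 182.18.143.1:443
garbage
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.source} {hit.kind} {hit.value}")
```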
This downloader (Upatre) has a detection rate of 4/50 on VirusTotal:
https://www.virustotal.com/en/file/7ff43c5448b8edf9f0f373e56709a24719f0a972b381accf76a0f1fa0c324542/analysis/