An email with the subject "Quotation", coming from what appears to be a compromised email account or web server (m.syarifullah@geamedical.com), carries a zip attachment containing an unknown piece of malware. I am guessing it is some sort of password stealer or keylogger. (I am being told it is the Agent Tesla keylogger.)
I can't fully work out what this malware is or does. Running it in the various online sandboxes is not giving much helpful information. It drops a small file, htc.exe, which continually crashes in Anyrun. Other sandboxes show the file under a different name, so it obviously randomises the name on each system. It definitely appears to have numerous anti-analysis techniques and protections, and looks like it won't run properly in a sandbox or VM.
The criminals use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.
The email headers show the message coming from geamedical.com, apparently via the webmail service on that domain. It is likely that the credentials used to log in and send these malspam emails were previously stolen by the criminals.
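As an added example (not code from the original post), the following script does the two checks described above without executing anything: it reads the Received chain to find the submitting host and compares it with the From domain, and it lists executable names inside any zip attachment. The message, zip content, webmail hostname and IP address are constructed placeholders; only the sender address comes from the post.

```python
# Added example, not from the original post: header and attachment triage for a
# "Quotation" malspam message. Message, zip, hostname and IP are CONSTRUCTED.
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar")


def build_sample_message() -> bytes:
    """Constructed sample: a 'Quotation' mail whose zip holds a fake .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Quotation"
    msg["From"] = "m.syarifullah@geamedical.com"
    msg["To"] = "victim@example.invalid"
    # Received hops are prepended in transit: topmost is latest, submitting host is last.
    msg["Received"] = "from mx.example.invalid by mail.example.invalid; Fri, 1 Jan 2021 10:00:00 +0000"
    msg["Received"] = "from webmail.geamedical.com ([203.0.113.10]) by mx.example.invalid; Fri, 1 Jan 2021 09:59:58 +0000"
    msg.set_content("Please see attached quotation.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Quotation.zip")
    return bytes(msg)


def triage(raw: bytes) -> dict:
    """Report the first Received hop, its relation to the From domain, and executables inside zips."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = msg.get_all("Received", [])
    first_hop = str(received[-1]) if received else ""
    m = re.match(r"from\s+(\S+)", first_hop)
    origin_host = m.group(1) if m else ""
    from_domain = msg["From"].addresses[0].domain if msg["From"] else ""
    exec_members = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                exec_members += [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
    return {
        "origin_host": origin_host,
        "from_domain": from_domain,
        # Origin inside the sender's own domain fits a compromised account, not a spoofed From.
        "origin_in_from_domain": origin_host == from_domain or origin_host.endswith("." + from_domain),
        "executables_in_zip": exec_members,
    }
```

Run `triage(build_sample_message())` to see the report for the constructed sample; on a real message, pass the raw bytes of the saved .eml file instead.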
To read the original article:
https://myonlinesecurity.co.uk/fake-quotation-malspam-delivers-some-sort-of-malware/