“Payment Advice – Advice Ref:[GB580659] / CHAPS credits” Spam with Virus

Several e-mails came in today with the title

“Payment Advice – Advice Ref:[GB<RANDOM>] / CHAPS credits”

With the content:

Received: from support-hsbc.com (71-6-94-36.static-ip.telepacific.net
[]) by my.server.here with ESMTP ; Wed, 14 Jan 2015 16:29:51
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 14 Jan 2015 16:25:05 +0000
From: HSBC Advising Service <no-replay@support-hsbc.com>
To: <my@address.here>
Subject: Payment Advice – Advice Ref:[GB580659] / CHAPS credits
Message-ID: <01875579662532460212982696507713@support-hsbc.com>
User-Agent: Roundcube Webmail/1.1.1
Return-Path: no-replay@support-hsbc.com


Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.

Download link:


Yours faithfully,
Global Payments and Cash Management


This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
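The headers quoted above carry two of the signals a mail gateway would key on: the HELO name claims support-hsbc.com while the connecting host's reverse DNS belongs to an unrelated provider (telepacific.net), and the sender domain merely contains the brand name rather than being one of the bank's real domains. The following Python example is added here and is not code from the original post. It re-types the quoted headers as a constructed sample (keeping the post's empty IP bracket), parses them, and flags the HELO/rDNS mismatch, the brand lookalike domain and the campaign's subject pattern. The BRAND_DOMAINS allowlist and the two-label base_domain() heuristic are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, body omitted. The post
# leaves the bracketed IP in the Received line empty, so it stays empty here.
SAMPLE_HEADERS = (
    "Received: from support-hsbc.com (71-6-94-36.static-ip.telepacific.net [])\n"
    " by my.server.here with ESMTP ; Wed, 14 Jan 2015 16:29:51\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="US-ASCII"; format=flowed\n'
    "Content-Transfer-Encoding: 7bit\n"
    "Date: Wed, 14 Jan 2015 16:25:05 +0000\n"
    "From: HSBC Advising Service <no-replay@support-hsbc.com>\n"
    "To: <my@address.here>\n"
    "Subject: Payment Advice \u2013 Advice Ref:[GB580659] / CHAPS credits\n"
    "Message-ID: <01875579662532460212982696507713@support-hsbc.com>\n"
    "User-Agent: Roundcube Webmail/1.1.1\n"
    "Return-Path: no-replay@support-hsbc.com\n"
    "\n"
)

# Assumed allowlist of domains the impersonated brand really sends from.
# Hypothetical for this example; a deployment would maintain its own list.
BRAND_DOMAINS = {"hsbc": {"hsbc.com", "hsbc.co.uk"}}

# Subject pattern from the post: the GB reference is randomised per message.
CAMPAIGN_SUBJECT = re.compile(
    r"^Payment Advice [-\u2013] Advice Ref:\[GB\d{6}\] / CHAPS credits$"
)

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]*)\]\)")


def base_domain(host):
    """Naive registrable domain: the last two labels (enough for .com/.net here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_received(value):
    """Return (helo_name, rdns_name, ip) from a Received header value, or None."""
    # Collapse folded continuation lines before matching.
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groups() if m else None


def analyze(raw_headers):
    """Score one message's headers against the campaign traits seen in the post."""
    msg = message_from_string(raw_headers)
    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = from_addr.rpartition("@")[2].lower()

    helo, rdns, _ip = parse_received(msg.get("Received", "")) or ("", "", "")
    rdns_domain = base_domain(rdns) if rdns else ""

    # HELO claims the bank lookalike domain while the connecting host resolves
    # to an unrelated ISP: a forged-origin signal.
    helo_rdns_mismatch = bool(helo and rdns) and base_domain(helo) != rdns_domain

    # Sender domain contains a brand token but is not one of the brand's domains.
    brand_lookalike = any(
        token in sender_domain and sender_domain not in real
        for token, real in BRAND_DOMAINS.items()
    )

    subject = " ".join(msg.get("Subject", "").split())
    return {
        "sender_domain": sender_domain,
        "helo": helo,
        "rdns_domain": rdns_domain,
        "helo_rdns_mismatch": helo_rdns_mismatch,
        "brand_lookalike": brand_lookalike,
        "subject_matches_campaign": CAMPAIGN_SUBJECT.match(subject) is not None,
    }


def verdict(findings):
    """Quarantine when a forged origin coincides with brand impersonation."""
    return findings["helo_rdns_mismatch"] and findings["brand_lookalike"]


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("quarantine:", verdict(result))
```

The subject regex alone would be brittle (the next run of this campaign could change the wording), which is why the verdict rests on the origin and sender-domain checks and treats the subject match as corroboration only.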

There are several addresses associated with this malware.

Most of the hosts have been taken down but the final one, the .ro site, served a file called message.zip containing “doc208_pdf.exe” – VirusTotal Report / Malwr Report.

SHA256: 84263a974833d66ca0d691f5000674daac1e87b7282a3392ae8a474b553899d9

When run it copies itself to C:\Users\username\AppData\Local\Temp\ and runs itself again.

It contacts

Then also contacted


At which point a new file was downloaded and run:

C:\Users\user\AppData\Local\LdgeuRniELJBROO.exe – VirusTotal Report / Malwr Report
SHA256: d5e99f3c86e3d026554bc50632e26149cb3ad481bfcc53ca006995961187994f

It then appeared to make these requests. Host rDNS “hosted-by.leaseweb.com”:
HTTPS certificate generated 24th December 2014 (normally, as with the previous similar malware mentioned below, certificates are created within a day of the spam run!).

inetnum: –
descr: Leaseweb Germany GmbH (previously netdirekt e. K.)
remarks: INFRA-AW

Host rDNS “maxided-1011.gate02-1.fr.theideahosting.net”:
HTTPS certificate generated 8th Jan 2015.

inetnum: –
descr: Iliad Entreprises Customers
country: FR

Unlike the previous similar malware of this family that I’ve seen, this version also used the above URL scheme to steal cookies.

It also did something else unusual and made the following requests multiple times and continued to do so regularly:


Looks possibly like part of a DDoS attack? Or use of some sort of Tor-like proxy service to hide traffic.

A lot of UDP traffic, with apparently randomly generated source and destination ports, goes to the following hosts:

– Russian cable broadband connection
– Institute of Spectroscopy, Russian Academy of Science
– Polish broadband connection
– Russian broadband connection
– USA broadband connection
– Lithuanian hosting company
– Russian broadband connection
– Russian cable broadband connection
– Russian broadband connection
– Russian broadband connection
– Italian broadband connection
– Russian broadband connection
– Taiwan broadband connection
– Russian broadband connection

Possibly some kind of P2P C&C? Heavy Russian connections.
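The UDP pattern described above (many distinct broadband and hosting peers, random ports at both ends) is what distinguishes P2P-style command and control from ordinary UDP use such as DNS, where the client's source port is also random but the destination port is fixed. The following Python example is added here and is not from the original post: it builds a constructed set of flow records on RFC 5737 documentation addresses (standing in for the peers the post lists, which are not given here), profiles each source host's UDP behaviour by distinct destination count and Shannon entropy of the port fields, and flags the host whose destination ports are as random as its source ports. The thresholds in flag_p2p_like() are assumptions for illustration.

```python
import math
import random
from collections import defaultdict


def build_sample_flows(seed=1):
    """Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).

    Addresses are RFC 5737 documentation ranges, not the real peers from the post.
    """
    rng = random.Random(seed)
    flows = []

    # Infected host: many distinct peers, random ports on both ends.
    victim = "192.0.2.10"
    peers = [f"203.0.113.{i}" for i in range(1, 15)]  # 14 peers, as in the post
    for _ in range(120):
        flows.append((victim, rng.randint(1024, 65535), rng.choice(peers),
                      rng.randint(1024, 65535), "udp", rng.randint(60, 400)))

    # Clean workstation: random ephemeral source ports (normal) but a single
    # resolver and a fixed destination port 53.
    clean = "192.0.2.20"
    for _ in range(120):
        flows.append((clean, rng.randint(49152, 65535), "192.0.2.53",
                      53, "udp", rng.randint(60, 200)))

    rng.shuffle(flows)
    return flows


def entropy(counts):
    """Shannon entropy in bits of a {value: count} histogram."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def profile_udp(flows):
    """Per-source summary of UDP traffic: fan-out and port randomness."""
    per_src = defaultdict(lambda: {
        "dsts": set(), "sports": defaultdict(int), "dports": defaultdict(int), "n": 0,
    })
    for src, sport, dst, dport, proto, _size in flows:
        if proto != "udp":
            continue
        p = per_src[src]
        p["dsts"].add(dst)
        p["sports"][sport] += 1
        p["dports"][dport] += 1
        p["n"] += 1
    return {
        src: {
            "flows": p["n"],
            "distinct_dsts": len(p["dsts"]),
            "sport_entropy": entropy(p["sports"]),
            "dport_entropy": entropy(p["dports"]),
        }
        for src, p in per_src.items()
    }


def flag_p2p_like(profile, min_dsts=10, min_dport_entropy=4.0):
    """Flag sources talking to many peers on effectively random destination ports.

    Source-port entropy is deliberately not a criterion: every well-behaved
    client randomises it. Thresholds are illustrative assumptions.
    """
    return sorted(
        src for src, s in profile.items()
        if s["distinct_dsts"] >= min_dsts and s["dport_entropy"] >= min_dport_entropy
    )


if __name__ == "__main__":
    prof = profile_udp(build_sample_flows())
    for src, s in sorted(prof.items()):
        print(f"{src}: {s['flows']} flows, {s['distinct_dsts']} dsts, "
              f"sport H={s['sport_entropy']:.1f} dport H={s['dport_entropy']:.1f}")
    print("p2p-like:", flag_p2p_like(prof))
```

On real flow exports the same profile would be computed per source over a sliding window; the destination-port entropy is the discriminator, because the DNS client in the sample scores just as high on source-port entropy as the infected host does.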
