It is remarkable how creative pig-people become to acquire power and wealth while exploiting other’s (computers in this case).

This message received me today… let me say this: WhatsApp messages and pictures will NEVER be delivered to you through your e-Mail address, only through your mobile phone where the application is installed.

https://malwr.com/analysis/OTZmNmQ2OGU4ZDM2NDg2NWE4MTJjMjAyMjkzOGZjNzM/

the message had this attachment:

WhatsApp scam attachment

 

File Details

FILE NAME IMG0009821.exe
FILE SIZE 102400 bytes
FILE TYPE PE32 executable (GUI) Intel 80386, for MS Windows
MD5 31d604c62efaeffd5129d7d8e88285ce
SHA1 a5d308240536cb6de0c83906121eda9242a4140d
SHA256 fc8443eb7d088672854d300e214e4dec4c88b4ab6e737afdbb216f29218dba65
SHA512 daefa443fe88172e09136ebf7f345040218af07991d42489d2b830d01b49ca9db6443e7ad5cf6844fded9a1503575fc08288a718ec421c2228c56388cd2607ab
CRC32 AD1BF7E1
SSDEEP 1536:ITKZH0YFAkSYskOJh4a2nmg17mYi8Namiy:IT0H0vbzb4a2nmjYiq
YARA
  • shellcode – Matched shellcode byte patterns

 

Return-Path: <crouchuk711@gmail.com>
X-Spam-Status: No, hits=3.9 required=5.0
	tests=DNSBL_ZEN.SPAMHAUS.ORG: 1.40,HTML_IMAGE_ONLY_16: 2.498,HTML_MESSAGE: 0.001,
	RDNS_NONE: 0,T_TVD_FW_GRAPHIC_ID1: 0.01,TOTAL_SCORE: 3.909,autolearn=no
X-Spam-Level: ***
Received: from [58.227.89.87] ([58.227.89.87])
	by www.dwaves.de (Kerio Connect 7.2.0)
	for admin@dwaves.de;
	Mon, 16 Dec 2013 09:18:50 +0100
Received: from [44.162.188.104] (account birdiedkf34@yahoo.com HELO xmxdyqgr.febaxpadstlvt.va)
	by  (CommuniGate Pro SMTP 5.2.3)
	with ESMTPA id 537625636 for admin@dwaves.de; Mon, 16 Dec 2013 17:16:51 +0900
Date:	Mon, 16 Dec 2013 17:16:51 +0900
From:	"WhatsApp" <{messages@whatsapp.com}>
X-Mailer: The Bat! (v2.00.3) Business
X-Priority: 3 (Normal)
Message-ID: <6661121465.N31J9SZ4371366@yjvfekwjzyeuxs.bikdzka.ru>
To: <admin@dwaves.de>
Subject: Your friend has just sent you a picture
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------2EE4EC0C4ECA27DF"

------------2EE4EC0C4ECA27DF
Content-Type: multipart/alternative;
  boundary="----------88EB5BE62CCDCD0"

------------88EB5BE62CCDCD0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

  		    						 			 					    														Hello!																														 Someone you’re acquainted with has just sent you a image in WhatsApp. Open attachments to to check it out.																								© 2013 WhatsApp Inc
------------88EB5BE62CCDCD0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

 

 

 

Hello!

 

Someone you’re acquainted with has just sent you a image in WhatsApp. Open attachments to to check it out.

 

 

© 2013 WhatsApp Inc

------------88EB5BE62CCDCD0--

------------2EE4EC0C4ECA27DF
Content-Type: application/zip; name="IMG0009821.zip"
Content-Transfer-Encoding: base64
Content-ID: <002701cefa82$9c0af7a0$647ba8c0@DQRCI3S3>

UEsDBBQAAAAIABIEkEPh9xutUskAAACQAQAOAAAASU1HMDAwOTgyMS5leGXsWX90FFWWrk4n
...

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!
admin