ACH Transaction Rejected

The samples we analyzed linked to a malicious page at hxxp:// and hxxp://

ACH transaction rejected

This malicious page contained JavaScript that redirected victims to a Blackhole exploit kit at


The Blackhole kit first drops Pony from the following location:

File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at . It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://
2. hxxp://
3. hxxp://
4. hxxp://

Gameover was installed as %APPDATA%\Yblaa\duoju.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:28 19:52:20+02:00

This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The variant had a botid of "mf222a20" and a cid of "5555".

Again, as noted over the past few days, the Pony Downloader and Gameover Zeus samples shared the same code-signing and version-info properties: a signer name that is plainly not Microsoft, attached to version metadata copied from a genuine Windows binary (DFDWiz.exe).

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
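The signer/version-info mismatch above is a useful hunting pivot on its own: a binary under %APPDATA% that claims "Microsoft Corporation" as its company but whose Authenticode signature is absent, untrusted, or issued to some other subject is worth pulling. The following PowerShell script is an added example for this post, not code from the original analysis; it walks the per-user profile directories, flags any executable with that mismatch, and additionally flags the two MD5 hashes listed above. Paths, the hash list and the match patterns are assumptions chosen for this example.

```powershell
# Added example (not part of the original post): hunt %APPDATA% / %LOCALAPPDATA%
# for PE files whose version info claims Microsoft but whose Authenticode
# signature is missing, untrusted, or issued to a non-Microsoft subject.
# Also flags the two sample hashes quoted in the post (assumed IOC list).

$knownMd5 = @(
    '9b196853650fcb8ac182be05b627f07c',   # about.exe  (Pony)
    'a898d910ac17e2dc00333a410daeaa68'    # duoju.exe  (Gameover Zeus)
)

# Assumed search roots; add ProgramData or Temp if your environment warrants it.
$roots = @($env:APPDATA, $env:LOCALAPPDATA)

function Test-SuspiciousPe {
    param([System.IO.FileInfo]$File)

    $vi  = $File.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $md5 = (Get-FileHash -Path $File.FullName -Algorithm MD5).Hash.ToLower()

    $claimsMicrosoft = $vi.CompanyName -like '*Microsoft*'
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signedByMicrosoft = $signer -match 'O=Microsoft Corporation'

    $reasons = @()
    if ($claimsMicrosoft -and -not $signedByMicrosoft) { $reasons += 'company/signer mismatch' }
    if ($claimsMicrosoft -and $sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    if ($knownMd5 -contains $md5)                       { $reasons += 'known IOC hash' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path             = $File.FullName
            Size             = $File.Length
            MD5              = $md5
            Company          = $vi.CompanyName
            OriginalFilename = $vi.OriginalFilename
            SignatureStatus  = $sig.Status
            Signer           = $signer
            Reasons          = ($reasons -join '; ')
        }
    }
}

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspiciousPe -File $_ }
}

$hits | Format-Table -AutoSize
```

Legitimate Microsoft components that live under the user profile (OneDrive, Teams and the like) carry a valid chain to a Microsoft subject and are not reported; what this surfaces is exactly the pattern in the samples above, Microsoft-looking metadata with a signature that does not back it up. Treat a hit as a lead to triage, not a verdict, and pull the file before cleaning anything.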
