First Foundation Bank Secure Email Notification

We analyzed the following malicious attachment, used in First Foundation Bank themed spam on February 14, 2013:

Spam Subject:
First Foundation Bank Secure Email Notification – 29834077

Mail From:
“FF-inc Secure Notification” <>
Spam Template:

You have received a secure message

Read your secure message by opening the attachment, secure_mail_29834077. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.230.9081.

2000-2013 First Foundation Inc. All rights reserved.

MD5: e6454c2cb43c669906fcdbe199a195f3
Size: 118,086 bytes

The Pony downloader posts to its dropzone at hxxp:// It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://
2. hxxp://
3. hxxp://
Gameover installs itself as %APPDATA%\Qaajda\okubha.exe and had the following file properties:

File: okubha.exe
MD5: e1b3e6a075ac40ff5ecc8c37d3bbced4
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The Gameover variant had a botid of “citif14”.
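As an added example that is not part of the original write-up, the Python script below turns the indicators listed above (lure subject and attachment naming, the empty sender address, attachment and payload MD5/size, the %APPDATA% install path) into triage checks a mail gateway or endpoint team could run over their own records. The `APPDATA_RE` heuristic is an assumption modelled on the single sample path given here, not a documented Gameover Zeus rule, and the `Message` records and attachment bytes are constructed for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the write-up above (spam attachment and dropped payload).
ATTACHMENT_MD5 = "e6454c2cb43c669906fcdbe199a195f3"
ATTACHMENT_SIZE = 118086
PAYLOAD_MD5 = "e1b3e6a075ac40ff5ecc8c37d3bbced4"
PAYLOAD_SIZE = 309760
PAYLOAD_PATH = r"%APPDATA%\Qaajda\okubha.exe"

# Lure pattern: a ticket number in the subject that is repeated in the attachment name.
SUBJECT_RE = re.compile(r"Secure Email Notification\s*[–-]\s*(\d+)")
ATTACH_RE = re.compile(r"secure_mail_(\d+)", re.IGNORECASE)
# Any real address between angle brackets; the spam carried a display name and an empty <>.
ADDR_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+>")
# Heuristic (assumption, modelled on the sample path): a two-component install path
# directly under %APPDATA% with short, random-looking directory and file names.
APPDATA_RE = re.compile(r"^%APPDATA%\\([A-Za-z]{5,8})\\([a-z]{5,8})\.exe$")


@dataclass
class Message:
    subject: str
    sender: str            # raw From: header value
    attachment_name: str
    attachment: bytes      # attachment contents


def triage_message(msg: Message) -> list[str]:
    """Return lure and IoC findings for one mail item."""
    findings = []
    subj = SUBJECT_RE.search(msg.subject)
    att = ATTACH_RE.search(msg.attachment_name)
    if subj and att and subj.group(1) == att.group(1):
        findings.append("lure: subject ticket number repeated in attachment name")
    if not ADDR_RE.search(msg.sender):
        findings.append("sender: display name without a usable address")
    if hashlib.md5(msg.attachment).hexdigest() == ATTACHMENT_MD5:
        findings.append("ioc: attachment MD5 matches analyzed Pony downloader")
    elif len(msg.attachment) == ATTACHMENT_SIZE:
        findings.append("ioc: attachment size matches analyzed Pony downloader")
    return findings


def triage_host_artifact(path: str, md5: str, size: int) -> list[str]:
    """Return IoC and path-heuristic findings for one file observed on an endpoint."""
    findings = []
    if md5.lower() == PAYLOAD_MD5:
        findings.append("ioc: MD5 matches analyzed Gameover Zeus payload")
    if size == PAYLOAD_SIZE:
        findings.append("ioc: size matches analyzed Gameover Zeus payload")
    m = APPDATA_RE.match(path)
    if m:
        findings.append(f"path: Zeus-style random %APPDATA% install ({m.group(1)}\\{m.group(2)}.exe)")
    return findings


# Constructed samples: the lure from the write-up (attachment bytes are dummy) and a benign mail.
LURE = Message(
    subject="First Foundation Bank Secure Email Notification – 29834077",
    sender="“FF-inc Secure Notification” <>",
    attachment_name="secure_mail_29834077",
    attachment=b"\x00" * 16,
)
BENIGN = Message(
    subject="Lunch tomorrow?",
    sender="Alice <alice@example.com>",
    attachment_name="menu.pdf",
    attachment=b"%PDF-1.4 constructed sample",
)

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage_message(msg))
    print("payload", triage_host_artifact(PAYLOAD_PATH, PAYLOAD_MD5, PAYLOAD_SIZE))
    print("benign", triage_host_artifact(r"%APPDATA%\Microsoft\Teams\Update.exe", "0" * 32, 4096))
```

The hash and size checks only catch this exact sample; the ticket-number and empty-address checks and the install-path heuristic are what generalize to the next re-spin of the same campaign, so keep them separate from the hard IoCs when tuning for false positives.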

The following P2P drones were found embedded inside the Gameover Zeus payload:

