
Action Required – Time Sensitive Material (Detma.org)

We analyzed the following malicious attachment, used in the Detma.org-themed spam campaign of February 12, 2013:

Spam Subject:
Action Required – Time Sensitive Material
From Address:
“Unemployment Assistance@detma.org” <info@detma.org>

Spam Template:

Action Required

File: case#95648678394857345~93245725793248.zip
MD5: dd28a6cc3df2b1608dc15a4b397013b4
Size: 102,170 bytes

The Pony downloader posts to its dropzone at hxxp://carmine.warsheet.com/forum/viewtopic.php, hosted at IP address . It was also configured to download three Gameover Zeus payloads from the following locations:
1. hxxp://seunig.de/L5Fvb.exe
2. hxxp://limitedltd.be/CtSfQca3.exe
3. hxxp://visiterlareunion.fr/3gyrJ8B8.exe
Gameover installs itself as %APPDATA%\Ixra\osso.exe and has the following file properties:

File: oss.exe
Size: 309,760 bytes
MD5: 93e6daf13f5239af3d7a44ecfee1b3c5
Time-Stamp: 2013-02-05 20:09:27
This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The Gameover variant had a botid of “bofaf12” and a cid of 5555.
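As an added example (not part of the original analysis), the indicators listed above for the Pony downloader and the Gameover Zeus payload can be turned into a small matcher: it keeps the defanged hxxp:// URLs as written and refangs them only for comparison, matches Squid-style proxy log lines against the dropzone and payload URLs, and matches a host file inventory against the reported MD5 hashes, sizes and the %APPDATA%\Ixra\osso.exe install path. The log format, the sample log lines and the sample inventory are constructed assumptions; the indicator values are the ones from the report.

```python
import re
from urllib.parse import urlparse

# Indicators as listed in the report; URLs are kept defanged (hxxp://)
# exactly as written and refanged only for matching.
URL_IOCS = {
    "hxxp://carmine.warsheet.com/forum/viewtopic.php": "Pony dropzone",
    "hxxp://seunig.de/L5Fvb.exe": "Gameover Zeus payload 1",
    "hxxp://limitedltd.be/CtSfQca3.exe": "Gameover Zeus payload 2",
    "hxxp://visiterlareunion.fr/3gyrJ8B8.exe": "Gameover Zeus payload 3",
}

# MD5 -> (label, size in bytes), both as reported.
HASH_IOCS = {
    "dd28a6cc3df2b1608dc15a4b397013b4": ("Pony downloader zip attachment", 102170),
    "93e6daf13f5239af3d7a44ecfee1b3c5": ("Gameover Zeus osso.exe", 309760),
}

# Reported install location %APPDATA%\Ixra\osso.exe; only the tail is matched so
# any expansion of %APPDATA% (roaming or redirected profile) is accepted.
INSTALL_PATH_RE = re.compile(r"\\Ixra\\osso\.exe$", re.IGNORECASE)


def refang(url):
    """Restore a defanged hxxp:// or hxxps:// scheme so the URL can be compared."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def normalize_url(url):
    """Lower-case scheme and host; keep path case, since payload names are case-sensitive."""
    p = urlparse(refang(url))
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


URL_LOOKUP = {normalize_url(u): label for u, label in URL_IOCS.items()}


def scan_proxy_log(lines):
    """Match Squid-style access log lines against the URL indicators.

    Assumed field layout (Squid native format): timestamp elapsed client
    code/status bytes method URL ...; returns (client_ip, method, url, label)
    for every request to a known indicator.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or unrelated line: skip rather than crash
        client_ip, method, url = fields[2], fields[5], fields[6]
        key = normalize_url(url)
        if key in URL_LOOKUP:
            hits.append((client_ip, method, key, URL_LOOKUP[key]))
    return hits


def scan_host_inventory(inventory):
    """Match a host file inventory of (path, size, md5 hex) against hash and path indicators.

    Returns a list of (path, reasons) for every entry with at least one match;
    a hash match whose size differs from the reported size is flagged as well.
    """
    findings = []
    for path, size, md5 in inventory:
        reasons = []
        hit = HASH_IOCS.get(md5.lower())
        if hit:
            label, expected_size = hit
            reasons.append(f"MD5 match: {label}")
            if size != expected_size:
                reasons.append(f"size {size} differs from reported {expected_size}")
        if INSTALL_PATH_RE.search(path):
            reasons.append("Gameover Zeus install path")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample data (not from the report): one infected client posting to
# the dropzone and fetching the first payload, plus benign traffic on other hosts.
SAMPLE_PROXY_LOG = [
    "1360693201.117    312 10.0.0.15 TCP_MISS/200 1834 POST http://carmine.warsheet.com/forum/viewtopic.php - DIRECT/198.51.100.7 text/html",
    "1360693205.402   1510 10.0.0.15 TCP_MISS/200 310212 GET http://seunig.de/L5Fvb.exe - DIRECT/203.0.113.9 application/octet-stream",
    "1360693210.001     45 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
    "1360693211.555    201 10.0.0.15 TCP_MISS/200 9982 GET HTTP://SEUNIG.DE/about.html - DIRECT/203.0.113.9 text/html",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\AppData\Roaming\Ixra\osso.exe", 309760, "93E6DAF13F5239AF3D7A44ECFEE1B3C5"),
    (r"C:\Users\alice\Downloads\case#95648678394857345~93245725793248.zip", 102170, "dd28a6cc3df2b1608dc15a4b397013b4"),
    (r"C:\Windows\System32\notepad.exe", 193536, "0000000000000000000000000000dead"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for path, reasons in scan_host_inventory(SAMPLE_INVENTORY):
        print("host:", path, "->", "; ".join(reasons))
```

The host is matched case-insensitively but the path is not, because the payload file names in the report differ only by case from what a normalized lookup would otherwise collapse; the MD5 in the inventory is lower-cased before lookup because inventory exporters disagree on hash casing.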

The following P2P drones were found embedded inside the installed Gameover Zeus payload: