Our honeypots caught the following site: dataprovedor.com.

Is this site really under construction? It looks like some kind of web portal.

Regardless, let's get to the subject that got us here in the first place: the malware. In a subdirectory called images you can see two files; one is an exe, the other a php which redirects to the exe. I found it rather smart that the file name for the exe is in the form DSCXXXXX. For those who own a Sony camera (or possibly other Sony products), this is the default name under which images are saved. So, one bonus point for the social engineering trick.

The time stamp also indicates that those files have been uploaded recently, to what I think is a hacked server. The online file checker Jotti reveals that the file may be part of the Banload Trojan family, but it is poorly detected at the time of writing.

Jerome Segura
Malware ID: 2b65626b2442521307d68a53c0b5e6aa.zip
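A detection check for the lure described in the post above (a camera-style DSC filename carrying an executable extension, and a PHP page that redirects to it), as an added example that is not part of the original post; the proxy log format, hostnames and file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Camera-style image stems (Sony default "DSCxxxxx"); the extension, not the
# stem, decides whether the name is a legitimate photo or a lure.
CAMERA_STEM = re.compile(r"^DSC\d{3,}$", re.IGNORECASE)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def split_name(url):
    """Return (first stem, final extension) of a URL's last path segment.
    Using the first stem also catches double extensions like DSC00123.jpg.exe."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) == 1:
        return name, ""
    return parts[0], "." + parts[-1].lower()

def is_camera_name_executable(url):
    """True when the URL's filename looks like a camera photo but is executable."""
    stem, ext = split_name(url)
    return bool(CAMERA_STEM.match(stem)) and ext in EXECUTABLE_EXT

def scan_proxy_log(lines):
    """Flag (a) direct fetches of camera-named executables and (b) PHP pages
    that 301/302-redirect to one. Constructed line format (hypothetical):
    '<client> <status> <url> <redirect-location-or-->'."""
    hits = []
    for line in lines:
        client, status, url, location = line.split()
        if is_camera_name_executable(url):
            hits.append((client, "camera-named executable", url))
        elif (status in ("301", "302") and location != "-"
              and url.lower().endswith(".php")
              and is_camera_name_executable(location)):
            hits.append((client, "php redirect to camera-named executable", url))
    return hits

# Constructed proxy log lines (not from the honeypot); example.invalid is a placeholder host.
SAMPLE_LOG = [
    "10.0.0.5 200 http://example.invalid/images/DSC00123.jpg -",
    "10.0.0.5 302 http://example.invalid/images/foto.php http://example.invalid/images/DSC00123.exe",
    "10.0.0.5 200 http://example.invalid/images/DSC00123.exe -",
    "10.0.0.7 200 http://example.invalid/index.php -",
]

if __name__ == "__main__":
    for client, reason, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}: {reason}: {url}")
```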