Just a few hours ago after the first incident of TROJ_BAGLE.EY
in the Email Honeypot, I have noticed another sample in MailTrap
that is taking the rounds. So, I quickly checked the sample, which is detected as
Though there’s nothing new or special with this backdoor, it
reaches a total count of 280 samples in less than 3 hours. This
must have been the result of massive spamming that we are facing
today. Just like what I have noticed in the sample count of the
recent TROJ_BAGLE.EY: it is packed with UPolyX, but we have
intercepted 870 samples (at the time of writing), all with the same
MD5 hash. The point is, it is packed with a polymorphic packer, but
we are getting numerous copies of only one generation of the sample!
Why? It is all because of what I’ve just mentioned, massive
spamming. Oh well.. :(
The sample which arrived as a zip file has a file size of 10,090
bytes and an MD5 hash of 87B40A62BD5D8FD2A5ED24C16B92B5D1. The
filenames might be one of the following.
Here is the sample email.