Someone Submitted a Bunch of Malware Samples to Dr.Web Using My Email Address
On Sept. 19, someone submitted 10 malware samples to Dr.Web through their online submission portal. I know about this because I started receiving automated emails to my Motherboard email address. Apparently, the submitter used my address when uploading the samples.

Dr.Web’s CEO and researchers told me they have no information about who could have submitted them (other than a meaningless IP address), nor why they put my Motherboard email address when they did.
Here’s a list of all the samples submitted, with the Dr.Web tracking number and some of the names of the malware.
- [drweb.com #7844861] — Trojan.DownLoader25.27863
- [drweb.com #7844862] — Threat: Trojan.Siggen7.30162
- [drweb.com #7844865] — Threat: Trojan.DownLoader25.34774
- [drweb.com #7844864]
- [drweb.com #7844868]
- [drweb.com #7844869]
- [drweb.com #7844961] — Threat: Trojan.Swrort.48
- [drweb.com #7844964]
- [drweb.com #7844967] — Threat: Trojan.BtcMine.1552
The samples are also on VirusTotal:
- secret_chat.exe — https://www.virustotal.com/en/file/6f413061a25b01453e0b407cdf9a01c4c895bd3951ef51baf63cac083d375428/analysis/
- YESSSS.exe — https://www.virustotal.com/en/file/faf828c706ec25b9bd0d1c9964f1ffce77586d46e33a3d74d23bfbed3af31ae0/analysis/
- PAY (3).exe — https://www.virustotal.com/en/file/173c0ffc1f285ef1c6a14aaaf0f94208e2172fa9ee9018b69a901030bfb2d3c9/analysis/
- trsd.exe — https://www.virustotal.com/en/file/adefce4fe668eb2eb8f7ad5e840fc67f1536154972fbda7123b5ba799775c8b7/analysis/
- repsol0206.exe — https://www.virustotal.com/en/file/eacc5487fe922db848930f7b48d3f8d9ef2a31d6874a2483cf16302fff89566d/analysis/
- EBBF.exe — https://www.virustotal.com/en/file/a0692392c42fe59371c710108a0cd9117d20f74daae65cbac2559b6599648df9/analysis/
- Pierre.PIF.exe — https://www.virustotal.com/en/file/e82c46db7e14bb9031f5c7cd01416264ed37d14360d5db6b45541f28e4a6d5b9/analysis/
- Voila.exe — https://www.virustotal.com/en/file/fd8e62c843c2278b483ade080aab5267acc8f161ba9ea30cadc78aeca862d26f/analysis/
- BTC Cheats.exe — https://www.virustotal.com/en/file/9ee1ca96bd07735f57a3ba7f0ac4ee146ad3599c7b946bff02a34795f37bab85/analysis/
- OneDrive.exe — https://www.virustotal.com/en/file/f0a75331311c13fa6fa3c3aa74cc8d157d1b38b525a0be2a90bc8a3e6a54a09d/analysis/
Some notes about the samples:
- The IP address for all submissions is the same: 77.243.189.245 — Amsterdam, North Holland, Netherlands
- The User-Agent is also the same: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36. A User-Agent can be easily spoofed, but if it isn't, they're running Windows 10 and Chrome 59 (very recent at the time of writing)
According to a Dr.Web researcher who looked into these samples, these were submitted “only once,” and they are “several key loggers, password stealers, and droppers that drop and execute the malware from themselves.”
Nothing too interesting about them, he said, other than “their authors know you and send you a friendly reminder…”
This is most likely a prank. But I’m publishing this in case someone wants to look into the samples and can discover something interesting about them. If you do look into these and have some information to share, here’s how to reach me.
Thanks to our infosec wizard Destiny Montague for the help with this.