I grepped the trojan infections in the phishing databases just now, and a list of the file "Application+Form.zip" saved at many infector URLs caught my interest. When I DNS-reversed it, it came up with the URL of the free cloud storage service MediaFire. The list and proof are as per below:

The download PoCs are below:

Case 1:

Case 2:

I bet there are more of these, since I had to stop my scanning script because it looked never-ending.

I downloaded it, and it was a plain zip file containing this file:

According to the server's timestamp, it looks like the trojan was released / uploaded months ago. A quick binary analysis is below:

I bet many others have already analyzed this sample, so I just checked it in VT:

Yep, this is the banker trojan which steals your credentials. It was last detected 4 months ago according to the VT database. I am not going to analyze this because it is an obvious, known and well-handled malware. A complete technical analysis can be found on the Microsoft site↓

And this trojan was reported to be suddenly growing, according to this news↓

Hope MediaFire sees this blog and soon gets rid of them from their server.