FedEx emails with new trojan variant

MX Lab intercepted a new campaign of FedEx emails that have a trojan attached to the message. The email is sent from the spoofed address “Fedex Support, Trisha Kimble” <> – please note that the name of the person can change.

Possible subjects:

Fedex Invoice Copy N25524750
Fedex Item Status N4347526
Fedex Shipment Status N0919106
Fedex Tracking Number N7897143

The body of the email does not contain any text, only an embedded image.

The email carries a zip archive as attachment. The 36 kB file FedexInvoice_EE776129.exe is extracted from the zip archive.

At the time of writing, only 8 of the 42 AV engines at Virus Total detected the trojan. The trojan is known as W32/Agent.JBI (Authentium), Suspicious:W32/Malware!Gemini (F-Secure), TrojanDropper:Win32/Oficla.T (Microsoft), a variant of Win32/Kryptik.GHC (NOD32).

Virus Total permalink and MD5: 2587d5dc4b18e652532e556ac26f2290

5 thoughts on “FedEx emails with new trojan variant”

  1. I just received a similar e-mail with the same message. This time the zip file was 21 kB:
    Fedex Item Status N7448417
    Fedex Invoice EE076263OP

    • I just received an email as well, Fed Ex stating your Fed Ex package was not delivered. The item # was N1150628 and I could not open the file??? It did not have an invoice #.

  2. We have been getting these emails all week now.

    Virus: a variant of Win32/Kryptik.GIP trojan
    Original subject: Fedex Shipment Status N7439458
    Engine: NOD32 on 1-224
    Engine ID: {5EB45DE3-DE3B-465B-AFDF-69E7CEBA0608}

    The E-mail containing the virus or vulnerability has been quarantined to help protect your network.

  3. I got the FedEx email today, a UPS one yesterday. I spammed both of them. I have been getting these emails for months, DHL, UPS and FedEx. I keep spamming them, but they keep coming through.
