Emails with subject “I’m going to send you the photos in” contain a trojan

MX Lab started to intercept a new trojan distribution campaign by email with the subject “I’m going to send you the photos in”.

The email is sent from the spoofed address “Facebook <>” and has the following body:

Hallo Man,

Ich weiß nicht, wie ich es sagen, aber ich habe vor langer Zeit zu euch senden einige Fotos tryed, aber ich habe gedacht, dass Sie nicht interessiert sind, mich zu sehen.
Aber jetzt werde ich Ihnen die Fotos in der Anlage.
Laden Sie die Bilder und extrahieren sie, ich bin sicher, dass Sie sie mögen. Das Passwort ist: 123456

Machen Sie einen schönen Tag.

English translation of the (broken German) lure text:

Hello Man,

I don’t know how to say it, but a long time ago I tried to send you some photos, but I thought that you were not interested in seeing me.
But now I will send you the photos in the attachment.
Download the pictures and extract them, I am sure you will like them. The password is: 123456

Have a nice day.

The attached ZIP file has the name and contains the 244 kB file DSC0172635.exe (the numbers may change with each email).

The trojan is known as TR/Crypt.CFI.Gen (AntiVir), Worm.Win32.Ainslot!IK (Emsisoft), Artemis!784DBB4768DB (McAfee) and W32/Obfuscated.A!genr (Norman).

This trojan has the characteristics of ZBot – a banking trojan that disables the firewall, steals financial data, takes screenshots, downloads additional components, and gives an attacker remote access to the infected system.

The following files will be created:


The following hidden files will be created:


The following hidden directory is created:


Several Windows registry changes will be executed and the trojan can establish connections with the following IPs on port 80:

Data can be obtained from following URLs:

    • hxxp://
    • hxxp://
    • hxxp://

When visiting the URL (which we do not recommend), we got a standard HTML error page with the message “This Account Has Been Suspended”. The IP is registered to Leaseweb Germany GmbH.

At the time of writing, only 10 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 784dbb4768dbe5ee5b0f3e8d0b0a4165.
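Because the payload travels inside a ZIP archive (in this campaign even behind a password, which keeps gateway scanners from opening it), a mail-side triage check is a useful complement to the low AV coverage noted above. The script below is an added example, not MX Lab’s tooling: it parses a constructed message modelled on this lure, matches the subject, looks for a password hint in the body, lists the members of any ZIP attachment straight from the archive headers (which stay readable even when the entries are encrypted), flags executable member names, and compares the MD5 of unencrypted members against the hash given above. The attachment name, sender address and file contents in the sample are placeholders, since the write-up does not give them.

```python
"""Triage an e-mail for the 'photos' lure: added example, not the original post's code."""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
SUBJECT_PATTERN = re.compile(r"I.m going to send you the photos in", re.IGNORECASE)
KNOWN_MD5 = {"784dbb4768dbe5ee5b0f3e8d0b0a4165"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip(data: bytes) -> dict:
    """Look inside a ZIP attachment without extracting anything to disk.

    Member names and the encryption flag live in unencrypted headers, so this
    works for password-protected archives too; an MD5 is only computed for
    entries that are not encrypted.
    """
    result = {"encrypted": False, "executables": [], "known_hashes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            is_encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            if is_encrypted:
                result["encrypted"] = True
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                result["executables"].append(info.filename)
            if not is_encrypted:
                digest = hashlib.md5(zf.read(info)).hexdigest()
                if digest in KNOWN_MD5:
                    result["known_hashes"].append((info.filename, digest))
    return result


def triage_message(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {"subject_match": False, "password_in_body": False,
               "zip_findings": [], "suspicious": False}
    verdict["subject_match"] = bool(SUBJECT_PATTERN.search(str(msg["subject"] or "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Matches both English "password" and German "Passwort".
    verdict["password_in_body"] = bool(re.search(r"(?i)passw(or|ort)", text))
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload[:2] == b"PK":  # ZIP local file header signature
            verdict["zip_findings"].append(inspect_zip(payload))
    verdict["suspicious"] = verdict["subject_match"] and any(
        f["executables"] or f["encrypted"] for f in verdict["zip_findings"])
    return verdict


def build_sample_message() -> bytes:
    """Constructed sample modelled on the lure; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # zipfile cannot write encrypted archives, so the sample is unencrypted;
        # inspect_zip() still handles the encrypted case via the header flag.
        zf.writestr("DSC0172635.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "I'm going to send you the photos in"
    msg["From"] = "Facebook <spoofed@example.invalid>"  # placeholder address
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Hallo Man,\nDas Passwort ist: 123456\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photos.zip")  # placeholder; name not in the write-up
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

In production the raw bytes would come from the mail queue or an IMAP fetch instead of `build_sample_message()`; the point of the check is that an archive whose entries are encrypted and whose member list contains an executable is enough to quarantine, whether or not the hash is already known.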