Emails “[5492] liebe dich” contain a malicious executable in the attached ZIP archive

MX Lab started to intercept a new trojan distribution campaign by email with the subject “[5492] liebe dich”.

This email is sent from spoofed addresses and has the following body:

Du bist wie mein Glück, denn das kann ich oft gebrauchen. Du bist meine Medizin, denn nur du kannst mich heilen.

V. Zorn

Ob man `nen Engel oder Teufel küsst, ist unwichtig solange es LIEBE ist!!!

S. Prill

Ich liebe dich so fest wie der Baum seine Äst, wie der Himmel seine Sterne, so arg hab ich dich gerne…

A. Tröger

The attached ZIP file has the name and contains the 89 kB large file liebe3230.exe.

Note that the numbers between brackets in the subject line, the name of the ZIP archive and the executable itself will change with each email.

The trojan is known as Trojan.Agent.BDHP, Packed.Win32.Fareit.1!O, Win32/TrojanDownloader.Elenoocka.A, Trojan.Agent.BDHP or TROJ_GEN.F0D1H00F314.

At the time of writing, 7 of the 52 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 0c1927d17a4a9a5144282b851f0c13b9001ba87a559f4d417c093398a33a5c54.
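Because the bracketed number and the file names change with every email, a filter has to match the pattern rather than the literal strings. The following mail-gateway check is an added example, not MX Lab's code: it combines the subject and executable-name patterns with the SHA256 above. The digit counts in the patterns are an assumption generalised from the single sample shown, and `inspect_message` and `build_sample` are hypothetical helper names.

```python
import email, email.policy, hashlib, io, re, zipfile
from email.message import EmailMessage

# Patterns generalised from the one sample on the page; digit counts are assumed.
SUBJECT_RE = re.compile(r"^\[\d+\]\s+liebe dich\s*$", re.IGNORECASE)
MEMBER_RE = re.compile(r"^liebe\d+\.exe$", re.IGNORECASE)
KNOWN_SHA256 = {"0c1927d17a4a9a5144282b851f0c13b9001ba87a559f4d417c093398a33a5c54"}

def inspect_message(raw: bytes) -> dict:
    """Return the campaign indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    result = {"subject": bool(SUBJECT_RE.match(str(msg.get("Subject", "")))),
              "members": [], "known_hash": False}
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(b"PK"):
            continue  # identify ZIPs by magic bytes, not by attachment name
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    name = info.filename.rsplit("/", 1)[-1]
                    if MEMBER_RE.match(name):
                        result["members"].append(name)
                    # Hash only unencrypted members of modest declared size.
                    if info.file_size <= 5_000_000 and not info.flag_bits & 0x1:
                        digest = hashlib.sha256(zf.read(info)).hexdigest()
                        result["known_hash"] |= digest in KNOWN_SHA256
        except zipfile.BadZipFile:
            continue
    # The hash alone is conclusive; the name patterns must both match.
    result["flag"] = result["known_hash"] or (
        result["subject"] and bool(result["members"]))
    return result

def build_sample(subject: str, member: str) -> bytes:
    """Constructed test message: harmless bytes stand in for the executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("[7731] liebe dich", "liebe0042.exe")))
```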

