Email Internet Fax Job contains URL that downloads trojan Upatre.FH


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “Internet Fax Job”. The email is sent from the spoofed address “MyFax <no-replay@my-fax.com>” and has the following body:

Fax image data
hxxp://bursalianneler.com/documents/fax.html

The downloaded file fax8642174_pdf contains the 21 kB file fax8642174_pdf.exe, an executable disguised as a PDF by its name.
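As an added illustration (not part of the original MX Lab post), the following Python scores an inbound message against the lure characteristics described above: the spoofed MyFax sender with the misspelled no-replay local part, the “Internet Fax Job” subject, a body that is just a caption plus a link to fax.html, and the fake _pdf suffix on the dropped .exe. The sample message is constructed for the example, and TRUSTED_FAX_DOMAINS is a placeholder for the domain your real fax provider sends from.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign in the post (not a real capture).
SAMPLE_EMAIL = """\
From: MyFax <no-replay@my-fax.com>
To: user@example.org
Subject: Internet Fax Job

Fax image data
hxxp://bursalianneler.com/documents/fax.html
"""

# Placeholder (assumption): the domain(s) your organisation's real fax service uses.
TRUSTED_FAX_DOMAINS = {"fax.example.org"}
# Accepts live http(s) links and the defanged hxxp form used in reports.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)
# Fake document suffix glued onto a real executable extension, e.g. fax8642174_pdf.exe.
DOUBLE_EXT_RE = re.compile(r"_(?:pdf|doc|xls)\.(?:exe|scr|com|pif)$", re.IGNORECASE)


def is_double_extension(filename: str) -> bool:
    """True for names that masquerade as documents but carry an executable extension."""
    return DOUBLE_EXT_RE.search(filename) is not None


def score_fax_lure(raw_email: str) -> list:
    """Return the indicator names matched by one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_email)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if display.strip().lower() == "myfax" and domain.lower() not in TRUSTED_FAX_DOMAINS:
        hits.append("spoofed-myfax-sender")
    if local.lower() == "no-replay":  # misspelled no-reply, as seen in the campaign
        hits.append("misspelled-noreply-sender")
    if "internet fax job" in msg.get("Subject", "").lower():
        hits.append("subject-internet-fax-job")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    urls = URL_RE.findall(body)
    if any(u.lower().endswith("/fax.html") for u in urls):
        hits.append("link-to-fax.html")
    # A bare caption plus a single link, with no real text, is typical of this lure.
    text_lines = [ln for ln in body.splitlines() if ln.strip() and not URL_RE.search(ln)]
    if urls and len(text_lines) <= 1:
        hits.append("bare-link-body")
    return hits
```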

The trojan is known as Upatre.FH.

The trojan installs itself by creating the service ioiju.exe, ensures that it is started when Windows boots, and modifies several Windows registry keys. It also attempts network connections to the following remote IP addresses:


At the time of writing, 1 of the 55 AV engines on VirusTotal detected the trojan.

Use the VirusTotal permalink or Malwr permalink for more detailed information.
SHA256: 745a25bcff06daf957730207c8b34704288fc5232fac81a228a5f2b4f577f048