Email with RA_New.zip attached contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “RA 216001”; the numbers in the subject change with every email.

This email is sent from the spoofed address “NicolaR@jhs.co.uk” and has only a standard disclaimer in the body of the email:

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

The attached file RA_New.zip contains the 29 kB large file RA_New.exe.

The trojan is known as Win32.Trojan.Inject.Auto.

This trojan downloads and installs additional files from the internet. It creates a process tempinst.exe on the system and connects to the following hosts on port 80:

checkip.dyndns.org
xr36rx.com
rmccontracting.com

It will request the files:

  • index.html
  • adv/honf.pdf
  • mandoc/honf.pdf

At the time of writing, 1 of the 56 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: 29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e
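As an added example (not part of the MX Lab post), the following Python script turns the indicators above into checks a mail gateway or SOC analyst could run: it inspects a zip attachment in memory, compares the SHA256 of the inner file against the published hash, flags the "RA <digits>" subject together with an executable inside RA_New.zip, and scans proxy log lines for the hosts and paths listed. The proxy log layout, the sample log lines and the stand-in zip are all constructed for this example; checkip.dyndns.org is treated as a weak indicator because legitimate software also uses that public IP-lookup service.

```python
"""IOC matching for the RA_New.zip campaign: constructed example, not MX Lab code."""
import hashlib
import io
import re
import zipfile

# Indicators taken from the post above.
RA_NEW_SHA256 = "29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e"
C2_HOSTS = {"xr36rx.com", "rmccontracting.com"}
# checkip.dyndns.org is a public "what is my IP" service that legitimate software
# also talks to, so a hit on it alone is only a weak indicator.
WEAK_HOSTS = {"checkip.dyndns.org"}
REQUESTED_PATHS = {"/index.html", "/adv/honf.pdf", "/mandoc/honf.pdf"}
SUBJECT_RE = re.compile(r"^RA \d+$")  # "RA 216001"; the digits change per mail

# Assumed proxy log layout (constructed for this example):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)(?P<path>/\S*)"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_zip_attachment(data: bytes, known_sha256: str = RA_NEW_SHA256) -> dict:
    """Inspect a zip attachment in memory, never extracting it to disk.

    Reports the member names, whether any member is a Windows executable and
    whether any member's SHA256 equals the known sample hash.
    """
    result = {"members": [], "has_exe": False, "hash_match": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            if info.filename.lower().endswith(".exe"):
                result["has_exe"] = True
            if sha256_hex(zf.read(info)) == known_sha256.lower():
                result["hash_match"] = True
    return result


def classify_email(subject: str, attachment_name: str, attachment_bytes: bytes) -> str:
    """Return "malicious", "suspicious" or "clean" for a mail with one attachment."""
    if not attachment_name.lower().endswith(".zip"):
        return "clean"  # only zip-wrapped executables are in scope here
    try:
        zinfo = inspect_zip_attachment(attachment_bytes)
    except zipfile.BadZipFile:
        return "suspicious"  # .zip extension but not a zip archive
    if zinfo["hash_match"]:
        return "malicious"  # exact match on the published sample
    if zinfo["has_exe"] and (SUBJECT_RE.match(subject) or attachment_name == "RA_New.zip"):
        return "malicious"  # same lure and packaging, probably a repacked variant
    if zinfo["has_exe"]:
        return "suspicious"  # executable inside a zip, but no campaign marker
    return "clean"


def scan_proxy_log(lines) -> list:
    """Return (client, host, path, confidence) for lines hitting the network IOCs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = m["host"].lower(), m["path"]
        if host in C2_HOSTS and path in REQUESTED_PATHS:
            hits.append((m["src"], host, path, "high"))
        elif host in C2_HOSTS:
            hits.append((m["src"], host, path, "medium"))
        elif host in WEAK_HOSTS:
            hits.append((m["src"], host, path, "low"))
    return hits


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build a small zip in memory; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample data; none of it is real telemetry or the real sample.
SAMPLE_LOG = [
    "2000-01-01T10:01:02Z 10.0.0.23 GET http://checkip.dyndns.org/ 200",
    "2000-01-01T10:01:05Z 10.0.0.23 GET http://xr36rx.com/adv/honf.pdf 200",
    "2000-01-01T10:01:09Z 10.0.0.23 GET http://rmccontracting.com/mandoc/honf.pdf 200",
    "2000-01-01T10:02:00Z 10.0.0.42 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    lure = build_sample_zip("RA_New.exe", b"MZ constructed stand-in, not the real binary")
    print(classify_email("RA 216001", "RA_New.zip", lure))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The hash check only catches the exact sample from the post; the subject and attachment-name check is what keeps firing when the campaign repacks the executable, which is why both are combined. Hits on the two C2 hosts with one of the listed paths are reported as high confidence, other requests to those hosts as medium, and checkip.dyndns.org alone as low.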