Fake email New Stanford Hospital contains password protected Rar with trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Stanford”.

This fake email is sent from the spoofed address “Kcurran <kcurran@stanfordhealthcare.org>” and has the following body:

Please find the attached.

The password for the archive: kasandra

If you can not read the file, set WinRar http://www.rarlab.com/download.htm

Kevin T Curran
Director, Construction
New Stanford Hospital
Stanford Health Care
O: 650-723-2219   C: 650-847-8382
kcurran@stanfordhealthcare.org

http://www.sumcrenewal.org/

The attached password-protected file WgxEoWsa.rar contains the 52 kB file document.exe.

The trojan is known as Win32:Evo-gen [Susp], Packed.Win32.Katusha.3!O, BehavesLike.Win32.Downloader.qh or Trojan.Win32.Qudamah.Gen.26.

At the time of writing, 4 of the 56 AV engines detected the trojan at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: 8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e
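
As an added example (not MX Lab's code), a mail-gateway triage heuristic for the pattern described above: it flags a message whose attachment starts with a RAR signature while the body hands out an archive password. The regex, the function names and the constructed sample message are assumptions; the sample attachment is only a RAR signature plus padding, not a real archive.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# RAR 4.x and 5.x signatures; sniffed so a renamed attachment is still caught.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Assumed phrasing: "... password ...: <value>", as in the body quoted above.
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pwd)\b[^\n:]{0,40}:\s*(\S+)", re.I)

def rar_attachments(msg):
    """Filenames of attachments whose decoded bytes begin with a RAR signature."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(RAR_MAGICS):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

def body_password(msg):
    """Password the body discloses for the archive, or None."""
    body = msg.get_body(preferencelist=("plain", "html"))
    match = PASSWORD_RE.search(body.get_content()) if body else None
    return match.group(1) if match else None

def triage(raw):
    """Flag mail that pairs a RAR attachment with a password in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    archives, password = rar_attachments(msg), body_password(msg)
    return {"archives": archives, "password": password,
            "quarantine": bool(archives and password)}

def build_sample(with_password=True):
    """Constructed test message modelled on the email above (no real archive)."""
    msg = EmailMessage()
    msg["From"] = "Kcurran <kcurran@stanfordhealthcare.org>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Stanford"
    body = "Please find the attached.\n\n"
    if with_password:
        body += "The password for the archive: kasandra\n"
    msg.set_content(body)
    # Signature plus zero padding only: enough for the sniffing, not a valid RAR.
    msg.add_attachment(RAR_MAGICS[0] + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="WgxEoWsa.rar")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Because the check keys on the archive-plus-password pairing rather than on the payload, it does not depend on the gateway being able to open or scan the encrypted archive.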
