Email [Issue 243061763D7F320] Account #735811402519 Temporarily Locked contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “[Issue 243061763D7F320] Account #735811402519 Temporarily Locked”.

Different spoofed addresses are used as the From email address, and with each email the content and the attached trojan are different to avoid detection by virus engines.

Some examples:

Dear user,

We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
Please re-confirm your identity. See attached docs for full information.

———
Evie Maccarter
King Yvonne M Dr
70 Exhibition Street, Kentville, NS B4N 4K9

CANADA
902-602-7131

The attached file 735811402519.zip contains the 102 kB file 735811402519.scr.

The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3.

At the time of writing, 3 of the 57 AV engines detected the trojan at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: 7c71b6d7318f3754af51b1795cd5190b1e35a40db1862eec9e3600da46de13d7

Dear user,

We detect unauthorized Login Attempts to your ID #527656217388 from other IP Address.
Please re-confirm your identity. See attached docs for full information.


Zelma Dewaratanawan
COMPONENTES EOLICOS CUENCA S.A.
Carretera Valencia, S/N 16004 Cuenca Cuenca
Cuenca
SPAIN
+34 969 52 29 23

The attached file 527656217388.zip contains the 86 kB file 527656217388.scr.

The trojan is known as Heur.I or Trojan.Win32.Qudamah.Gen.3.

At the time of writing, 2 of the 57 AV engines detected the trojan at VirusTotal.

Use VirusTotal or Malwr for more detailed information.
SHA256: f43d82aaf691043d1690a0699aa9977033f8a09ebc6065db9cf12bfa7f04b21e