Emails with subject “Report dated/Memo dated/Notification dated/Paper dated 9th June” contain a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Report dated 9th Jun
Memo dated 9th March
Notification dated 9th June
Paper dated 8th May

This email is sent from spoofed email addresses and has one of the following bodies:

Be acknowledged that on Tuesday the 6th of May a facsimile was sent to chief accountant .
The given deed has essential information regarding the money abatement procedure .
Please confirm the due reception of the form .
For Your exploration stated paper had been enclosed.
Laura Smith
Chief accountant

This is to inform that on Monday the 7th of April a document was mailed to the director .
The indicated act introduces considerable data regarding the interest refund order .
Could you confirm the secure reception of the form .
For Your comfort stated document has been enclosed.
Jane Jackson
Senior Consultant

We turn Your attention to the fact that on Wednesday the 7th of May a document was forwarded to You .
The mentioned act contains important data dedicated to the interest abatement order .
Could you verify the secure receipt of the facsimile .
For Your easement stated paper is enclosed.
Helen Morgan
Chief accountant

Please be advised that on Wednesday the 6th of May a telecopy has been forwarded to chief accountant .
The described paper introduces considerable information dedicated to the levy refund proceedings .
We ask you to verify the due reception of the file .
For Your exploration the paper had been enclosed.
Sarah Nelson
Tax Officer

The attached file transcript_of_the_forwarded_order.zip contains the 75 kB file extract_of_the_bank_writ.exe.

The trojan is known as a variant of Win32/Kryptik.DNRN, W32/Waski.A!tr, Trojan-Downloader.Win32.Upatre.ciaj or Win32.Trojan.Fakedoc.Auto.

At the time of writing, 4 of the 55 AV engines detected the trojan at VirusTotal.

See VirusTotal for more detailed information.
SHA256: 0c9b3eeb457f42e772419fbd5bd08adec0266105e469ad017d4848d5cbf94f1b

Another attached file, extract_of_the_transmitted_order.zip, contains the 75 kB file pattern_of_the_forwarded_prescript.exe.

The trojan is known as a variant of Win32/Kryptik.DNRN, W32/Waski.A!tr, UDS:DangerousObject.Multi.Generic or Win32.Trojan.Fakedoc.Auto.

At the time of writing, 4 of the 56 AV engines detected the trojan at VirusTotal.

See VirusTotal for more detailed information.
SHA256: 53901e5962a5e08560610a8ed1cdf21eb6f417914c501d617c02d909e33069d6
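
With only 4 engines detecting the samples at the time of writing, a structural mail check is a useful complement to AV. The following Python check, added here as an illustration and not part of the original post, flags messages that match the subject pattern above and carry a ZIP attachment containing an executable. The extensions beyond .exe, the function names and the sample message are assumptions constructed for the example.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject shape listed on this page, e.g. "Notification dated 9th June"
SUBJECT_RE = re.compile(
    r"^(Report|Memo|Notification|Paper) dated \d{1,2}(st|nd|rd|th) [A-Z][a-z]{2,8}$")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")  # assumption: beyond .exe, not from the page

def executables_in_zip(data):
    """Names of executable members in a ZIP, read from the directory without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []  # not a readable archive; leave it to other controls

def inspect_message(raw):
    """Check one raw message for the campaign subject and a ZIP-wrapped executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            hits += [(name, member) for member in executables_in_zip(payload)]
    # The subject alone is weak evidence; the executable inside the archive decides.
    return {"subject_match": bool(SUBJECT_RE.match(subject)),
            "exe_in_zip": hits, "quarantine": bool(hits)}

def build_sample(subject="Notification dated 9th June", member="extract_of_the_bank_writ.exe"):
    """Constructed test message; placeholder bytes stand in for the attachment content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("For Your exploration stated paper had been enclosed.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="transcript_of_the_forwarded_order.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

The quarantine decision keys on the executable inside the archive, so it still fires when the sender rotates subject lines or attachment names.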
