Malware distribution: fake order confirmation from Euronics contains URL to malware

MX Lab would like to warn of a trojan distribution campaign by email concerning a purchase, for a certain amount, in the online shop of the company Euronics.

Recipients of this email are told that the proof of purchase, payment details and point-of-contact details can be found in a text document.

The email does not originate from the company Euronics, and the embedded URLs will download a trojan to your system.

The emails have subjects such as:

Betaling is voldaan
Bedankt vor uw aanvraag
Uw bestelling wordt afgeleverd aan de verwerking
Uw bestelling wordt geaccepteerd

This email is sent from the spoofed address “” or “”, is composed in Dutch and has the following body:

Hallo Geachte klant! Een aankoop met behulp van uw creditcard is gedaan in onze online shop totaal betaling is 2890€. Voor bewijzen om aankoop en verder betaling overbrengen vanuit uw account, contact onze sales afdeling. Ons telefoonnummer evenals andere contactpersonen informatie kan worden gevonden in een tekstdocument dat u gevonden in deze bericht. Vriendelijke groet dank u. Administratie!

Druk hier om te laden txt

The malware is hosted on different hosts. A 100 kB file, order568493.exe (the numbers may vary), is downloaded when you click on the text “Druk hier om te laden txt”.
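As an added example (not MX Lab's code), the indicators described in this post, namely the subject lines, the link text and the order<digits>.exe file name, can be combined into a simple mail triage check. The function names, the sample message and its sender and host are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Indicators quoted in this post, lower-cased for comparison.
SUBJECTS = {
    "betaling is voldaan",
    "bedankt vor uw aanvraag",
    "uw bestelling wordt afgeleverd aan de verwerking",
    "uw bestelling wordt geaccepteerd",
}
LINK_TEXT = "druk hier om te laden txt"
# The post gives order568493.exe and says the numbers vary: match order<digits>.exe.
EXE_URL = re.compile(r"""href=["']https?://[^"']*/order\d+\.exe(?:[?#][^"']*)?["']""", re.I)

def normalise(text):
    """Lower-case and collapse whitespace so line wrapping does not hide a match."""
    return " ".join(text.lower().split())

def check_message(raw):
    """Return the sorted campaign indicators found in one raw e-mail message."""
    msg = message_from_string(raw)
    hits = set()
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if normalise(subject) in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if LINK_TEXT in normalise(re.sub(r"<[^>]+>", " ", body)):
            hits.add("link_text")
        if EXE_URL.search(body):
            hits.add("exe_url")
    return sorted(hits)

# Constructed sample message (host and sender are placeholders, not from the post).
SAMPLE = """\
From: shop@example.invalid
Subject: Betaling is voldaan
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://host.example/files/order568493.exe">Druk hier
om te laden txt</a></body></html>
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Because the hosts and the digits in the file name change, the link text and the order<digits>.exe pattern are more durable matches than any single URL.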

The trojan is known as Trojan.Malware.Obscu.Gen.002, TrojanDwnldr.Dalexies.F4, a variant of Win32/Kryptik.EGGD, Gen:Variant.Kazy.774253 or QVM20.1.Malware.Gen.

At the time of writing, 5 of the 55 AV engines detected the trojan on VirusTotal.

See the VirusTotal report for more detailed information.
SHA256: 514c3610c88e5ac829b925c5d234d91a1defa6029441b91040276bf9a57050d6