New JavaScript malware: Incoming Transaction Declined ID: 92002325


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Incoming Transaction Declined ID: 92002325”.

This email is sent from spoofed addresses and has the following body:

Your Purchase
Sender’s Details: 92002325
Amount: USD309,37
ACH Routing / Transit Number: 221323588
The incoming transaction (ID:92002325) has been declined by your bank.
Please, do no reply to this e-mail. See attachment for a detailed report.

The attached file money_92002325.zip contains the 8 kB file details_mTvxQh.js.

The malware is detected as HEUR.JS.Trojan.b, JS:Exploit.JS.Agent.JL (B), JS/Agent.TU!Eldorado, Win32.Outbreak, or Js.Trojan.Raas.Auto by 6 of the 57 AV engines at Virus Total.

Use Virus Total or Malwr for more detailed information.
SHA256: 5cd97154efecb2321f9a86bf8249e349f97c347bcbd9ae7f289a1d9343d917c1

The payload is downloaded from:

hxxp://giveitalltheresqq.com/80.exe?1

The malware is detected as Ransomware-FGN!57117A0BD632 by 3 of the 55 AV engines at Virus Total.

Visit Virus Total or Malwr for more detailed information.
SHA256: 109e67c4aead9b20b5a30ce1ba92da4b1534e63fdc336ff5005f986e8a8d4f0e
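
The delivery pattern described above, a ZIP attachment whose content is a script file, can be checked at the mail gateway before the message reaches a user. The following is an added example, not code from MX Lab: the function names and the extension list are assumptions, and the sample message is constructed with the campaign's file names around a harmless placeholder script.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list: extensions Windows hands to a script host when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

def script_members(zip_bytes):
    """Return the names of archive members that carry a script extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]

def scan_message(raw):
    """Return [(attachment name, [script member names])] for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Inspect the bytes instead of trusting the file name or MIME type.
        if zipfile.is_zipfile(io.BytesIO(data)):
            hits = script_members(data)
            if hits:
                findings.append((part.get_filename(), hits))
    return findings

def build_sample():
    """Constructed sample: the campaign's subject and file names, harmless content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details_mTvxQh.js", "// placeholder, not the real script\n")
    msg = EmailMessage()
    msg["Subject"] = "Incoming Transaction Declined ID: 92002325"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attachment for a detailed report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="money_92002325.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, hits in scan_message(build_sample()):
        print(f"{name}: script files inside -> {hits}")
```

A hit is a reason to quarantine or strip the attachment; the check does not look inside nested or password-protected archives.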