Malspam messages carrying an infected attachment are being sent out to users. Your anti-malware product may not disinfect this malware because it is compressed in a password-protected archive, even though the body of the email gives the user the password. The malspam contains the following message:
This email is for informational purposes only. Do not reply to the email address above.
A payment to Carrington Mortgage Services LLC in the amount of $8773.85 has been made from your Checking account
For further information about this transaction, please download attached invoice file (Password for ZIP archive: “invoice” )
If you did not authorize this payment to be made, please contact your financial institution or card issuer immediately for further instructions.
FKNC Privacy Statement: The information contained in this electronic mail transmission is intended by Fort Knox National Company for the use of the named individual or entity to which it is originally directed and may contain information that is privileged or otherwise confidential. It is not intended for transmission to, or receipt by anyone other than the named addressee (or a person authorized to deliver it to the named addressee). It should not be copied or forwarded to any unauthorized persons. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email or by calling Fort Knox National Company at 866-220-7121. Unauthorized use, dissemination, distribution, or reproduction of this message is strictly prohibited and may be unlawful.
The file enclosed in the archive is IN87129_717a.exe. Below are the results from VirusTotal along with the sandbox results.
VirusTotal: 15/36
Additional information (JoeBox)
File size: 58368 bytes
MD5...: eead764389f7e2b1939d147b198443a3
SHA1..: 94332eb2ead4bc9464ae1108ea2ab2b3c60d824b
SHA256: 74492a5d2e571ff6eae2f3ed913f372ab9620778c4ad522895d3aa805d1688f7
SHA512: 92ef95984fdd1db26f526c17ce897e2898858ca8410f3c0a39636ebdf0b852c635a2122adb4809d23363956008fae04f1071f94d7ad1afcae2834a48615a8262
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40107d
timedatestamp.....: 0x4806e3fb (Thu Apr 17 05:45:31 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x1010   0x1200   2.80   2b47bcb94b4842dbad7d705a4edde293
.data   0x3000   0x22b9b  0xc800   7.60   ded2450cbafedda4dfe1d972a0e701f2
.reloc  0x26000  0x1000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x27000  0x1000   0x600    4.66   0552eaf398afb9100b608d74807bcad7
( 1 imports )
> gdi32.dll: GetClipBox, GetBitmapBits, CreateDIBSection, SetTextColor, GetPixel, CreateDIBitmap, GetBrushOrgEx, CreateBitmap, CreateFontIndirectA, ExcludeClipRect
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eead764389f7e2b1939d147b198443a3

Please read carefully… They are not giving you that money, they’re extracting it from your account.
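A mail gateway cannot scan inside the protected archive, but it can still see the pattern described above: an encrypted ZIP, an executable member name, and the password printed in the body. The following triage check is an added example, not part of the original post; the function names, the extension list and the quarantine rule are assumptions, and the sample archive is constructed with only its "encrypted" flag bit set.

```python
import io
import re
import zipfile

# Extensions treated as executable for triage (an assumption; extend as needed).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")
# Matches a phrase such as: Password for ZIP archive: “invoice”
PASSWORD_HINT = re.compile(r"password[^:\n]{0,40}:\s*[\"'“”]?\s*([^\s\"'“”)]+)", re.I)
# One line of the message body quoted in the post.
BODY = "please download attached invoice file (Password for ZIP archive: “invoice” )"

def triage(body: str, attachment: bytes) -> dict:
    """Flag an encrypted ZIP whose password is disclosed in the message body."""
    result = {"encrypted": [], "executables": [], "password_hint": None,
              "quarantine": False}
    if not zipfile.is_zipfile(io.BytesIO(attachment)):
        return result
    with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flags marks an encrypted member.
            if info.flag_bits & 0x1:
                result["encrypted"].append(info.filename)
            # With traditional ZIP encryption the member names stay readable.
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                result["executables"].append(info.filename)
    m = PASSWORD_HINT.search(body)
    if m:
        result["password_hint"] = m.group(1)
    result["quarantine"] = bool(result["encrypted"] and result["executables"] and m)
    return result

def constructed_sample() -> bytes:
    """Constructed ZIP with the 'encrypted' flag set; the payload is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IN87129_717a.exe", b"MZ constructed placeholder, not malware")
    raw = bytearray(buf.getvalue())
    local = raw.find(b"PK\x03\x04")    # local file header signature
    central = raw.find(b"PK\x01\x02")  # central directory entry signature
    raw[local + 6] |= 0x01             # flags field of the local header
    raw[central + 8] |= 0x01           # flags field of the central directory entry
    return bytes(raw)

if __name__ == "__main__":
    print(triage(BODY, constructed_sample()))
```

The recovered password hint can be handed to a sandbox or unpacker so that the extracted file, rather than the opaque archive, is what gets scanned.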