Date: Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
From: American Express [Christian_Frey@aexp.com]
Subject: Confidential - Secure Message from AMEX
The security of your personal information is of the utmost
importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-964-7890, option 3.
Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET. The
information contained in this message may be privileged, confidential and protected from
disclosure. If the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this communication is
strictly prohibited. Thank you,
2012 American Express Company. All rights reserved.
The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46 at VirusTotal. Comodo CAMAS doesn't tell us much except that it seems to phone home to angels-mail.com and has the following checksums:
What about angels-mail.com then? Well, it looks like a legitimate domain hosted on 126.96.36.199 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis, a copy of which can be found here [pdf].
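A mail-gateway style check for the delivery pattern described above (a ZIP attachment that contains an executable), added here as an example and not part of the original post. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as directly runnable on Windows (assumed list, tune locally).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def executable_members(raw_message: bytes) -> list:
    """Return (attachment name, member name) for executables inside ZIP attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the content, not the attachment name: test for ZIP structure.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            hits.append((name, "<unreadable archive>"))
            continue
        for member in members:
            # Only the final extension counts, so "statement.pdf.exe" is caught.
            if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTS:
                hits.append((name, member))
    return hits


def build_sample(member_name: str) -> bytes:
    """Constructed sample message: SecureMail.zip holding one harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "recipient@example.com"     # constructed address
    msg["Subject"] = "Confidential - Secure Message from AMEX"
    msg.set_content("The attached file contains encrypted data.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="SecureMail.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(executable_members(build_sample("SecureMail.exe")))
```

Member names stay readable in the central directory of a password-protected ZIP, so the same check still works when the message claims the attachment is encrypted.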