Date: Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From: "Grover_Covington@wellsfargo.com" [Grover_Covington@wellsfargo.com]
Subject: New Secure Message
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
This message was sent to : [redacted]
Email Security Powered by Voltage IBE
Copyright 2013 Wells Fargo. All rights reserved
The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
Date: Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]The ThreatExpert report reveals some information, but the best analysis is this ThreatTrack report. Between them they identify some IPs and domains worth blocking:
From: "firstname.lastname@example.org" [email@example.com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm