Date: Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From: "Marcia_Manning@key.com" [Marcia_Manning@key.com]
Subject: Key Secured Message
You have received a Secured Message from:
The attached file contains the encrypted message that you have received. To decrypt the
message use the following password - nC4WR706
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your
- Select whether to open the file or save it to your hard drive. Opening the file
displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it. This e-mail and any
attachments are confidential and intended solely for the addressee and may also be
privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this
e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon
any part of this e-mail or its attachments.
If you have concerns about the validity of this message, please contact the sender
directly. For questions about Key's e-mail encryption service, please contact technical
support at 888.764.5844.
Copyright © 2013 KeyCorp®. All Rights Reserved
The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be unencrypted with the password supplied in the email (which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46.
The Malwr analysis shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel.com/ponyb/gate.php on 220.127.116.11 (Unified Layer / Bluehost, US) and then downloading one of the following: