From: QuickBooks [firstname.lastname@example.org]
Date: 18 November 2015 at 14:34
Subject: INTUIT QuickBooks
As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!
InTuIT. | simplify the business of life
© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.
The link in the email goes to:
This downloads a file INTUIT-Browser-up1247.zip, which in turn contains a malicious executable up1247.exe (MD5 563a1f54b9d90965951db0d469ecea6d) with a VirusTotal detection rate of 2/54. That VirusTotal report and this Hybrid Analysis report show that the malware POSTs data to:
The Malwr report is inconclusive. The payload is unknown; however, all of the following domains share the same nameservers and have also been used for malicious activity going back to August.
The malicious .in domain is hosted on the following IPs:
126.96.36.199 (Veri Merkezi Hizmetleri A.s., Turkey)
188.8.131.52 (DataGroup Dnepr, Ukraine)
184.108.40.206 (myLoc managed IT AG, Germany)
220.127.116.11 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)
This entry at MalwareURL links the nameservers to the Nymaim ransomware.
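As an added example (not part of the original post), the indicators above can be turned into a small triage check: the four hosting IPs, the sample's MD5 and the lure filename pattern are matched against proxy log lines and mail attachments. The log format (epoch, client, status, bytes, method, URL) and the log lines themselves are constructed for this example; in particular the POST destination is assumed to be one of the listed IPs, which the post does not state, and the attachment bytes are a placeholder rather than the real sample.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above.
MALICIOUS_IPS = {
    "126.96.36.199",
    "188.8.131.52",
    "184.108.40.206",
    "220.127.116.11",
}
MALICIOUS_MD5S = {"563a1f54b9d90965951db0d469ecea6d"}
# Lure archive INTUIT-Browser-up<digits>.zip and the dropped up<digits>.exe;
# the digit run is generalised from the single instance (1247) on the page.
LURE_NAME_RE = re.compile(r"^(?:INTUIT-Browser-up\d+\.zip|up\d+\.exe)$", re.IGNORECASE)

# Constructed proxy log lines (assumed format: epoch client status bytes method url).
SAMPLE_PROXY_LOG = """\
1447857240.123 10.0.0.15 TCP_MISS/200 41234 GET http://126.96.36.199/INTUIT-Browser-up1247.zip
1447857241.456 10.0.0.22 TCP_MISS/200 512 GET http://www.example.com/index.html
1447857250.789 10.0.0.15 TCP_MISS/200 300 POST http://188.8.131.52/
"""


def parse_proxy_line(line):
    """Split one constructed proxy log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, status, size, method, url = parts
    return {"ts": ts, "client": client, "status": status, "method": method, "url": url}


def classify_url(url):
    """Return the indicator types a URL matches (empty list when clean)."""
    reasons = []
    parsed = urlparse(url)
    if parsed.hostname in MALICIOUS_IPS:
        reasons.append("known_bad_ip")
    # Last path component is compared against the lure filename pattern.
    basename = parsed.path.rsplit("/", 1)[-1]
    if LURE_NAME_RE.match(basename):
        reasons.append("lure_filename")
    return reasons


def scan_proxy_log(text):
    """Scan log text and return one hit record per line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        reasons = classify_url(rec["url"])
        # A POST to a listed host is the check-in behaviour the sandbox reports describe.
        if rec["method"] == "POST" and "known_bad_ip" in reasons:
            reasons.append("post_to_c2")
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


def check_attachment(filename, data):
    """Hash an attachment and compare name and MD5 against the indicators."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "filename": filename,
        "md5": digest,
        "hash_match": digest in MALICIOUS_MD5S,
        "name_match": bool(LURE_NAME_RE.match(filename)),
    }


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    # Placeholder bytes, not the real sample: name matches, hash does not.
    print(check_attachment("up1247.exe", b"constructed placeholder, not the real sample"))
```

A name-only match (as in the attachment check) is a weak signal and a hash match a strong one; the hit record keeps both so the analyst can see which indicator fired rather than a bare true/false.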