From: Harlan Gardner
Date: 10 December 2015 at 08:48
Subject: Reference Number #20419955, Last Payment Notice
Dear Client,
This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services dated November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.
Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we will be compelled to pursue all the necessary legal actions.
Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.
Sincerely,
Harlan Gardner
Sales Manager
Foreman&Clark Ltd.
256 Raccoon Run
Seattle, WA 98101
In the sample I saw, the attachment was named copy_invoice_20419955.zip and contained a malicious obfuscated script with a VirusTotal detection rate of 2/55. Once deobfuscated it becomes clearer what it does: it attempts a download from:
46.151.52.196/86.exe?1
softextrain64.com/86.exe?1
This pattern is the same as yesterday's spam run. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc and a detection rate of 5/55, and the Malwr report indicates that it pulls data from the following domains:
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
gjesdalbrass.no
The characteristics of this malware indicate the Teslacrypt ransomware.
Recommended blocklist:
46.151.52.196
softextrain64.com
gjesdalbrass.no
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
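As an added example (not part of the original post), here is a small defender-side check that runs the blocklist above and the 86.exe?1 download pattern over proxy log lines. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post's recommended blocklist (one IP, seven domains).
BLOCKLIST = {
    "46.151.52.196", "softextrain64.com", "gjesdalbrass.no",
    "graysonacademy.com", "grassitup.com", "grupograndes.com",
    "crown.essaudio.pl", "garrityasphalt.com",
}

# The download URL pattern seen in the deobfuscated script: <host>/86.exe?1
PAYLOAD_PATH = re.compile(r"/86\.exe\?1$")


def host_in_blocklist(host):
    """True if host or any parent domain is listed (so www.grassitup.com matches,
    but notgrassitup.com does not, because matching is done on whole labels)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def scan_proxy_log(lines):
    """Return (client_ip, url, reason) for each line that matches an indicator.
    Assumed (constructed) line layout: <timestamp> <client> <method> <url> <status>."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash on a log glitch
        client, url = parts[1], parts[3]
        parsed = urlsplit(url if "://" in url else "http://" + url)
        reasons = []
        if host_in_blocklist(parsed.hostname or ""):
            reasons.append("blocklisted host")
        if PAYLOAD_PATH.search(parsed.path + ("?" + parsed.query if parsed.query else "")):
            reasons.append("86.exe?1 download pattern")
        if reasons:
            hits.append((client, url, "; ".join(reasons)))
    return hits


# Constructed sample log: two payload fetches, one callback to a listed domain,
# one benign request, and one near-miss domain that must NOT match.
SAMPLE_LOG = [
    "1449734900.123 10.0.0.5 GET http://46.151.52.196/86.exe?1 200",
    "1449734901.456 10.0.0.5 GET http://softextrain64.com/86.exe?1 200",
    "1449734950.789 10.0.0.5 GET http://www.grassitup.com/ 200",
    "1449735000.000 10.0.0.7 GET http://example.com/index.html 200",
    "1449735001.000 10.0.0.7 GET http://notgrassitup.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```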
21 comments:
Just got this email last night. Thanks for this page :)
I just received it also. I tried to open the attached "invoice" but luckily was blocked, recognizing it as malicious. Thank you very much for this helpful information!
I only owe $6,129!
LOL
I also received a bunch of these over the past few days. Thanks for confirming my suspicions that this is b.s.
Thanks for the heads up!
Yes received this today. Thanks for confirming it to be malicious. I was able to alert our whole business network.
If you don't have a contract with Foreman & Clark, why would you open the attachment? Classic malware propaganda.
Wow I am doing good. I only owe $2196. LOL Thanks for the heads up
Never open an attachment you are unfamiliar with. Especially zip files. If you owe them money, they will call you!!!
Thanks for the information. You saved my marriage!
A friend opened it and it put some documents on his desktop. How does he correct this?
Apparently I owe $7,228. I never open any attached files like this.
Suckers! I paid them promptly so I didn't get an email.
Well, I allegedly owe $5,295!
I cottoned on to this as soon as I read it, and sent the lady who signed it a very fulsome letter remembering the marvellous time she had given me at her flat six months ago, and offering her a place in the brothel my wife and I are currently running in Sydney Australia - though I thought the fee she was attempting to claim was a little on the large side!
WOW thank you SO MUCH for this information. I also received the e-mail and I owe 7,165 dollars. Wondering if anyone knows what this could do to my computer? Yes I did try to open it but it says there is no program available to open the file?
Thanks again for the information - lesson learned. I thought this stuff was a thing of the past.
Thanks so much, just received this email. Thank you for posting this information
Reformat the hard drive. Best left to your local tech shop.
Take it to a tech shop; it most likely contains a keystroke logger.
Hello, I live in Belgium and also received this mail a few days ago, so if I understand correctly I should not respond to it? Greetings