From: "[1NAV PROD RCS]" [donotreply@royal-canin.fr]
Date: Mon, 27 Jul 2015 18:49:16 +0700
Subject: Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715

Please find attached your Sales Order Confirmation

Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.

Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55, which in turn contains a malicious macro that looks like this [pastebin] which downloads an executable from one of the following locations (there are probably more):

http://www.madagascar-gambas.com/yffd/yfj.exe
http://technibaie.net/yffd/yfj.exe
http://blog.storesplaisance.com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
MD5s:
CA6E11BAA28B724E032326898D8A1A3C
E5DA1A23BC4B530CDEA3E17B1E34C4DA
97832482A5E3D541779F591B4DA94017
6FCD67F5C5C96A98687737DC93305B3F
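As an added example (not from the original post), here is a small Python indicator matcher that scans constructed proxy log lines for the download URLs and the C2 address listed above and looks up file hashes against the listed MD5s; the log format, timestamps and client addresses are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators quoted in the post above: download hosts and path, C2 address, drop file name, MD5s.
DOWNLOAD_HOSTS = {"www.madagascar-gambas.com", "technibaie.net", "blog.storesplaisance.com"}
DOWNLOAD_PATH = "/yffd/yfj.exe"
C2_IP = "93.171.132.5"
DROPPED_NAME = "ihhadnic.exe"  # written to %TEMP% according to the post
KNOWN_MD5S = {h.lower() for h in (
    "CA6E11BAA28B724E032326898D8A1A3C", "E5DA1A23BC4B530CDEA3E17B1E34C4DA",
    "97832482A5E3D541779F591B4DA94017", "6FCD67F5C5C96A98687737DC93305B3F",
)}

# Constructed sample proxy log (timestamp client method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
1438000000.123 10.0.0.12 GET http://www.madagascar-gambas.com/yffd/yfj.exe 200
1438000001.456 10.0.0.12 CONNECT 93.171.132.5:443 200
1438000002.789 10.0.0.15 GET http://example.invalid/index.html 200
1438000003.001 10.0.0.20 GET http://technibaie.net/yffd/yfj.exe 404
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)")

def match_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the line is a payload download attempt or a C2 connection."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    # CONNECT lines carry host:port without a scheme; prefix "//" so urlparse splits them.
    parsed = urlparse(url if "://" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    if host in DOWNLOAD_HOSTS and parsed.path.lower() == DOWNLOAD_PATH:
        reason = "payload download URL"
    elif host == C2_IP:
        reason = "connection to C2 address"
    else:
        return None
    return {"client": m.group("client"), "url": url, "status": m.group("status"), "reason": reason}

def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    # Keep only the hits, in log order; a 404 still records an attempted download.
    return [hit for hit in map(match_proxy_line, text.splitlines()) if hit]

def is_known_sample(md5_hex: str) -> bool:
    # Case-insensitive lookup against the MD5s listed in the post.
    return md5_hex.strip().lower() in KNOWN_MD5S
```

Feed it your own proxy export in the same five-column layout, or adapt LINE_RE to your log format; hits from the download hosts identify the client that ran the macro, and a hit on the C2 address means the executable already ran.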
3 comments:
My mother got the same email on July 27, 2015. Your page helped her know that it was a scam/malware. Thanks!
This e-mail was in my inbox this morning without any attachment that I can see, just a lot of code at the bottom.
Hi,
Those of you who received this mail, are you usual customers of Royal Canin?
Is this mail sent only to RC customers or to anyone?
Has the RC directory been hacked?