Sponsored by..

Friday 11 March 2016

Malware spam: Your Amazon order #137-89653734-2688148 / AMAZON.COM [Mailer-daemon@amazon.com]

This fake Amazon spam comes with a malicious attachment:

From:    AMAZON.COM [Mailer-daemon@amazon.com]
Date:    11 March 2016 at 09:09
Subject:    Your Amazon order #137-89653734-2688148


Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details

Order #137-89653734-2688148 Placed on March 11, 2016

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon.

Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:


That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to: (Petersburg Internet Network, Russia) (FLP Kochenov Aleksej Vladislavovich, Ukraine)

There are probably other download locations and C2s, I will update this post if I find out what they are.


Some additional C2s from various sources: (PS Internet Company LLC. Kazakhstan) (Petersburg Internet Network, Russia) (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)

Some additional download locations for this and other locky spam runs today:


Recommended blocklist:

No comments: