A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called
PostalReceipt.zip
Date: Tue, 27 Nov 2012 13:04:37 -0400
From: "Office Mail" [no_replyFRL@cleveland.com]
Subject: ID (I)JI74 384 428 2295 7492
FedEx
Order: AX-7608-99659670234
Order Date: Sunday, 25 November 2012, 10:35 AM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
In this case the download site was
[donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com have been compromised in this attack.
VirusTotal detection rates are
very low. I don't currently have an analysis of the malicious payload.
Update: here is another variant, downloading from
[donotclick]brandandreputation.net/NOHDPQWPJJ.html (195.249.40.193, TeamInternet Denmark)
Date: Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From: "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject: Tracking Number (A)PSO79 089 360 1947 4933
FedEx
Order: MN-8474-09876452234
Order Date: Sunday, 24 November 2012, 11:36 AM
Dear Customer,
Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Detection rates are
pretty miserable for this one too. It looks like a Bredolab variant.
Update 2: another variant of the malware, this time downloading via
[donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is
not good.
Date: Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From: "Office Mail" [NoReply@baltimore.com]
Subject: Tracking Number (K)IR46 545 922 5276 0059
FedEx
Order: HD-5468-483254683
Order Date: Monday, 25 November 2012, 03:41 PM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 3: yet another variant.. the payload wasn't working on this one though.
Date: Fri, 30 Nov 2012 A.D. 07:57:38 -0400
From: "First-Class logistics" [NoReply.368@tucson.com]
Subject: Number (N)GDE82 422 446 0527 6243
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 4: this variant attempts to download
[donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results
here)
via
[donotclick]catercut.ie/KANHEPGVVM.html:
Date: Fri, 30 Nov 2012 A.D. 14:33:35 -0400
From: "UPS Mail" [NOreplyEAY@baltimore.com]
Subject: ID (P)NRB90 564 295 9947 6165
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 5: another spam run, same payload as last time (updated VirusTotal results
here). Link leads to
[donotreply]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at
[donotreply]drillsaw.com.au/Postal-Receipt.zip
Date: Fri, 30 Nov 2012 A.D. 22:47:44 -0700
From: "logistics UPS" [no.reply-UAC@losangeles.com]
Subject: Tracking Detail (L)OK73 487 973 8524 5206
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 6: yet another variant, this time downloading from
[donotclick]exodionline.com/job.php?php=receipt (VirusTotal results
here).
Date: Sun, 02 Dec 2012 A.D. 15:13:18 -0400
From: "UPS Receipt" [NOreply.815@irvine.com]
Subject: Tracking ID (T)SB58 793 555 5502 9056
FedEx
Order: RM-8723-2307345234
Order Date: Monday, 19 November 2012, 09:32 AM
Dear Customer,
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 7: this variant downloads from
[donotclick]www.850spider.de/TYKXVHIFQH.html (report
here):
Date: Sat, 01 Dec 2012 A.D. 19:50:18 -0500
From: "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject: Tracking Detail (K)HW33 625 799 6339 9731
FedEx
Order: RM-8723-2307345234
Order Date: Monday, 19 November 2012, 09:32 AM
Dear Customer,
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 8: this one attempts (and fails) to download the payload from
[donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.
Date: Tue, 04 Dec 2012 05:13:30 -0600
From: "U.P.S.Service" [no_replyQQW@tampa.com]
Subject: Tracking Number (X)SO21 772 224 4605 7903
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 9: another slightly different version, this one 404s:
Date: Wed, 05 Dec 2012 A.D. 06:52:19 -0400
From: "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject: ID (I)PFP44 818 840 9369 1257
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 10: another version, this downloads from
[donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt ,
VirusTotal results are patchy.
Date: Wed, 05 Dec 2012 13:21:13 -0400
From: "logistics UPS" [no.replyDD@cincinnati.com]
Subject: Tracking Number (O)UBF96 497 677 7945 1347
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are
pretty miserable.
Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333
Dowload sites:
[donotclick]www.andovar.de/LNYYNMZAMK.php?php=receipt
[donotclick]biggis-musiktruhe.de/PQRZPJPCBG.php?php=receipt
[donotclick]threesolution.org/OGIKYWHWNJ.php?php=receipt
[donotclick]s375670599.online.de/RTJQIUZQOJ.php?php=receipt
[donotclick]Joeyscafeok.com/PHLNPDFSRV.php?php=receipt
[donotclick]www.edibaer.at/CPDWHUDQDM.php?php=receipt
[donotclick]architetturapc.altervista.org/VOWORTEUWM.php?php=receipt
[donotclick]myinci.net/XIGTTUBPNV.php?php=receipt
Update 12: another version with a tweaked malicious binary:
Date: Fri, 07 Dec 2012 08:33:17 -0400
From: "UPS Receipt" [NOreply.IDH@riverside.com]
Subject: ID (D)RH64 621 035 9749 7042
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
In this case, the link goes to
[donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads
Postal-Receipt.zip containing
Postal-Receipt.exe. The VirusTotal results are
not good. Another version uses the subject
Number (A)CV88 683 994 7812 3447
Update 13: another couple of variants, the payload has morphed again and VirusTotal results are
predictably very poor.
Date: Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From: "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject: Tracking Detail (Y)VH30 307 516 2676 5647
FedEx
Order: SGH-3818-3779326179
Order Date: Monday, 2 December 2012, 12:32 AM
Dear Customer,
Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
====================
Date: Sat, 08 Dec 2012 14:11:29 -0700
From: "UPS Receipt" [NOreply.094@shreveport.com]
Subject: Number (X)UJ39 079 034 0694 8327
FedEx
Order: SGH-0987-4616781861
Order Date: Monday, 2 December 2012, 12:32 AM
Dear Customer,
Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283
Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt
Update 14: just in time for Christmas..
Date: Tue, 25 Dec 2012 00:07:07 +0200
From: "Office 852" [mu-852@orlando.com]
Subject: Tracking Detail (193)92-193-193-9477-9477
FedEx
Order: VGH-4658-1148074435
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
The binary has changed again,
detection rates are patchy. Anubis
reports that the malware calls home to
74.80.220.148:60000 which would make it a
Zbot variant.
Update 15: this one loads via
[donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt , VitusTotal detection rates
are just 7/46.
From: Express Mail Service [user-989@louisville.com]
date: 26 December 2012 10:46
subject: Tracking ID (580)53-580-580-3103-3103
FedEx
Order: VGH-2024-9642451224
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
Update 16: just in time for New Year's day, this one loads via
[donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again
patchy.
Date: Sun, 06 Jan 2013 A.D. 05:11:30 -0500
From: "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To: [redacted]
Subject: Tracking Number (I)FG03 107 566 0859 2689
FedEx
Order: HJF-8295-96674032
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 19:25:48 -0400
From: "Worldwide Express Mail" <support.800@portland.com>
To: [redacted]
Subject: Number (M)EG25 627 586 0611 4432
*+++
FedEx
Order: HJF-9667-27583280
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From: "First-Class Mail Postal Service" <support.813@baltimore.com>
To: [redacted]
Subject: Number (V)TGS29 427 081 6880 9243
FedEx
Order: HJF-3918-81582364
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 09:05:00 -0400
From: "First-Class Mail Service" <DTU.160@baltimore.com>
To: [redacted]
Subject: Tracking Detail (S)JYD60 835 496 0448 5921
FedEx
Order: HJF-8882-94725648
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Example download sites:
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt
Note the these URLs seem to be hardened against analysis, if you can't access them check your user agent and referrer strings.
Update 17: and more, this time with the following details:
Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460
Order: HJF-4121-39707012
Order: HJF-2424-11089225
[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt
Update 18: another spam run, detection rates are
a bit better for this one:
Date: Wed, 09 Jan 2013 06:35:16 +0200
From: "Shipping Service" [IAL_792@chesapeake.com]
Subject: Tracking Detail (V)QT48 601 848 0556 8882
FedEx
Order: JN-3254-98757378
Order Date: Thursday, 3 January 2013, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
� FedEx 1995-2012
Variants:
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591
Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt
Update 19: another spam run with the following characteristics:
Subject: Tracking Number (E)KA09 359 952 5829 0864
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report
Update 20: another one, this time downloading from
[donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783
Date: Sun, 27 Jan 2013 13:09:22 +0100
From: "Priority Mail Postal Service" [clients-669@columbus.com]
Subject: Number (L)BVT74 159 159 2182 2182
Fed Ex
Order: HCD-7626-14749451
Order Date: Thursday, 17 January 2013, 11:10 AM
Dear Customer,
Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
FedEx 1995-2012
Detection rates are patchy
according to VirusTotal. The ThreatExpert report is
here.
Update 21: another sample, this time from
[donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are
16/46.
Date: Tue, 05 Feb 2013 19:20:36 -0400
From: "Manager David Riddle" [manager@tampa.us]
Subject: Order Detail
FedEx
Tracking ID: 4013-85911016
Date: Monday, 28 January 2013, 09:22 AM
Dear Client,
Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 22: this one downloads from
[donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at
12/46.
Date: Wed, 06 Feb 2013 18:29:28 -0400
From: "Manager William Burt" [service@greensboro.us]
Subject: Shipping Info
FedEx
Tracking ID: 5739-64600336
Date: Monday, 28 January 2013, 09:22 AM
Dear Client,
Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:
46.4.178.174
66.84.10.68
66.232.145.174
77.79.81.166
80.90.198.43
81.93.248.152
84.38.159.166
85.186.22.146
85.214.50.161
89.19.20.202
94.101.86.146
173.255.203.178
190.111.176.13
202.153.132.24
202.169.224.202
217.11.63.194
Update 23: this variant downloads from
[donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of
16/46:
From: Manager Jayden Dickson [support@santaana.us]
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx
7475-42208096 Monday, 4 January 2013, 08:24 AM
Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 24: downloading from
[donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just
10/46.
Date: Mon, 11 Feb 2013 A.D. 13:35:56 -0500
From: "Manager Daniel Acevedo" [manager@lexington.us]
Subject: Order Information
FedEx
Tracking ID: 2803-20131928
Date: Monday, 4 January 2013, 09:42 AM
Dear Client,
Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 25: downloading from
[donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just
7/44.
Date: Wed, 13 Feb 2013 A.D. 16:28:00 -0400
From: "Manager William Burt" [client@wichita.us]
Subject: Shipping Service
FedEx
Tracking ID: 2890-49318193
Date: Monday, 4 January 2013, 09:42 AM
Dear Client,
Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 26: downloading from
[donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just
5/46.
Date: Fri, 15 Feb 2013 10:44:44 -0400
From: "Manager Jayden Soto" [manager@norfolk.us]
Subject: Shipping Info
FedEx
Tracking ID: 4374-23102840
Date: Monday, 11 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to Anubis, the malware attempts to call home to the following IPs:
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178
Update 27: downloading from[donotclick]/phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.
Date: Wed, 20 Feb 2013 10:00:38 -0400
From: "Manager Mason Marsh" [service@anaheim.us]
Subject: Order Shipped
FedEx
Tracking ID: 9702-66479247
Date: Monday, 11 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to Anubis, this malware tries to call home to:
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32
Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.
Date: Wed, 13 Mar 2013 05:54:18 -0700
From: "Manager Liam Ortega" [support@lincoln.us]
Subject: Tracking Information
FedEx
Tracking ID: 6673-95490112
Date: Monday, 4 March 2013, 10:22 AM
Dear Client,
Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to Anubis, the malware calls home to:
87.106.51.52:8080
91.121.156.162:8080
80.67.6.226:8080
93.125.30.232:8080
174.120.225.57:8080
91.121.28.146:8080
193.23.226.15:8080
