Wednesday, 4 March 2015

Rothn-Ron RMPD#7989 Ron Miller invoice

Rothn-Ron RMPD#7989 Ron Miller invoice malware....

Headers:
From: "Rothn-Ron" {ron@bellsouth.net}
Subject: RMPD#7989 - invoices
Message body:

invoice as an attachment
Ron Miller
a/k/a : Rotn-Ron
R.M. PRODUCE DISTRIBUTORS, INC.
Phone : 561-439-5569
Fax : 561-439-8991

Attached is a Zip file:
RMPD#7989 INVOICES.zip

Inside the Zip attachment is a Windows Executable:
RMPD#7989 INVOICES.exe

Sha256 Hash:
e73daa08ae82b4e5a9b7974a4dbfc3e46525258346d73963fed319cd79656ee5   [1]

Malware Information:

VirusTotal Report [1] (hits 8/56 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1] [Detailed Report]


Cheers,

Steve
Sanesecurity.com
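Added example (not part of the original post and not Sanesecurity's own tooling): a mail-gateway style check in Python that opens zip attachments, flags members with an executable extension or an MZ header, and compares each member's SHA-256 with the hash listed above. The function names, the extension list and the sample message are constructed for illustration.

```python
import hashlib, io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA-256 published in the post above for "RMPD#7989 INVOICES.exe".
KNOWN_BAD = {"e73daa08ae82b4e5a9b7974a4dbfc3e46525258346d73963fed319cd79656ee5"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumption: extensions a gateway blocks

def scan_message(raw, known_bad=KNOWN_BAD):
    """Return one finding per zip member that looks like a Windows executable."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.flag_bits & 0x1:  # skip dirs and encrypted members
                    continue
                body = zf.read(info)
                reasons = []
                if info.filename.lower().endswith(EXEC_EXT):
                    reasons.append("executable extension")
                if body[:2] == b"MZ":  # DOS/PE header magic
                    reasons.append("MZ header")
                digest = hashlib.sha256(body).hexdigest()
                if digest in known_bad:
                    reasons.append("known-bad hash")
                if reasons:
                    findings.append((part.get_filename(), info.filename, digest, reasons))
    return findings

def build_sample():
    """Constructed test message: harmless bytes that only start with 'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RMPD#7989 INVOICES.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"constructed benign member")
    msg = EmailMessage()
    msg["From"] = '"Rothn-Ron" <sender@example.invalid>'  # constructed address
    msg["Subject"] = "RMPD#7989 - invoices"
    msg.set_content("invoice as an attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RMPD#7989 INVOICES.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The constructed sample is flagged on extension and header only; the hash check fires only when a member's bytes match an entry in the blocklist.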

14 comments:

Anonymous said...

Just received the same from in two different email addresses. I.P. from Brazil so their mailbox was probably hacked.

Anonymous said...

Also just received the exact same email.

Anonymous said...

I also just received the same email from ron@bellsouth.net

The body of the email is as follows:
invoice as an attachment

Ron Miller
a/k/a : Rotn-Ron


R.M. PRODUCE DISTRIBUTORS, INC.
Phone : 561-439-5569
Fax : 561-439-8991

The person also attached a zip file claiming it was an invoice

Anonymous said...

I also just received the same email from ron@bellsouth.net

The body of the email is as follows:
invoice as an attachment

Ron Miller
a/k/a : Rotn-Ron


R.M. PRODUCE DISTRIBUTORS, INC.
Phone : 561-439-5569
Fax : 561-439-8991

The person also attached a zip file claiming it was an invoice

Anonymous said...

Received same in Ireland. Deleted.

Anonymous said...

I just received 2 of these letters. Both with invoices attached. Since my company has never had any dealings with a produce company, I didn't open the attachments.

Anonymous said...

I just received the same thing here in BC, Canada. I have NO idea who this is so I obviously do not open these. I found this post by googling the phone number in the e-mail.

rfa said...

Received same email 3/4/15

Anonymous said...

Just received this as well. Zip file contains an executable. Obviously don't run this.

Anonymous said...

spam.. here in So.Cal

Anonymous said...

Just received it in BC. Mailscanner caught it but I searched the email to ensure I wasn't deleting a real business email. Thanks for your comments. Deleted.

Anonymous said...

The same,

Kaspersky pure said "virus invoices.exe"
I didn't open the file...

Anonymous said...

A company I work for opened the attachment and it encrypted their whole network. I tried to use decryptcryptolocker, but it was unable to decrypt the files. We are restoring from backup.

Backup is far more important than working AV. Good luck

Anonymous said...

Thank you Steve for the confirmation that this is a scam. Received it at 10:20 3/4/15. I wish people would get a life!