Tuesday, 31 March 2015

alwayscareer.com job scam

alwayscareer.com job scam is trying to give you a fake job....

Message Headers:
Subject: Career
Subject: Employment
Subject: New position for you
Subject: Start you career with us!

Message Body: 
Do you want to earn extra money?

Internet Manager is needed [Part-Time/Flexible Schedule]

Main Responsibilities:
- Data analysis
- Inspect and forward mail
- Keep records

Skills:
- Basis of internet surfing
- Ability to perform simple math calculations
- Basic knowledge of MS Office

Simply visit our site: www.alwayscareer.com
and leave your E-mail

We will get back to you soon as possible!
Website looks like this (screenshot not reproduced here):

Whois information for the domain:
Domain Name: ALWAYSCAREER.COM
Registrar: BIZCN.COM, INC.
Sponsoring Registrar IANA ID: 471
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.HOSTWOMEN.NET
Name Server: NS2.HOSTWOMEN.NET
Updated Date: 31-mar-2015
Creation Date: 31-mar-2015
Expiration Date: 31-mar-2016

Domain name: alwayscareer.com
Registry Domain ID: 1915205499_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2015-03-31T10:58:38Z
Creation Date: 2015-03-31T10:58:56Z
Registrar Registration Expiration Date: 2016-03-31T10:58:56Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Reseller: Cnobin Technology HK Limited
Registry Registrant ID: 
Registrant Name: Carmen Moore
Registrant Organization: Carmen D. Moore
Registrant Street: 496 Sugar Camp Road
Registrant City: Dodge Center
Registrant State/Province: MN
Registrant Postal Code: 55927
Registrant Country: us
Registrant Phone: +1.5076330172
Registrant Phone Ext: 
Registrant Fax: +1.5076330172
Registrant Fax Ext: 
Registrant Email: info@alwayscareer.com
Registry Admin ID:

Cheers,
Steve
Sanesecurity.com

Aomame Insurance Team Policy No: user

Aomame Insurance Team Policy No: user email with a zip attachment...

Headers:
From: user {office@aomame.com}
Subject: Policy No: n7CRtsuf
Message body:
 Dear Mrs.

Please find attached a communication in respect of policy n7CRtsuf from
Aomame. Please do not reply to this email, as the mailbox is unattended

Kind regards

Your Aomame Insurance Team

There's a Zip file attached to the email:
g6GjD8EyZ.zip

Inside the Zip file is a Windows Executable file:
Reference.exe
Sha256 Hashes:
02eed15f6426ccf31d0aa3fdceb474bed6d01be349a33fa4eb426ea3206c90fd  [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 2/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

CollectPlus :: Your returns label info@collectplus.co.uk

CollectPlus :: Your returns label info@collectplus.co.uk email with a zip attachment...

Headers:
From: info {info@collectplus.co.uk}
Subject: CollectPlus :: Your returns label
Message body:
        Thank you for your order

Simply attach the label securely to your parcel and drop it off at any
shop offering CollectPlus services. The shopkeeper will scan your parcel
and you will be given a receipt as proof of postage, including a
tracking code to follow your parcels to their destination.

 Kind regards,

THE COLLECTPLUS TEAM

         If you have a complaint about our service you can contact us by email
at info@collectplus.co.uk or by writing to us at the address below.

 REGISTERED ADDRESS: (PLEASE DO NOT SEND YOUR PARCELS TO THIS ADDRESS)
 CollectPlus (Drop & Collect Ltd.), Victoria House, 49 Clarendon Road,
Watford, Hertfordshire, WD17 1HP
REGISTERED NUMBER: 06593233
VAT NUMBER: 946830691
TEL: 01923 601616

 Please note that CollectPlus provides a service for the transport of
goods with a specified timeframe for delivery, therefore customers do
not have a right to cancel the Order under the Consumer Contracts
(Information, Cancellation and Additional Payments) Regulations 2013
(Regulation 28(1)(h)). This does not affect your right to cancel a label
in accordance with the instructionsabove.

There's a Zip file attached to the email:
g6GjD8EyZ.zip

Inside the Zip file is a Windows Executable file:
Reference.exe
Sha256 Hashes:
bd92cf075a76d9ff085b8d3b408b12910890c223a80919775b8ba3d6a21f3a48 [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 5/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

Debit Note [ ] information attached to this email

Debit Note [99896] information attached to this email: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
Subject: Debit Note [99896] information attached to this email
From: Elvia Evans
Message Body:
N/A

Attachment:
09185035.doc
Sha256 Hashes:
Virus Scanner Reports:
N/A

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Be Wiser Insurance sales@bewiser.co.uk Your Quotation

Be Wiser Insurance sales@bewiser.co.uk Your Quotation email with a zip attachment...

Headers:
From: Office {sales@bewiser.co.uk}
Subject: BR:Hq32h - Your Quotation

Message body:
Dear Mrs, 

YOUR REFERENCE: BR:Hq32h 

 Thank you for your enquiry.

 We are pleased to confirm your quotation as attached.

 Please contact us on 0800 0111742 to start cover.

 Yours sincerely,

QUOTE WISER 
TEL: 0800 0111742 

OFFICE OPENING HOURS:

 Monday to Friday: 9:00AM   TO 9:00PM
 Saturday: 9:00AM   TO 6:00PM
 Sunday: 10:00AM   TO 4:00PM

Be Wiser Insurance is a trading name of Be Wiser Insurance Services Ltd.
Registered in England No. 6097813 Registered Office: Barrett House,
Savoy Close, Andover, Hampshire SP10 2HZ Authorised and Regulated by the
Financial Conduct Authority 

There's a Zip file attached to the email:
BR:Hq32h.zip

Inside the Zip file is a Windows Executable file:
Reference.exe
Sha256 Hashes:
e9f70dc57429e9af040890c2839f0e3c318432c6c9fd8c41d9277a64f19f4127

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 3/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

Your Latest Documents from RS Components

Your Latest Documents from RS Components: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
From: Fredrick Taylor {Alberta.ef@airtelbroadband.in}
Subject: 92759-Your Latest Documents from RS Components 745154479
Message Body:
Dear Customer,

Please find attached your latest document(s) from RS.

Account Number  Date  Invoice Number  Document Total  Document Type
69872148 31-Mar-2015  745154479 £3183.51   Invoice

For all account queries please contact RS Customer Account Services.

Tel: 01536 505232
Fax: 01536 645523
Email: rpdf.billing@airtelbroadband.in (subject box to read DOC eBilling)

If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:

Tel: 0333 5871425
Email: customers@airtelbroadband.in

Kind regards,
RS Customer Account Services.

This service is provided by Swiss Post Solutions on behalf of RS Components.

 Attachment:
G-A9625172178791500016138-1.doc
Sha256 Hashes:
b8c12120fc8298f3cf9e637ddd73eca9e0f88f516cae7f00d9ce13360d625988 [1]
0c6ce8e5aebb40a22a771a9f9be2aab686260e5e00aa8a482b4306bf6b443603 [2]
01f30887a828344f6cf574bb05bd0bf571fc35979a3032377b95fb0d692b8061 [3]
0c6ce8e5aebb40a22a771a9f9be2aab686260e5e00aa8a482b4306bf6b443603 [4]
b8c12120fc8298f3cf9e637ddd73eca9e0f88f516cae7f00d9ce13360d625988 [5]
01c7034df81d80a0112c29e8fdde2d9949017c8ac24c0979cee5fe167b65af1c [6]
Malware Virus Scanner Reports:
VirusTotal Report: [2] (Detection 0/57)
VirusTotal Report: [3] (Detection 0/57)
VirusTotal Report: [4] (Detection 0/57)
VirusTotal Report: [5] (Detection 0/57)
VirusTotal Report: [6] (Detection 0/57)

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

FW: Passport copy salim@humdsolicitors passport.doc

FW: Passport copy salim@humdsolicitors.co.uk passport.doc: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
From: {salim@humdsolicitors.co.uk}
Subject: FW: Passport copy
Message Body:
From: Raad Ali [mailto:raaduk@hotmail.com]
Sent: 26 March 2015 08:03
To: salim
Subject: Passport copy

Salam Salim,

Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.


  Salam

Raad Ali

 Attachment:
passport.doc
Sha256 Hashes:
323858d729f1b817e46ba5611dcc3db4f75ab5aff755816ac0f3377fe00ad205 [1]
b9ea8919f08be5d36bc1f01f2483fcfc51c31ce43f1267ca647b4c79977ccfdb [2]
4ae569a4db5d00c47a5154741eb2d14c91377d4838b89db9c9a1fb2fdcfdf137 [3]
6f526a77f0e405ae2b82baad2eddcd20ff9fc69fe0b8c2cb125e67453952d8fc [4]
978632b2fdf4f7e360cc797538b69ca066f75369afeef1796dabdadcf71ff1cb [5]
2ab3c31a5aa9bedf3c8dacde246b29cbb506e5b5b65dc175b364e9cdb15e43b4 [6]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 5/57)
VirusTotal Report: [2] (Detection Ratio: 5/57)
VirusTotal Report: [3] (Detection Ratio: 5/57)
VirusTotal Report: [4] (Detection Ratio: 5/57)
VirusTotal Report: [5] (Detection Ratio: 5/57)
VirusTotal Report: [6] (Detection Ratio: 5/57)

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

CIT Inv# 15013919 for PO# SP1438 Circor

CIT Inv# 15013919 for PO# SP1438 Circor: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
From: "Circor" {DONOTREPLY_JDE@CIRCOR.COM}
Subject: CIT Inv# 15013919 for PO# SP14384
Message Body:
Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.


______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

 Attachment:
FOPRT01.DOC
Sha256 Hashes:
dad4b38390ac36664f0a02cb62ded900c0895c0d7c3943e7c75ac283cce0bfe2 [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 5/57)

Malwr Report: [1]
Hybrid Analysis Report: [1]

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Your PO: SP14619 sales@alicorp.com

Your PO: SP14619 sales@alicorp.com: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
From: sales@alicorp.com (Sam S.)
Subject: Your PO: SP14619
Message Body:
Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team

 Attachment:
APIPO1.doc
Sha256 Hashes:
323858d729f1b817e46ba5611dcc3db4f75ab5aff755816ac0f3377fe00ad205 [1]
b9ea8919f08be5d36bc1f01f2483fcfc51c31ce43f1267ca647b4c79977ccfdb [2]
4ae569a4db5d00c47a5154741eb2d14c91377d4838b89db9c9a1fb2fdcfdf137 [3]
6f526a77f0e405ae2b82baad2eddcd20ff9fc69fe0b8c2cb125e67453952d8fc [4]
978632b2fdf4f7e360cc797538b69ca066f75369afeef1796dabdadcf71ff1cb [5]
2ab3c31a5aa9bedf3c8dacde246b29cbb506e5b5b65dc175b364e9cdb15e43b4 [6]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 5/57)
VirusTotal Report: [2] (Detection Ratio: 5/57)
VirusTotal Report: [3] (Detection Ratio: 5/57)
VirusTotal Report: [4] (Detection Ratio: 5/57)
VirusTotal Report: [5] (Detection Ratio: 5/57)
VirusTotal Report: [6] (Detection Ratio: 5/57)


Malwr Report: [1]
Hybrid Analysis Report: [1]

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Saleem Nadapuram INVOICE

Saleem Nadapuram INVOICE email with an Ace attachment...

Headers:
Subject: Fwd: INVOICE
From: Saleem Nadapuram {nadapurams@gmail.com}
Message body:
Good Day Sir

Please find attach copy of invoice we receive from you, and reconfirm
to us before we proceed with the payment

Best Regards
Mr.Saleem

There's a Ace file attached to the email:
INVOICE...ace

What on earth is Ace? Here comes a bit of retro....
ACE is a proprietary data-compression archive format developed by Marcel Lemke. It was very popular around 1999–2001, when it offered slightly better compression than RAR. So it's certainly a blast from the past!

Inside the Ace file is a Windows Executable file:
INVOICE..exex
Sha256 Hash:
5f20238b7d7684b10df695ae3ee56dd1e656e692fcdda30255c218f81d7bda39  [1]

Malware Anti-Virus Reports:
VirusTotal Report [1] (hits 26/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

Global Payments Inc payment & invoice list globlpays@hotmail.com

Global Payments Inc globlpays@hotmail.com payment & invoice list: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
From: "Global Payments Inc"{globlpays@hotmail.com}
Subject: Balance Payment
Message Body:
Dear Sir/Madam,

Attached is a payment order at the request of our customer.
The payment instructions came from our branch in Europe, please
review this payment order and reconfirm before we permit this transfer
Kindly forward to the appropriate person to oversee this order properly.

Thank you,
Yours faithfully,
Global Payments and International Transfers
Barclays Bank
0800 197 1150 - Lines are open Monday-Friday 8am-10pm

 Attachment:
payment & invoice list.doc
Sha256 Hashes:
ac38422d2ce0f51f6c102d912978d2eaafc7cf163b97aeed83030bd4b556486d [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 13/57)
Malwr Report: [1]
Hybrid Analysis Report: [1]

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Monday, 30 March 2015

Quotation energy-solutions Mark Kemsley

Quotation energy-solutions Mark Kemsley email with a zip attachment...

Headers:
From: Mark Kemsley {mark.kemsley@energy-solutions.co.uk}
Subject: Quotation :CcPNkt
Message body:
Further to our conversation earlier, please find attached quotation :CcPNkt, 
data sheet included.

There's a Zip file attached to the email:
:CcPNkt.zip

Inside the Zip file is a Windows Executable file:
Quotation.exe
Sha256 Hash:
1a56353bf1cb73db3a72832f8f8255f500f4a41bbab18203d7e37f349eed789f  [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 51/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

New Order Inquiry Apagrip Ltd A. A. Snowden

New Order Inquiry Apagrip Ltd A. A. Snowden malware....


Headers: (example)
Subject: New Order Inquiry
From: "A Snowden" {info@sosads22.com}
Message body (example)
Dear Sir
Please see if your company will be able to supply the following products as attached within the specified time limit. If you can meet up with the supply kindly send us your quote as attached.
We will require all quote to be in US dollars.
We are waiting for your reply as soon as you can and do not forget to include the following:
1). The payment Terms
2). CIF
3). Possible delivery time

Sincerely,
A. A. Snowden
Apagrip Ltd
The Download/View links in the message body, if clicked, download a Windows Executable file:
h t t p://pinetrades.com/PO-100729.exe

Sha256 Hashes:
1ea560ea6d7b723313419c77f1c46fb727d371c78157a71459b6a3f04ffb2902    [1]
Malware Information:

VirusTotal Report [1] (hits 4/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

Hola my photo my_new_photo_ zip Jessica

Hola my photo my_new_photo_ zip Jessica malware....


Headers: (example)
From: "Jessica" {valise6@carscover.com}
Subject: Hola my photo
Message body (example)
hola my new photo , send u photo
Attached to the email is a Zip file:
my_new_photo_382472389.zip

Inside the zip, is Windows executable:
my_new_photo_382472389.exe
Sha256 Hashes:
e360635ceb7a5e6048d838c3e649949791fe806813865f89b837304322a65dcb   [1]
Malware Information:

VirusTotal Report [1] (hits 2/57 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

Vistaprint VAT Invoice VistaPrint-cc email

Vistaprint VAT Invoice email with a zip attachment...

Headers:
From: Vistaprint {VistaPrint-cc@vistaprint.com}
Subject: Vistaprint VAT Invoice (330142496)

Message body:
Invoice Number: 330142496
Invoice Date: 3/30/2015
Delivery Date: 3/30/2015
The Netherlands Payment Date: 3/20/2015
Order Number: nLhs-tNyCT-qMW

There's a Zip file attached to the email:
6Lx7Uuuyr.zip

Inside the Zip file is a Windows Executable file:
 Invoice_1.exe
Sha256 Hashes (one example)
733dbcc33cd08ac2ff6355df4e2886729a30bbfb9d857beb3c190183d833948b   [1]
Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 1/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

Devaki(Manager of Importation)Ras Trading Co (Libya)


Devaki(Manager of Importation)Ras Trading Co (Libya) email with a New_Order_PO3482045_pdf.jar attachment...

Headers:
From: "IMPORT" {devaki.trg@ushafire.in}
Message body:
Greetings!

Kindly Find attached our final Purchase order for March 2015, 

Please send us invoice. We Plead you to give us discount with your
best price.

I await the invoice asap.

       
Best Regards

  
Devaki(Manager of Importation)Ras Trading Co  (Libya):Algeria St. ,
near Kick off ShopsGaryunis Area, Benghazi, Libya

There's a Jar file attached to the email:
New_Order_PO3482045_pdf.jar

Inside the Jar file is a Windows Executable file (Note the dual extension trick):
New Order PO3482045,pdf.exe
Sha256 Hashes (one example)
6a9f2769769bd32c6f31b6ac45c7d8a6decd6263692bb21418f80f494a69e8e0  [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 10/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

podanie ant@o2.pl podanie do DZ kor.zip

podanie ant@o2.pl  podanie do DZ kor.zip incoming malware

Headers:
From: ant@o2.pl
Subject: podanie
Message body:
Z poważaniem (Polish: "Yours sincerely")


There's a Zip file attached to the email:
podanie do DZ kor.zip

Inside the Zip file is a Windows Executable file (Note: the double extension trick):
podanie do SV kor.docx.exe
Sha256 Hashes:
8b56996697f4627101b858067690eef4dcd6eaef9743c23bc67edf06618c31a1   [1]
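The "double extension trick" called out in this post and in the New_Order_PO3482045_pdf.jar post above (where a jar, itself just a zip, carried "New Order PO3482045,pdf.exe") is easy to catch at a mail gateway before the archive ever reaches a user. The following is an added example, not code from this blog or from Sanesecurity's signatures: it opens a zip in memory with Python's standard zipfile module, classifies each member name, and reports executables and decoy document extensions. The member names are taken from the posts on this page; the archive itself and its placeholder contents are constructed here, and the extension lists and the comma-for-dot rule are my own choices.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click. .jar is included because the
# New_Order_PO3482045_pdf.jar lure shows a jar (itself a zip) used as the carrier.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".jar"}
# Document-looking extensions that the double-extension trick borrows for the decoy part.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def classify_member(name):
    """Return the reasons an archive member name looks like a lure ([] if it looks benign)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()      # drop any directory prefix
    stem, dot, ext = base.rpartition(".")
    ext = "." + ext if dot else ""
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension " + ext)
    # "podanie do SV kor.docx.exe": a document extension immediately before the real one.
    inner = stem.rpartition(".")[2]
    if inner != stem and inner in DECOY_EXTS:
        reasons.append("decoy extension ." + inner + " before " + ext)
    # "New Order PO3482045,pdf.exe": the same trick with a comma standing in for the dot.
    elif stem.rpartition(",")[2] != stem and stem.rpartition(",")[2] in DECOY_EXTS:
        reasons.append("decoy extension after comma before " + ext)
    return reasons


def scan_zip(data):
    """Scan zip bytes; return {member name: reasons} for every member that looks suspicious."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


# Constructed sample: member names taken from the posts on this page, but the contents
# are placeholder text, not the real executables.
SAMPLE_MEMBERS = [
    "New Order PO3482045,pdf.exe",
    "podanie do SV kor.docx.exe",
    "Copy_3400.scr",
    "report_77076291400.scr",
    "Quotation.exe",
    "genuine_invoice.pdf",
]


def build_sample_zip(names=SAMPLE_MEMBERS):
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder bytes, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

The name check runs on the central directory only, so it costs nothing to apply to every inbound archive; it is a first filter, not a verdict, and the benign "genuine_invoice.pdf" member passes through untouched. A gateway that also inspects member bytes (for example the MZ header of a PE file) will catch renamed executables that this name-only pass misses.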

Malware Information:

VirusTotal Report [1] (hits 1/56 Virus Scanners)

Malwr Report [1]

Hybrid Analysis Report [1]

Cheers,

Steve
Sanesecurity.com

digitalstrade.com job scam

digitalstrade.com job scam is trying to give you a fake job....

Message Headers:
Subject: Career
Subject: Employment
Subject: New position for you
Subject: Start you career with us!

Message Body: 
Do you want to earn extra money?

Internet Manager is needed [Part-Time/Flexible Schedule]

Main Responsibilities:
- Data analysis
- Inspect and forward mail
- Keep records

Skills:
- Basis of internet surfing
- Ability to perform simple math calculations
- Basic knowledge of MS Office

Simply visit our site: www.digitalstrade.com
and leave your E-mail.

We will get back to you soon as possible!
Website looks like this (screenshot not reproduced here):

Whois information for the domain:
Domain Name: DIGITALSTRADE.COM
Registrar: BIZCN.COM, INC.
Sponsoring Registrar IANA ID: 471
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.HOSTWOMEN.NET
Name Server: NS2.HOSTWOMEN.NET
Updated Date: 27-mar-2015
Creation Date: 27-mar-2015
Expiration Date: 27-mar-2016

Domain name: digitalstrade.com
Registry Domain ID: 1913754435_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2015-03-27T07:54:08Z
Creation Date: 2015-03-27T07:54:09Z
Registrar Registration Expiration Date: 2016-03-27T07:54:09Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Reseller: Cnobin Technology HK Limited
Registry Registrant ID: 
Registrant Name: Billy Callahan
Registrant Organization: Billy C. Callahan
Registrant Street: 3808 Quincy Street
Registrant City: Fort Washington
Registrant State/Province: PA
Registrant Postal Code: 19034
Registrant Country: us
Registrant Phone: +1.2674872380
Registrant Phone Ext: 
Registrant Fax: +1.2674872380
Registrant Fax Ext: 
Registrant Email: info@digitalstrade.com
Registry Admin ID:

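Both job-scam posts on this page (alwayscareer.com above and digitalstrade.com here) share one tell in their whois records: the domain was registered the same week, or the same day, that the recruitment mail went out. Domain age is cheap to check automatically. The following is an added example, not code from this blog: it pulls the Creation Date out of pasted whois text in both formats that appear above (the registrar's ISO 8601 timestamp and the registry's dd-mon-yyyy form), computes the age relative to the time the message was seen, and flags anything younger than a threshold. The whois excerpts are copied from the two posts; the 30-day threshold and the "seen on" timestamps are my own assumptions.

```python
import re
from datetime import datetime, timezone

# Whois output as pasted in the two job-scam posts on this page (dated fields only).
WHOIS_ALWAYSCAREER = """\
Domain name: alwayscareer.com
Registrar WHOIS Server: whois.bizcn.com
Updated Date: 2015-03-31T10:58:38Z
Creation Date: 2015-03-31T10:58:56Z
Registrar Registration Expiration Date: 2016-03-31T10:58:56Z
"""

WHOIS_DIGITALSTRADE = """\
Domain Name: DIGITALSTRADE.COM
Registrar: BIZCN.COM, INC.
Updated Date: 27-mar-2015
Creation Date: 27-mar-2015
Expiration Date: 27-mar-2016
"""

# Constructed: a record with no creation date at all, as some thin whois servers return.
WHOIS_NO_DATE = "Domain Name: EXAMPLE.TEST\nRegistrar: (none)\n"

# Assumed observation times: the post dates on this page, at midday UTC.
SEEN_ON_31_MARCH = datetime(2015, 3, 31, 12, 0, tzinfo=timezone.utc)
SEEN_ON_30_MARCH = datetime(2015, 3, 30, 12, 0, tzinfo=timezone.utc)

# Both date styles seen in the pasted whois: ISO 8601 from the registrar, dd-mon-yyyy from the registry.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y")


def parse_whois_date(value):
    """Parse a whois date string in either format; the result is timezone-aware (UTC)."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised whois date: %r" % value)


def creation_date(whois_text):
    """Return the Creation Date from a whois record, or None if the record has none."""
    m = re.search(r"^\s*Creation Date:\s*(\S.*?)\s*$", whois_text, re.MULTILINE | re.IGNORECASE)
    return parse_whois_date(m.group(1)) if m else None


def domain_age_days(whois_text, seen_on):
    """Whole days between registration and the moment the message was seen (None if unknown)."""
    created = creation_date(whois_text)
    return None if created is None else (seen_on - created).days


def is_freshly_registered(whois_text, seen_on, max_age_days=30):
    """True when the domain was registered within max_age_days of the message.

    An unknown age is not flagged here; a stricter policy could treat "no creation date"
    as suspicious in its own right.
    """
    age = domain_age_days(whois_text, seen_on)
    return age is not None and age <= max_age_days


if __name__ == "__main__":
    for record, seen in ((WHOIS_ALWAYSCAREER, SEEN_ON_31_MARCH), (WHOIS_DIGITALSTRADE, SEEN_ON_30_MARCH)):
        print(record.splitlines()[0], "| age:", domain_age_days(record, seen),
              "days | fresh:", is_freshly_registered(record, seen))
```

Both scam domains come out at 0 and 3 days old respectively. Registration age on its own is not proof of fraud (legitimate businesses register domains too), but a days-old domain combined with a mass recruitment mail, a privacy-free registrant block and a shared name-server pair like NS1/NS2.HOSTWOMEN.NET is exactly the pattern the two posts document.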
Cheers,
Steve
Sanesecurity.com

Friday, 27 March 2015

MSBA 27th, 2015 NVDB@nasa.gov

MSBA 27th, 2015 NVDB@nasa.gov email.invoice email with a zip attachment...

Headers:
From: MSBA {NVDB@nasa.gov}
Subject: MSBA 27th, 2015

Message body:
Good Afternoon.

MSFC has posted the upcoming MSBA 27th event on NAIS and
Fed Biz Ops (Solicitation No.: SB-26790).

NAIS Posting:
Please click on
Mod. 1 Posting.

Attached is the MSBA Agenda.

Please join us for this event!

There's a Zip file attached to the email:
SXKPfUE:.zip

Inside the Zip file is a Windows Executable file:
MSFC.exe
Sha256 Hashes (one example)
84d24b6827f8f539fccab694c80966936317d576d26256ecd91524ea9dbae8c1  [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 3/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

UK Fuels ebill for ISO Week 201512 22328_201512.doc

UK Fuels ebill for ISO Week 201512 22328_201512.doc: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
From: {invoices@ebillinvoice.com}
Subject: UK Fuels ebill for ISO Week 201512
Message Body:
Customer No : 22328
Email address :
Attached file name : 22328_201512.doc

Dear Customer

Please find attached your UK Fuels invoice for ISO Week 201512.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com. Alternatively you can log on to your account at www.velocitycardmanagement.com to review your transactions and manage your account online.

Yours sincerely

Customer Services
UK Fuels Limited

 Attachment:
22328_201512.doc
Sha256 Hashes:
a934018b9b6ff900b391d18b4e9432b1d1322f6ca3bf08ca152472cc144560db [1]
b4319a6f2bc4b60783e83a169b73a3705aabbe6ac70320bb554cd2da4528d243 [2]
c6044a0cb8c2d1f8555939864d6e4008edf7ef81de34e94156d9529a3788127f  [3]
98996970e7a80c7d049a06205a026ccbbb3b42fa5c365a7b46df651846b41c32 [4]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 2/57)
VirusTotal Report: [2] (Detection Ratio: 2/57)
VirusTotal Report: [3] (Detection Ratio: 2/57)
VirusTotal Report: [4] (Detection Ratio: 2/57)

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

Avance Grupo PRICE QUOTATION Esteban Trujillo

Avance Grupo PRICE QUOTATION Esteban Trujillo email with an attached gzip file.

Headers:
From: "Esteban Trujillo " {info@avance.co}
Subject: PRICE QUOTATION
Message body:
ATT:

FROM: Avance Grupo Empresarial
DATE: 26 /03 / 2015

Please check the attachment  for our new order with product
specifications
and send me your offer with reasonable PRICE QUOTATION,
Hope to establish a long term relationship with your company.

We expecting your competitive prices.

Thank you and best regards.

Esteban Trujillo Monsalve
Director Comercial
Avance Grupo Empresarial
C + 57 3206900079
T + 574 4440659
www.avance.co

There's a GZip file attached to the email:
PO_3400.gz

Inside the GZip file is a Windows Executable:
Copy_3400.scr
Sha256 Hashes:
cdc653b9624153b2c06bedb35db31754a2ebeac380d83b4af5e5781015c6528d   [1]

Malware Anti-Virus Reports:
VirusTotal Report [1] (hits 5/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

Thursday, 26 March 2015

Package Delivery Notification UPS Quantum View

Package Delivery Notification UPS Quantum View: emails with an attached Word document containing a macro.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header::
Subject: Package Delivery Notification #  HHXGBXE838HHXGBXE481
From:
Message Body:
Package invoice delivery confirmation for HHXGBXE838HHXGBXE481

The shipping invoice can also be downloaded from:
https://wwwapps.ups.com/WebTracking/track?loc=en_cbviewreceipt;jsessionid=HHXGBXE838HHXGBXE481;tracking=A9D

*** This is an automatically generated email send toxxxxx@xxxxxx , please do not reply ***

 Attachment:
InvoiceID-FGE0AL85ISY0QMQCN8.doc
Sha256 Hashes:
e5164607ffbb6205024d5ab70d90e5ed4c45ecde35b1e1d89a0832e0cb8eddc0 [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection Ratio: 4/57)

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
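The macro-document posts on this page (Debit Note, RS Components, Passport copy, Circor, alicorp, Global Payments, UK Fuels and this UPS one) all hinge on one fact from the NOTE above: the .doc lure carries a VBA project, and detection ratios of 0/57 to 5/57 mean signature scanners alone will not hold it. A gateway can still apply a structural check before any scanner runs. The following is an added example, not code from this blog or Sanesecurity: a byte-level triage that confirms an attachment really is an OLE2 compound file and then looks for the UTF-16LE storage names that a VBA project leaves in the OLE directory. The sample attachments are constructed stand-ins (a genuine OLE header followed by padding and those names), not the real .doc files from the posts; the lure filename 09185035.doc is taken from the Debit Note post, and the quarantine policy is my own.

```python
# Header every legacy .doc/.xls (OLE2 compound file) starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory-entry names that appear in a compound file carrying a VBA project. The OLE2
# directory stores names as UTF-16LE, so the search uses that encoding, not ASCII.
VBA_STORAGE_NAMES = ("Macros", "_VBA_PROJECT", "ThisDocument")
VBA_MARKERS = {name: name.encode("utf-16-le") for name in VBA_STORAGE_NAMES}

LEGACY_OFFICE_EXTS = (".doc", ".xls")


def triage_office_attachment(filename, data):
    """Return (verdict, reasons) for a mail attachment.

    verdicts: "not-ole"      - not a legacy Office container at all
              "ole-no-macro" - OLE2 file with no VBA storage names
              "macro-doc"    - OLE2 file that carries a VBA project
    This is a triage heuristic: it says the file carries macros, not that they are malicious.
    """
    reasons = []
    if not data.startswith(OLE_MAGIC):
        if filename.lower().endswith(LEGACY_OFFICE_EXTS):
            reasons.append("extension claims a legacy Office file but the bytes are not OLE2")
        return "not-ole", reasons
    found = [name for name, marker in VBA_MARKERS.items() if marker in data]
    if found:
        reasons.append("VBA storage names present: " + ", ".join(found))
        return "macro-doc", reasons
    return "ole-no-macro", reasons


def should_quarantine(filename, data):
    """Policy (assumed): hold macro-carrying .doc/.xls and anything whose extension lies about its type."""
    verdict, _ = triage_office_attachment(filename, data)
    if verdict == "macro-doc":
        return True
    return verdict == "not-ole" and filename.lower().endswith(LEGACY_OFFICE_EXTS)


def _constructed_ole(with_macros):
    """Constructed stand-in for a .doc: a real OLE2 header, padding and, optionally, the
    UTF-16LE storage names a VBA project leaves in the directory. Not a parseable document."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macros:
        body += VBA_MARKERS["Macros"] + b"\x00" * 16 + VBA_MARKERS["_VBA_PROJECT"]
    return body


# Constructed samples keyed by attachment name.
SAMPLES = {
    "09185035.doc": _constructed_ole(with_macros=True),       # lure name from the Debit Note post
    "quarterly_report.doc": _constructed_ole(with_macros=False),
    "Reference.exe": b"MZ" + b"\x00" * 64,                     # PE header, honestly named
    "invoice.doc": b"MZ" + b"\x00" * 64,                       # executable hiding behind .doc
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, why = triage_office_attachment(name, blob)
        print(name, "->", verdict, "| quarantine:", should_quarantine(name, blob), "|", "; ".join(why))
```

Two caveats a practitioner would add before deploying this: the check covers only the OLE2 .doc/.xls container, so the OOXML (.docm) and XML-format attachments the NOTE also mentions need their own handling (a .docm is a zip containing vbaProject.bin), and a substring match on the raw file can be fooled by a parser-aware attacker, so production gateways should walk the compound-file directory properly rather than scan bytes. As a first cut, though, it holds macro-bearing .doc attachments on the day the sample has 0/57 detections.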

Cheers,
Steve

Activity Alert: A Check Exceeded Your Requested Alert Limit Bank of America Alert

Activity Alert: A Check Exceeded Your Requested Alert Limit Bank of America Alert email with a zip attachment...

Headers:
From: "Bank of America Alert" {onlinebanking@ealerts.bankofamerica.com}
Subject: Activity Alert: A Check Exceeded Your Requested Alert Limit

Message body:
Activity Alert
A check exceeded your requested alert limit
We're letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file

Amount:
$32,692.80

Check number:
00000002618

Transaction date:
03/26/2015
You can sign in to Online or Mobile Banking to review this activity. If you don't recognize this transaction, please call us at 1.888.287.4637.


There's a Zip file attached to the email:
report_77076291400.zip

Inside the Zip file is a Windows Executable file:
report_77076291400.scr
Sha256 Hashes (one example)
7db0da727b6a2f1b135959aefbc260048c06f2d4ae5faf13ac57c9fe7ad153d5    [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 5/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com

Yarde Metals Invoice email.invoice

Yarde Metals Invoice email.invoice email with a zip attachment...

Headers:
From: "email.invoice" {email.invoice@yarde.com}
Subject: Yarde Metals Invoice

Message body:
Thank you for your order.

Attached is your original invoice. If you would
like to pay for
your order with a wire transfer please contact Angela Palmer

at 860-406-6311 for bank details.

Friendly reminder:
Yarde Metals terms
are 1/2% 10, Net 30. We appreciate your prompt payment.

There's a Zip file attached to the email:
{xo1gd3E:.zip

Inside the Zip file is a Windows Executable file:
221324.exe
Sha256 Hashes (one example)
6e22d47c76efa1c5d2c957a64be877a9901ae188b51a67ea84f382dfb7b9d941   [1]

Malware Anti-Virus Reports (one example)
VirusTotal Report [1] (hits 3/57 Virus Scanners)
Malwr Report [1]
Hybrid Analysis Report [1]

Cheers,
Steve
Sanesecurity.com