TIP: Click on subject to list as thread! ANSI
echo: internet
to: ALL
from: AUGUST ABOLINS
date: 2020-03-31 21:59:00
subject: another one phishing for
Received another suspicious email with a "Resumé" attachment just now.

No password version.

I renamed the file:

XXXXJohn Smith Resume.xls

Send it to VirusTotal.  Only ONE engine of many detected this thing.


 TACHYON == Trojan/XF.Downloader.Gen


I looked inside the file and noticed a few clues in the clear (but I obscured a
few things here with #### so no one inadvertently clicks on a link):

 C:\XTHbSJX\hQPDpQm\yNuMyDc.dl

 http://march262020.####/files/bot.dll

 URLDownloadToFileA

 http://march262020.####/files/bot.dll

 rundll32.exe,DllRegisterServer

 http://march262020.####/files

 CreateDirectory

 ShellExecute

 /bot.dll

 Excel 4.0 Macros


Very telling!  Seems to me, that the simplest infection mechanism can still
find
an unsuspecting victim.

The domain reference above pointed to:

 Source:  whois.apnic.net (APNIC serves the Asia Pacific region)
 IP Address:  170.106.11.8

But it arrived via Germany:

 X-EN-OrigIP: 194.25.134.80  <== via RIPE
 Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])
 Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de

Sneaky buggers, eh?

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
SOURCE: echomail via QWK@docsplace.org

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.