2013 November 20 13:54 GMT
2014 August 19 12:36 GMT
Email messages that are related to this threat (RuleID7942 and RuleID4626KVR) may contain the following files:
BANK SWIFT MT 103.zip
The Secure_Message.exe file in the Secure_Message.zip attachment has a file size of 13,824 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x3B699A22A8A3706C9521E63F9F598B
The invoice_658293759097294283823_93856978234729.oi.pdf.exe file in the invoice.zip attachment has a file size of 90,795 bytes. The MD5 checksum is the following string: 0x5F694ED920503E2AF93E3094C612AF48
The Swift TT.scr file in the Swift TT.zip attachment has a file size of 485,936 bytes. The MD5 checksum is the following string: 0xBEC0B30DC38C31E1124437C1437F90D6
The BANK SWIFT.exe file in the BANK SWIFT.zip attachment has a file size of 725,096 bytes. The MD5 checksum is the following string: 0x674674219C8B1DCD562BCAF14C278DC4
The Rechnung_25_14_06_8200630274520031_telekom_deutschland_GmbH_9281001.exe file in the 2014_06rechnung_52249826995793_sign.zip attachment has a file size of 132,096 bytes. The MD5 checksum is the following string: 0xCC5D51730DAED56D0D635921F7D84AC9
The mt111.exe file in the BANK SWIFT MT 103.zip attachment has a file size of 848,575 bytes. The MD5 checksum is the following string: 0x2E28C62D855A1C7872AFE7022398AB3A
The Slip Confirm.exe file in the Slip Confirm.zip attachment has a file size of 572,928 bytes. The MD5 checksum is the following string: 0xE58D8308034CD28F9101F05A02188A23
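The TRANSF~1.EXE file in the Transfer[U+202E]fdp.zip attachment (the attachment name contains the Unicode right-to-left override character, U+202E, shown here in brackets) has a file size of 513,536 bytes. The MD5 checksum is the following string: 0x5DC3A4DC9F031A8049FA196ED9FCC049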
The following text is a sample of the email message that is associated with this threat outbreak:
> Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to firstname.lastname@example.org to receive a mobile login URL.
First time users - will need to register after opening the attachment.
Help - hxxps://mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - hxxps://mailsafe.keybank.com/websafe/about
> Message Body:
Just to notify you that we have made a payment to your company account for USD22,000.00 as instructed by our customer. If delayed in receiving the payment, kindly notify us for further actions.
Attached is the payment swift copy for your reference.
Please open Zip and click to RUN download, do check if your account details is writing correctly.
Please confirm receipt and feel free to contact me if anything.
Thanks and best regards,
> Message Body:
Please find the attach copy as instructed the total amount was transferred to your account and please confirm back the invoice copy as reference via office email as soon as you get this.
Please reply only through our new email address.
Thanks and regards,
> Subject: Your Telekom Mobilfunk RechnungOnline for the month of June 2014
Telekom - experience what connects.
Your invoice for June 2014
Dear Sir or Madam,
With this letter you are receiving a notification about your current invoice. The amount due for June 2014 is: 325,86 Euro.
Attached you will find the requested documents for your Mobilfunk RechnungOnline for June 2014.
This is an automatically generated email. Please do not reply to it.
Kind regards
> Message Body:
Herewith I sent you a copy of Bank Swift copy MT 103. Payment against the proforma invoice.
Please check with your bank and confirm date of shipment.
Mr. Abdul Nasser Sokariah
> Subject: Transfer balance payment
Kindly find attached the outward remittance slip of the payment that was transferred to your account and let us know when the shipment will commence.
We Sincerely Hope To Hear From You Soon
Thanks & Regards
Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products