
Threat Outbreak Alert RuleID22154: Email Messages Distributing Malicious Software on August 31, 2016

Published: 2016-04-08 18:54:32
Source: Cisco, tools.cisco.com

Medium

Alert ID: 44562

First Published: 2016 April 8 18:54 GMT

Last Updated: 2016 September 1 13:22 GMT

Version: 23

Summary

  • Cisco Security has detected significant activity related to spam email messages distributing malicious software.

Email messages that are related to this threat (RuleID22154 and RuleID22154KVR) may contain the following files:


The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: Payment receipt

Message Body:

Dear sir,
Today we have able to remit the total amount of US$ 51,704.97 to your account.
Details of our payments are as follows:
Cont. #41 SPV001/APR/13 US$34,299.13 - 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
--------------------
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
Thank you very much.
Best regards,

Or

> Subject: 0002FIBCU1500235 PAYMENT RECEIPT

Message Body:

Dear sir
FYI
Thnks
Account Dept.

Or

> Subject: Fwd: Your Shipment Update

Message Body:

Sir,
For your reference, please see enclose with your latest update on your incoming shipments:
Thank you,
Best regards,

Or

> Subject: New Order

Message Body:

Hello sir,
See enclosed the new Order.
However sorry for the delay
Thanks and B.regards
Purchase Dept

Or

> Subject: employment offer

Message Body:

Please find attached a scanned copy of my previous ID.
Thanks and best regards,

Or

> Subject: Your Shipment Update

Message Body:

Sir,
For your reference, please see enclose with your latest update on your incoming shipments:
Thank you,
Best regards,

Or

> Subject: Autorisation

Message Body:

One or more attached file(s) have been dropped from this e-mail due to
security restrictions for potentially dangerous attachments.
It is not possible to retrieve the original attachment(s).
WHAT YOU CAN DO:
-If you need information regarding which file types are disallowed as mail attachments,
please contact IT Service Desk.
-To receive files that are not allowed via e-mail, you can use Saxo Bank’s file exchange solution.
To do so, please request access to “AdHoc File Exchange” in Omada and contact IT Service Desk for instructions.
Thank you for your understanding.
Best regards,
IT Security, Risk and Compliance (ITSRC)

Or

> Subject: BANK DETAILS

Message Body:

Hello,
We dont understand why you send new bank details
to our boss for your payment, please check again
as the payment has been remitted to the new bank
details but we still have doubt on the account.
please check the Attached swift copy if the
account is ok or do we stop the payment as we
have doubt on the bank details.

Or

> Subject: 0002FIBCU1500235 PAYMENT TT

Message Body:

Dear sir,
Today we have able to remit the total amount of US$ 51,704.97 to your account.
Details of our payments are as follows:
Cont. #41 SPV001/APR/13 US$34,299.13 - 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
Thank you very much.
Best regards,

Or

> Subject: DHL Failed Delivery Notification

Message Body:

Dear Customer,
We attempted to deliver your item at 8:10 AM on April 28th,2016.
(Read enclosed file details)
The delivery attempt failed because nobody was present at the
shipping address, so this notify has been automatically sent.
If the parcel is not scheduled for re-delivery or picked up
within 72 hours, it will be returned to the sender.
Label Number: DHL733918737AA
Expected Delivery Date April 28th , 2016
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

Or

> Message Body:

Dear sir,
Today we have able to remit the total amount of US$ 51,704.97 to your account.
Details of our payments are as follows:
Cont. #41 SPV001/APR/13 US$34,299.13 - 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
Total Remittance: US$ 51,704.97
Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
Thank you very much.
Best regards,

Or

> Subject: FYI (Urgent)!

Message Body:

Kindly find attached FYI.
Pls check and get back to me urgently.
Thanks and best regards.

Or

> Subject: Balance Payment

Message Body:

Dear,
Find enclosed the attached T/T copy
for the balance payment refering to PO-NT5617.
My colleague is on a sick leave and
maybe out of office for a week or more.
We shall advise you with our pointed
forwarder tomorrow for the shipment to carry on asap.
thanks for your kind hearted as we are
sincerely sorry for the delay with the balance payment.
Best regards

Or

> Subject: Order

Message Body:

Hello,
We have not gotten your response regarding our attached order, kindly
check and inform us reason for delay as we need the goods delivered not
later than July 2016.
your immediate response will be highly appreciated.
Please advise and kind regards,

Or

> Subject: New Enquiry

Message Body:

Dear Sir,
Please see attachment for your kind reference and confirm the current
price and availability with side with CAO
Your prompt response will be appreciated
Best Regards

Or

> Subject: The Shipping Documents

Message Body:

Dear Sir,
Good day!
kindly find the new shipping documents by adding invoice No.
according to your instruction for your easy reference.
The original documents with chop and signature have been
couriered to you via SF.
Many thanks.
Best regards

Or

> Subject: Urgent Export Inquiry

Message Body:

Dear Sir
Please check the attached pictures and let me know if the following are possible to supply us.
Also Brand name will be ours. We will increase qty every quarter. COA required.
Packing has to be same as attached and we will provide brands and artworks.
Kindly give us your best price asap
Best Regards,

Or

> Subject: Purchasing Order

Message Body:

Hello Dear,
I don’t know why you have refused to send us your detail feedback,
my colleaguesent you the file two times now and there is no response from you,
attached again is the new purchase details For your reference,
kindly get back to us with your company stamped,
We look forward to your response.
Regards,

Or

> Subject: Transfer Request Form

Message Body:
Sir
Kindly fill in your complete banking instruction in the attached
transfer request form in order to process the down payment.
Kind regards.

Or

> Subject: Specifications and Schematic Diagram

Message Body:

Dear Sir,
Please find attached specifications and schematic diagram for supply
give us your best quote with datasheet of proposed product.Kindly
send me formal quotation on your company letter head and please
also provide company and product approval certificate from DM or DCL.
Thanks,

Or

> Subject: Re: Quotation

Message Body:

Dear Sir
We could like to establish a long time business relationship with you if your price is competitive
Please check the attached and let us know if you can supply us as specified
kindly quote your best price asap
Your prompt response will be appreciated.
Thank you & Best Regards
Lobna Saad
deputy Manager,

Or

> Subject: FYI (Urgent)!

Message Body:

Kindly find the attached FYI.
Pls check and get back to me urgently.
Thanks and best regards

Or

> Subject: Bank details

Message Body:

Dear Sir, Kindly revise your attached outstanding invoice and
bank detail in regards to corrections made on the 15th.
We will proceed with remittance once received. Your urgent response to this mail will be highly appreciated. Best Regards.

Or

> Subject: Request for Quote

Message Body:

The account manager is out of office on a business trip with
limited access to his email,please see the attached deposit slip as a proof of our payment.
Kindly acknowledge upon receipt of this massage. Look forward to your urgent reply. Thanks & Regards, Sales Manager

Or

> Subject: Quote-$6000

Message Body:

Good Morning,
As per our Last conversataion see
attached, see Page 4 and 5.
Thanks

Or

> Subject: Request For Quotation

Message Body:

Dear Sir,
As advised, We just sent you our
Request for Quotation via ShipServ.
Attached please find additional data
for our first order, as announced in our inquiry.
Please quote soon.
Best regards,

Or

> Subject: Awaiting your sales contract

Message Body:

Dear Sir
Pls this is the second mail we are sending from our alternative mail yet
no response from your side since you sent us your quotation in April.
Based on our last inquiry we have confirmed our order as attached in this
mail. Kindly do the needful by preparing a sales contract asap for the attached
order because we will like to get the order before summer.
We hope to hear from you soon.
Regards.

Or

> Subject: OVERDUE PAYMENTS/Swift

Message Body:

Please be informed that we have already taken the payment in
process, may be by end of this week. Attached is the scanned
payment swift copy, let us know when you receive the payment.
kind regards

Cisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

| Version | Description | Date |
| --- | --- | --- |
| 23 | Updated to report significant activity detected by Cisco Security on August 31, 2016 | 2016-September-01 |
| 22 | Updated to report significant activity detected by Cisco Security on August 22, 2016 | 2016-August-23 |
| 21 | Cisco Security has detected significant activity on July 24, 2016. | 2016-August-01 13:14 GMT |
| 20 | Cisco Security has detected significant activity on July 24, 2016. | 2016-July-25 14:14 GMT |
| 19 | Cisco Security has detected significant activity on July 21, 2016. | 2016-July-21 16:54 GMT |
| 18 | Cisco Security has detected significant activity on July 1, 2016. | 2016-July-05 12:09 GMT |
| 17 | Cisco Security has detected significant activity on June 30, 2016. | 2016-June-30 13:11 GMT |
| 16 | Cisco Security has detected significant activity on June 11, 2016. | 2016-June-13 12:19 GMT |
| 15 | Cisco Security has detected significant activity on May 31, 2016. | 2016-June-02 11:59 GMT |
| 14 | Cisco Security has detected significant activity on May 26, 2016. | 2016-May-27 13:13 GMT |
| 13 | Cisco Security has detected significant activity on May 25, 2016. | 2016-May-25 21:25 GMT |
| 12 | Cisco Security has detected significant activity on May 16, 2016. | 2016-May-17 12:43 GMT |
| 11 | Cisco Security has detected significant activity on May 6, 2016. | 2016-May-09 12:34 GMT |
| 10 | Cisco Security has detected significant activity on May 5, 2016. | 2016-May-05 19:45 GMT |
| 9 | Cisco Security has detected significant activity on May 5, 2016. | 2016-May-05 16:18 GMT |
| 8 | Cisco Security has detected significant activity on May 4, 2016. | 2016-May-04 20:23 GMT |
| 7 | Cisco Security has detected significant activity on April 29, 2016. | 2016-May-02 12:29 GMT |
| 6 | Cisco Security has detected significant activity on April 22, 2016. | 2016-April-28 12:21 GMT |
| 5 | Cisco Security has detected significant activity on April 22, 2016. | 2016-April-25 12:05 GMT |
| 4 | Cisco Security has detected significant activity on April 22, 2016. | 2016-April-22 18:55 GMT |
| 3 | Cisco Security has detected significant activity on April 15, 2016. | 2016-April-21 12:58 GMT |
| 2 | Cisco Security has detected significant activity on April 15, 2016. | 2016-April-15 19:11 GMT |
| 1 | Cisco Security has detected significant activity on April 8, 2016. | 2016-April-08 18:54 GMT |

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products