LeeScambait
Hello I'm New here!
Joined: 28 Nov 2019
Posts: 19
Location: The Netherlands
Posted: Mon Mar 23, 2020 7:57 am
Hello 419 Eater!
On the 20th of March I received a strange email pretending to be from a hospital. It asked the recipients to open the attached file because supposedly it was a purchase order.
One thing I noticed was the weird .rar ending.
Just to be safe I downloaded and opened the file in a Windows 7 virtual machine and ran it through VirusTotal.
My suspicion was correct: it was a Trojan.
Fast forward to today and I received an email again from the same name and the same spoofed address with another 1 MB .rar file.
It seems like the guy sent the same virus again because he thinks that it failed last time.
This time I finally figured out how to open the Task Manager, and it was not surprising to find that the file was running in the background.
I don't know how to post pictures on here, so I posted all of them on postimage:
https://postimg.cc/gallery/3e0aiq9r0/
If anyone wants to analyse the file he sent me, send me a message.
Also, I am sorry if this is posted in the wrong place.
_________________
"You are idiot you are fool infact you are nicompoo"
"Ask your mother fu**** a** and ask your dad to open his a** and stick a wood on it your will get a loan from your mama a**"
"LOOK WE HAVE WARNED YOU MANY TIME THIS IS NOT A PLAY GROUNG OR A GAME
PLACE BE WAREND FOR THE LAST TIME"
"Juju Monkey" |
bikeatl77
** WARNED **
Joined: 17 Nov 2018
Posts: 1012
Location: Emptying one of my dehumidifiers...somewhere
Posted: Mon Mar 23, 2020 9:01 am
Eater doesn't deal with this type of thing, but I'm glad you used a VM to open the file. RAR is similar to a zip file: multiple files are packaged in a RAR and extract when you open it. They probably put the RAR into a zip file to help it bypass your mail provider's filters. I'd mark the email as spam to help your mail provider block subsequent resends and move on with life. There's not much more you can do than that. Definitely destroy that VM instance though... there's no telling what lurks in it now.
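As an added example (not code from anyone in this thread), here is a small Python triage script that does the check behind the advice above: it identifies an attachment by its leading bytes rather than by the name it was given, and lists what a zip carries without extracting anything to disk. It flags Windows executables, archives nested inside archives, and file names whose extension disagrees with the content. The signature bytes are the published magic numbers for each format; the sample archive, its member names and the size and depth limits are constructed for illustration. A genuine RAR is treated as opaque because the standard library has no RAR reader.

```python
import io
import zipfile

# Leading-byte signatures for the formats that matter here (published magic
# numbers). The extension in the file name is deliberately ignored when
# deciding what a file actually is.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),          # also .docx/.xlsx/.jar, which are zips inside
    (b"MZ", "pe-executable"),        # Windows EXE/DLL/SCR, including self-extracting archives
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
]

# What the content should look like for a given extension.
EXPECTED = {
    "rar": {"rar4", "rar5"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole2"}, "xls": {"ole2"}, "pdf": {"pdf"}, "exe": {"pe-executable"},
}
ARCHIVES = {"rar4", "rar5", "zip"}
MAX_MEMBER = 10 * 1024 * 1024   # assumed cap: never inflate a member bigger than this (zip-bomb guard)
MAX_DEPTH = 3                   # assumed cap: stop walking archives-in-archives past this


def sniff(data):
    """Return the detected type of a byte string from its leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(data, name="attachment", depth=0):
    """Classify an attachment and, for zips, each member, without writing to disk.

    Returns a list of dicts: {"name", "depth", "type", "flags"}.
    """
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    flags = []
    if kind == "pe-executable":
        flags.append("executable")          # runs if double-clicked, whatever it is called
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        flags.append("extension-mismatch")  # e.g. an executable named order.pdf, or MZ bytes in a ".rar"
    if kind in ARCHIVES and depth > 0:
        flags.append("nested-archive")      # archive inside an archive, a common filter dodge
    if kind == "unknown":
        flags.append("unknown-type")
    findings = [{"name": name, "depth": depth, "type": kind, "flags": flags}]

    # Only zips are walked. A RAR stays opaque here (no stdlib reader) and is
    # simply reported as an archive to be handled with a proper tool elsewhere.
    if kind == "zip" and depth < MAX_DEPTH:
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings[0]["flags"].append("corrupt-zip")
            return findings
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:    # encrypted member: scanners cannot see inside it either
                    findings.append({"name": info.filename, "depth": depth + 1,
                                     "type": "not-inspected", "flags": ["encrypted-skipped"]})
                    continue
                if info.file_size > MAX_MEMBER:
                    findings.append({"name": info.filename, "depth": depth + 1,
                                     "type": "not-inspected", "flags": ["oversized-skipped"]})
                    continue
                findings.extend(triage(zf.read(info), info.filename, depth + 1))
    return findings


def build_sample():
    """Constructed sample: a zip carrying a RAR and an executable renamed to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Purchase_Order.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 64)
        zf.writestr("Purchase_Order.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage(build_sample(), "Purchase_Order.zip"):
        print("  " * f["depth"] + f["name"], f["type"], ",".join(f["flags"]) or "-")
```

Run it against a saved attachment with `triage(open(path, "rb").read(), os.path.basename(path))`, on a machine you do not care about. The point of sniffing the bytes is that a plain RAR or zip is just data and cannot "run" by itself; a file that starts with `MZ` is a Windows executable no matter what extension it was given, and a self-extracting RAR is exactly that. Encrypted or oversized members are reported rather than opened, because a password-protected archive is another way attachments get past a mail provider's scanner, and the script should never be the thing that inflates a zip bomb.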
LeeScambait
Hello I'm New here!
Joined: 28 Nov 2019
Posts: 19
Location: The Netherlands
Posted: Mon Mar 23, 2020 9:18 am
Thanks for letting me know!
I reported it to Protonmail, and I always destroy VMs after downloading these things.
bware419ers
419Eater Admin
Joined: 25 Jun 2012
Posts: 21302
Location: Searching for the Platinum Piggie
Posted: Mon Mar 23, 2020 12:40 pm
Moved here.
As mentioned, this isn't Advance Fee Fraud or what we deal with, however...
We probably don't emphasize it enough, but, for safety's sake, you should never open any file a lad sends. If it claims to be a word processing document (Word or PDF), tell the lad your computer says it's corrupted. Same with an Excel file. If you see an extension you don't recognize, certainly do not open it.
While most low-level AFF lads aren't adept at malicious files or links, many "seasoned" and successful lads diversify and take every advantage they can.
_________________
"FFS." - Capone
"I started to read it but got bored after the first couple of sentences." - SOOI
"Remind me not to get on your bad side." - jose_cuervo
B8er
Associate Boomdazzler
Joined: 16 Feb 2009
Posts: 13625
Location: In self-isolation practicing social distancing
Posted: Mon Mar 23, 2020 12:55 pm
Even low-level lads are a big risk for passing on viruses. Some people will think sending a virus to a scammer is a good idea; lads pass files around between themselves, and many will still work in Internet cafes, so there's a very good chance that even the most technically inept scammer may unknowingly send you a virus.
If you really must know what's in a Word/Excel/PDF document or image and you're on Gmail, then you can view it from within Gmail itself (assuming you are using the webmail and not a mail client). Other mail providers probably do similar.
_________________
"I DENOUNCE THE MUFFIN MEN" - Ma Kim
"YOU ARE WALKING DEAD MAN. YOUR WOODEN COFFIN IS READY TO SWALLOW YOU AND YOUR DIRTY GENERATION"
"all chaps are ass-less by design otherwise they just be leather pants" - jose_cuervo
Fake cheques: $4,392,620.83
Team Woody - Ghana to Singapore - 11535km
Connie L. Gus
Moderator
Joined: 07 Oct 2005
Posts: 7243
Location: Somewhere over the rainbow
Posted: Mon Mar 23, 2020 4:38 pm
I suggest always asking that any Word or Excel file be converted into a PDF, and any PDF you receive from a lad be converted into a DOCX. Don't bother looking at them; tell the lad that he then needs to move the information into the body of the email text. They will, and end up giving you even more attention.
_________________
LISTEN TO ME WHAT DO YOU TAKE ME FOR ONE OF THOSE CHEAP CROOK OR WHAT - tobi donito
LISTEN I CAN NOT TAKE YOUR SHIT ANY LONGER WE HAVE WHROTE A PETITION AGAINST YOU TO THE FBI WITH ALL OUR EVIDENCE YOU ARE INTO PROSTITUTION,DRUG DEALING, FORGERY, CREDIT CARDS FORGRY WESTEN UNION FALSIFICATION,DRUGING MEN,COMMETING MURDER, STEALING, DRUNCARD, ALL THIS WE HAVE THE EVIDENCE TO PROOF OUR CASE AGAINST YOU. - Johnson Hill
I am not finding it any funny... Henry A., Lagos, Nigeria to Cotonou, Benin, WIMPed
I am stranderd. Henry A., Lagos to Accra, WIMPed for 67 days.
LeeScambait
Hello I'm New here!
Joined: 28 Nov 2019
Posts: 19
Location: The Netherlands
Posted: Tue Mar 24, 2020 2:28 am
Yes B8er, as far as I know GMX and Gmail give you the ability to preview a file instead of opening or downloading it.