Another bit of junk today; helpfully, this time they also CC'd all the people in the organisation it was sent to, so I could warn them.
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here <https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQmUxbENtOXhkak9yZWt5UmdteDRsUjJuWENHRzVZbz0>
I would be grateful if you could look into this matter and advise on an expected payment date.
Tel: 0845 300 2952
Needless to say, it didn’t come from ulsterbank.ie.
Received: from mail.meiko-eisengiesserei.de (mail.meiko-eisengiesserei.de [184.108.40.206]) by media.myclient.com with ESMTP ; Thu, 2 Apr 2015 11:47:41 +0100
Received: from [220.127.116.11] (helo=vyyiyjqbkpgue.dvrke.com) by mail.meiko-eisengiesserei.de with esmtpa (Exim 4.69) (envelope-from ) id 1MMHLU-6787pc-5S for firstname.lastname@example.org; Thu, 2 Apr 2015 11:48:10 +0100
Date: Thu, 2 Apr 2015 11:48:10 +0100
From: "email@example.com" <firstname.lastname@example.org>
X-Mailer: The Bat! (v3.71.04) Professional
X-Priority: 3 (Normal)
Message-ID: <9309792200.R5X6472C560759@ufmsdfecd.mevlnsekx.biz>
To: <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>
Subject: Outstanding invoice
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-Path: Bankline.Administrator@mail.meiko-eisengiesserei.de
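As an added example (not code from the original post), here is a small Python check that reads the Received, From and Return-Path lines quoted above, embedded as a constructed sample with the post's own placeholder addresses, and reports the header-level reasons this mail could not have come from the claimed sender: the Return-Path and From domains differ, the first hop is a bare IP with an unrelated HELO name, and the German relay accepted it as an authenticated submission (Exim's "esmtpa"), which means an account on that relay was used to send it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post (addresses are the
# post's own placeholders), trimmed to the fields the checks below use.
SAMPLE_HEADERS = """\
Received: from mail.meiko-eisengiesserei.de (mail.meiko-eisengiesserei.de [184.108.40.206]) by media.myclient.com with ESMTP ; Thu, 2 Apr 2015 11:47:41 +0100
Received: from [220.127.116.11] (helo=vyyiyjqbkpgue.dvrke.com) by mail.meiko-eisengiesserei.de with esmtpa (Exim 4.69) (envelope-from ) id 1MMHLU-6787pc-5S for firstname.lastname@example.org; Thu, 2 Apr 2015 11:48:10 +0100
From: "email@example.com" <firstname.lastname@example.org>
Subject: Outstanding invoice
Return-Path: Bankline.Administrator@mail.meiko-eisengiesserei.de

"""


def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """Sending host, its IP, HELO name, receiving host and protocol from one Received: header."""
    return {"from": grab(r"^from\s+(\S+)", value), "ip": grab(r"\[([\d.]+)\]", value),
            "helo": grab(r"helo=([^\s)]+)", value), "by": grab(r"\bby\s+(\S+)", value),
            "with": grab(r"\bwith\s+(\S+)", value)}


def base_domain(host):
    """Last two labels of a hostname; good enough for the .com/.de/.org names in the sample."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else None


def addr_domain(header):
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def analyse(raw):
    """Header-level red flags for a message; an empty list means nothing looked odd."""
    msg = message_from_string(raw)
    hops = [parse_received(r) for r in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {}  # bottom Received: = first hop = where the mail entered the system
    flags = []
    from_dom, rp_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    if from_dom and rp_dom and base_domain(rp_dom) != base_domain(from_dom):
        flags.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    if origin.get("from", "").startswith("["):
        flags.append(f"first hop {origin['ip']} has no reverse DNS name, only a HELO of {origin['helo']}")
    if origin.get("helo") and base_domain(origin["helo"]) != base_domain(origin["by"]):
        flags.append(f"HELO {origin['helo']} is unrelated to the relay {origin['by']}")
    if (origin.get("with") or "").lower() == "esmtpa":
        flags.append(f"relay {origin['by']} accepted an authenticated (esmtpa) submission from that host, "
                     "so an account on the relay was used to send it")
    return flags


if __name__ == "__main__":
    for flag in analyse(SAMPLE_HEADERS):
        print("FLAG:", flag)
```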
Upon execution it connected to checkip.dyndns.org to look up the infected machine's public IP, then contacted a server in Ukraine:
It then downloaded a payload from:
It then started SSL communication with 18.104.22.168 (an IP in Russia), using an SSL certificate with CN=oHbECjOD3mWybdlZ55TWBABk and a generation date of 26th March 2015.
Also the following IPs were seen:
22.214.171.124 HTTPS, an IP in Russia: certificate Common Name oHbECjOD3mWybdlZ55TWBABk, certificate generation date 26th March 2015.
126.96.36.199 HTTPS, an IP in Ukraine: certificate Common Name GHsaixn60AdNExbRZPddpOKo, certificate generation date 2nd April 2015.
Unlike previous versions of this junk, it no longer seems to use a Windows HTTP/HTTPS component, so my SSL interception software does not work and I cannot see the data it is exchanging.