Another batch of virus e-mails “Invoice #879384”

Another day another attempt at sending through zipped attachments…

From: Truman Koch <>
Subject: Invoice #879384
Attachment: Invoice

Please find Invoice #879384 attached

Please note that our payment terms are #25 days.

Best regards,

Truman Koch

The invoice number and the number of days seems to change in each email.

Also seen were these sender names:

Aldo Mcdonald <>
Mohammed Sheppard <>
Craig Mathis <>

Inside the ZIP is a file “Invoice #879384.js”. Different e-mails contained slightly different file content. Here are the ones I’ve seen so far:

SHA256 75b2fa43296c80b222dedb9355e392bf88289445608bbc95c44f00309dab792b
SHA256 3727653a25a8fb3e550fa9a859818da8cba68c2475b7c4f91cb620c481582d57
SHA256 668ecb645e3e884e3bdca8457251d39666ac16e3e8e68eaa4c05507e4c38f41d
SHA256 271d5b9a1ec0ead7d78b02bc36df2c6db5b8484c4a3ee3f6935136ab961d0ebb

When run requests are sent to:

And then Cryptowalls your files (Encrypts and ransoms)

The domain uses nameservers seen in this scam within the past week.

The domain points to the following IP addresses:


This entry was posted in Uncategorized. Bookmark the permalink.

1 Response to Another batch of virus e-mails “Invoice #879384”

  1. Pingback: “Please find attached copy of the passport for my wife and daughter as requested” zip attachment virus mail | thecomputerperson

Comment on this topic

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s