The Latest in IT Security

Wells Fargo spam / Important WellsFargo Doc.exe / Important WellsFargo Docs.exe


This fake Wells Fargo spam run comes with one of two malicious attachments:

Date:      Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From:           [email protected]
Subject:      IMPORTANT – WellsFargo

Please check attached documents.

Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell [email protected]


To unsubscribe from marketing e-mails from:
- An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
- Wells Fargo and its affiliates: Unsubscribe at
Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.

For additional information regarding our electronic communication policies, visit .

Investments in securities and insurance products are:

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient, but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be two variants.

One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47 (yup, none at all). The Comodo CAMAS report gives the following checksums:

Size: 94720
MD5: 70e604777a66980bcc751dcb00eafee5
SHA1: 52ef61b6296f21a3e14ae35320654ffe3f4e769d
SHA256: f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae

identifies that this version of the malware attempts to download additional components from on (specifically it is a Pony downloader querying /ponyb/gate.php). More of this later. ThreatTrack has a more detailed report which also identifies callbacks to and ThreatExpert has a slightly different report and further identifies , , and (Linode, US).

The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46. Comodo CAMAS reports the following file characteristics:

Size: 114176
MD5: 47e739106c24fbf52ed3b8fd01dc3668
SHA1: b85b4295d23c912f9446a81fd605576803a29e53
SHA256: 2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b

In this case the Pony downloader contacts (also on ). Other analyses are pending.

Several of these malware domains are hosted on (Linode, US) and we can assume that this server is compromised along with all the domains on it. (Aruba, Italy) also seems to be compromised. (Unified Layer, US) and (, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been hacked in some way; I would expect them to be cleaned up at some point in the future.

Putting all these IPs and domains together gives a recommended blocklist:
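As an added example (not code from the original post), the following Python script shows how a mail gateway or analyst could triage this kind of attachment: it unpacks a ZIP in memory, flags executable members, compares each member's SHA256 against the two checksums given above, and separately scans proxy log lines for the /ponyb/gate.php callback path. The ZIP contents and log lines are constructed stand-ins, not the real samples.

```python
import hashlib
import io
import re
import zipfile

# SHA256 checksums of the two attachments reported in the post
KNOWN_BAD_SHA256 = {
    "f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae": "Important WellsFargo Doc.exe",
    "2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b": "Important WellsFargo Docs.exe",
}
# Extensions that should never arrive inside a "document" ZIP
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Pony downloader gate path named in the post (case-insensitive)
PONY_GATE = re.compile(r"/ponyb/gate\.php", re.IGNORECASE)


def inspect_zip_attachment(zip_bytes, known_bad=KNOWN_BAD_SHA256):
    """Return one finding dict per ZIP member with hashes and match reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            sha256 = hashlib.sha256(data).hexdigest()
            reasons = []
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("executable inside ZIP")
            if sha256 in known_bad:
                reasons.append("matches known sample " + known_bad[sha256])
            findings.append({"name": info.filename, "size": info.file_size,
                             "md5": hashlib.md5(data).hexdigest(),
                             "sha256": sha256, "reasons": reasons})
    return findings


def find_pony_callbacks(log_lines):
    """Return proxy log lines that request the Pony gate path."""
    return [line for line in log_lines if PONY_GATE.search(line)]


def build_sample_zip():
    """Constructed sample ZIP: a harmless stub named like the spam attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Important WellsFargo Doc.exe", b"MZ constructed stub, not malware")
        zf.writestr("readme.txt", b"plain text member")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        print(f["name"], f["sha256"], f["reasons"])
```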
