As the title says, the subject of this email is Compromised Email - SERVER TERMINATION.
It looks like their employees were all working remotely, one employee's computer got hacked, and it was then used to send out emails carrying a malicious attachment?
Dear Psychz User,
It has come to our attention that one of our employees' machines was compromised. Unfortunately this is one of the challenges when employees work remotely during the pandemic. Policies were not followed, and those are being revisited while we continue our investigation.
We're reaching out to ensure you did not open the previous email's attachment. If it was opened, please scan, and also check whether there are unknown processes running in your Windows Task Manager. So far we can see the exe file makes a request to a server in Bulgaria with IP -> 5.181.80.177; this is another method to check whether you were compromised.
To know more about the file being sent to you this is what was posted - https://www.hybrid-analysis.com/sample/16b1d0cbb8eb4804ccedaed0abd454606f0d237abe3d4f8ac212ff3a027270c7/60b4e347e6e900384249f21c
In terms of the extent of the damage, your billing information such as your credit card, PayPal, or ACH info is safe. There is no evidence of the billing information being viewed or downloaded.
Server credentials: we should not have that information. Every single server provisioned is required to have its password changed upon delivery of services. Thus we do not know, and should not have, the passwords to your servers.
We apologize for this nuisance. Should you have any questions or concerns, please reach out.
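The notice only gives two things to check: unknown processes in Task Manager and connections to 5.181.80.177. Below is a PowerShell triage script I put together for anyone who opened the attachment; it is an added example, not something Psychz sent. It assumes you run it in an elevated PowerShell on the Windows machine that received the mail, and the attachment path in step 3 is a placeholder you should replace with wherever the file actually landed. The 64-hex string in the Hybrid Analysis URL is how that service identifies a sample by SHA256, so it is used as the reference hash.

```powershell
# Added triage example (not part of the Psychz notice). Run as Administrator.
# Only the IP named in the email is a known indicator; nothing else is assumed about the malware.
$Ioc        = '5.181.80.177'
$ReportHash = '16b1d0cbb8eb4804ccedaed0abd454606f0d237abe3d4f8ac212ff3a027270c7'  # SHA256 from the report URL
$Attachment = "$env:USERPROFILE\Downloads\attachment.exe"   # placeholder path, replace with the real one

# 1. Current TCP connections to the IOC, mapped to the owning process and image path.
#    This is point-in-time: a beacon that sleeps between check-ins will not show up here.
Write-Host "== Connections to $Ioc =="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $Ioc } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            State      = $_.State
            PID        = $_.OwningProcess
            Process    = $p.ProcessName
            Path       = $p.Path
        }
    } | Format-Table -AutoSize

# 2. Running processes whose image is unsigned or fails signature validation.
#    Cheaper than eyeballing Task Manager, and it surfaces the odd exe first.
Write-Host "== Running processes without a valid Authenticode signature =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Sort-Object Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                PID       = $_.Id
                Name      = $_.ProcessName
                Path      = $_.Path
                Signature = $sig.Status
            }
        }
    } | Format-Table -AutoSize

# 3. If the attachment is still on disk, hash it and compare with the sample in the report.
Write-Host "== Attachment hash check =="
if (Test-Path $Attachment) {
    $h = (Get-FileHash -Algorithm SHA256 -Path $Attachment).Hash.ToLower()
    if ($h -eq $ReportHash) {
        Write-Host "MATCH: $Attachment is the sample from the Hybrid Analysis report"
    } else {
        Write-Host "No match ($h); a different file, or the same campaign with a recompiled payload"
    }
} else {
    Write-Host "Attachment not found at $Attachment"
}
```

A clean result from step 1 does not clear the machine: the socket only exists while the executable is talking to the server, so if the box matters, pull firewall or proxy logs for 5.181.80.177 over the last few days, or run a proper AV/EDR scan, rather than relying on a single netstat-style snapshot.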