No malware found directly via the email, but clear associations with malicious malware campaigns.


The email received (multiple times the week of July 17th) purported to be from an individual (always different female names) who had sent me the amount of $3,543.00 via Paypal. The email requests that I log in and withdraw it immediately. I expected the link to be a Paypal phishing site.

However the link was to a domain www[dot]thecoach2017[dot]com. The page consisted of a video ad for a "21 step millionaire mentorship" program. At the end of the advertisement, a link was presented to me to sign up for one of the "100 remaining" slots. Better act fast..

The video was the singular upload on a Vimeo account using the name Michael Jones and is most likely a complete dead end:

The link was to a site called MTTB. The site is eager to take your PII and CC details to start the 21 step program. The purpose of the spam campaign is apparent with the affiliate link in the address bar.

The terms and conditions for the site (headquartered in Malaysia) and the program are exactly what you would expect from a site like this; bluntly absolving every entity from any liability. The terms of service can be read in full here: mttbsystem[dot]com/terms-conditions <- risky click of the day. A quick google search of MTTB, the "Millionaire Mentor Program" or an affiliated entity, MOBE, return a plethora of scam warnings and complaints. MOBE is founded by a man named Matt Lloyd.

The Actor

The original site linked in the email has (potentially) identifiable WHOIS data, registered to a Ren Jia Peng in ShenZhen, China.

A VirusTotal scan of the site returns a single positive for Phishing. A reverse WHOIS on Ren Jia Peng returned a variety of domains that could be associated with email spam, such as bestrxsales[dot]in. Four obscure domains of particular interest were found:

As expected, these domains returned more interesting results on VirusTotal. The domains were all associated at one time with the IP that had a variety of malicious detections and a generic trojan:

That report can be viewed here.

Most significantly, a high number of malicious software samples reported back to that IP address but only as recently as September of 2016. The majority of the samples (see the VT report above) are variations of RATs and droppers. The IP address belongs to Sharktech, a VPS company headquartered in Las Vegas, NV, USA.


Not much to say about this email; unfortunately no direct link to a new malware sample to investigate. However, as is typical of spam, the source is closely associated with a variety of unscrupulous vendors and malicious software activity.

Get honeypotted? I like spam. Contact Us Contact Us Email Email email: