Sponsored by..

Monday 9 June 2014

"inovice 2110254 June" spam

This terse but badly-spelled spam has a malicious attachment:

Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From:      Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject:      inovice 2110254 June

This email contains an invoice file attachment 
Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.

UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:
[donotclick]62.76.189.58:8080/dron/ge.php
[donotclick]62.76.41.73:8080/tst/b_cr.exe


It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.

UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to 62.76.185.30.

All the IP addresses listed belong to Clodo-Cloud in Russia:
62.76.41.73
62.76.185.30
62.76.189.58


Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:
62.76.40.0/21
62.76.184.0/21




No comments: