From: "Sharon Samuels" [sharons463@brunel-promotions.co.uk]
Date: Wed, 16 Dec 2015 14:46:12 +0300
Subject: Invoice No. 22696240

Good morning
Please find attached your latest invoice, for your attention.
Please be advised that your goods have been despatched for delivery.
Regards
Sharon
--------------------------------------------
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster
BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235

Various details in the message change, such as the invoice number. I have seen two attachments with detection rates of 4/55 [1] [2] which according to Malwr [3] [4] download a malicious binary from the following locations:

winnig.privat.t-online.de/98g654d/4567gh98.exe
printempsroumain.org/98g654d/4567gh98.exe
This executable has a detection rate of 3/52 and these automated analyses [1] [2] [3] [4] indicate network traffic to:
199.7.136.84 (Megawire, Canada)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
The payload is probably the Dridex banking trojan.
MD5s:
d73d599ef434d7edad4697543a3e8a2b
7bcf4a947a74866debbcdeae068541fe
1cf8d5ab33c7e9e603d87d482c1c865d
Recommended blocklist:
199.7.136.84
202.69.40.173
221.132.35.56
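As an added example (not part of the original post), the indicators above turned into a triage script: it scans constructed proxy and firewall log lines for fetches of the dropper binary (exact URL, or the same `98g654d/4567gh98.exe` path on a host not yet listed) and for outbound connections to the three C2 addresses, and returns the internal hosts that need attention. The log formats are hypothetical and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the post above (the only page-specific values used).
C2_IPS = {"199.7.136.84", "202.69.40.173", "221.132.35.56"}
DOWNLOAD_URLS = {"winnig.privat.t-online.de/98g654d/4567gh98.exe",
                 "printempsroumain.org/98g654d/4567gh98.exe"}
# The campaign serves one path from several hosts, so also match on the path alone.
DOWNLOAD_PATHS = {"/" + u.split("/", 1)[1] for u in DOWNLOAD_URLS}

# Constructed sample logs (not from the post). Formats, both hypothetical:
# "<ts> <src> GET <url> <status>" and "<ts> <src> -> <dst>:<port> <action>".
PROXY_LOG = """\
2015-12-16T12:10:01Z 10.0.0.12 GET http://printempsroumain.org/98g654d/4567gh98.exe 200
2015-12-16T12:10:03Z 10.0.0.12 GET http://www.example.com/index.html 200
2015-12-16T12:11:40Z 10.0.0.31 GET http://other.example.net/98g654d/4567gh98.exe 200
"""
FW_LOG = """\
2015-12-16T12:10:20Z 10.0.0.12 -> 199.7.136.84:443 ALLOW
2015-12-16T12:10:25Z 10.0.0.12 -> 192.0.2.7:443 ALLOW
2015-12-16T12:12:01Z 10.0.0.40 -> 221.132.35.56:8080 ALLOW
"""
PROXY_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\d+)$", re.M)
FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$", re.M)

def match_proxy(log):
    """(src, url, confidence) for each fetch of the dropper binary."""
    hits = []
    for m in PROXY_RE.finditer(log):
        src, url = m.group(2), m.group(3)
        p = urlsplit(url)
        if f"{p.hostname}{p.path}" in DOWNLOAD_URLS:
            hits.append((src, url, "exact"))
        elif p.path in DOWNLOAD_PATHS:           # new host, same dropper path
            hits.append((src, url, "path-only"))
    return hits

def match_firewall(log):
    """(src, dst) for each outbound connection to a listed C2 address."""
    return [(m.group(2), m.group(3)) for m in FW_RE.finditer(log)
            if m.group(3) in C2_IPS]

def affected_hosts(proxy_log, fw_log):
    """Internal hosts that fetched the binary or talked to a C2: the triage list."""
    srcs = {h[0] for h in match_proxy(proxy_log)} | {h[0] for h in match_firewall(fw_log)}
    return sorted(srcs)
```

A "path-only" hit is a weaker signal than an exact URL match, but it is how a new download host for the same campaign usually shows up first.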