
Wednesday 2 December 2015

Malware spam: "November Invoice #60132748" leads to Teslacrypt

This fake financial spam comes with a malicious attachment.


From:    Valarie Davenport
Date:    2 December 2015 at 11:59
Subject:    November Invoice #60132748


Hello ,

Please review the attached copy of your Electronic document.

A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.

Thank you for your business.

Attached is a file invoice_60132748.zip containing a malicious obfuscated script INVOICE_main_BD3847636213.js [Pastebin obfuscated / deobfuscated], which downloads a malicious file from:

74.117.183.84/76.exe?1

It also tries to contact 5.39.222.193, but this times out. An attempt to download from bestsurfinglessons.com comes up with a 404 error.

The Malwr report and Hybrid Analysis indicate that this communicates with the following compromised domains:

ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org


Both those reports indicate that this is the Teslacrypt ransomware.


The Hybrid Analysis report also shows other traffic to:

tsbfdsv.extr6mchf.com
alcov44uvcwkrend.onion.to
rbtc23drs.7hdg13udd.com


MD5s:
72c15108b68a0f07fdc4d17bd58aa368
0352acd36fedd29e12aceb0068c66b49
f16692fc9170ff68321a5d060b93e2e7


Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
extr6mchf.com
alcov44uvcwkrend.onion.to
7hdg13udd.com
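As an added example (not part of the original post), here is a Python script that applies the blocklist above to web-proxy log lines. Listed domains are matched as exact names or as parent domains, so the tsbfdsv.extr6mchf.com traffic is caught by the extr6mchf.com entry without a plain substring test that would also flag unrelated names; the log lines and the "timestamp client url" layout are constructed samples.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Indicators copied from the recommended blocklist above.
BLOCKLIST = {
    "74.117.183.84", "5.39.222.193",
    "ccfinance.it", "ecaequeeessa.com", "schonemaas.nl", "cic-la-banque.org",
    "extr6mchf.com", "alcov44uvcwkrend.onion.to", "7hdg13udd.com",
}

def host_matches(host, blocklist=BLOCKLIST):
    """Return the blocklist entry covering host, or None. IPs must match
    exactly; domains match exactly or by parent, so tsbfdsv.extr6mchf.com
    hits extr6mchf.com while notextr6mchf.com does not (substring tests would)."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host if host in blocklist else None
    except ValueError:
        pass  # not an IP address: fall through to domain-suffix matching
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

# Constructed sample proxy log, "timestamp client url" per line (not real traffic).
SAMPLE_LOG = """\
1449057600.123 10.0.0.15 http://74.117.183.84/76.exe?1
1449057601.456 10.0.0.15 http://www.example.com/index.html
1449057602.789 10.0.0.15 http://tsbfdsv.extr6mchf.com/
1449057603.012 10.0.0.22 http://notextr6mchf.com/
1449057604.345 10.0.0.22 http://alcov44uvcwkrend.onion.to/
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def scan_log(text, blocklist=BLOCKLIST):
    """Return (client, host, matched_entry) for every line whose host is listed."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        _ts, client, url = m.groups()
        host = urlsplit(url).hostname or ""
        entry = host_matches(host, blocklist)
        if entry:
            hits.append((client, host, entry))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the 76.exe download, the extr6mchf.com subdomain and the onion.to host, and leaves the benign and look-alike lines alone.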
