From: Valarie Davenport
Date: 2 December 2015 at 11:59
Subject: November Invoice #60132748
Hello ,
Please review the attached copy of your Electronic document.
A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
Thank you for your business.
Attached is a file invoice_60132748.zip containing a malicious obfuscated script INVOICE_main_BD3847636213.js [Pastebin obfuscated / deobfuscated], which downloads a malicious file from:
74.117.183.84/76.exe?1
It also tries to contact 5.39.222.193, but this times out. An attempt to download from bestsurfinglessons.com comes up with a 404 error.
The Malwr report and Hybrid Analysis report indicate that this communicates with the following compromised domains:
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
Both of those reports identify this as the TeslaCrypt ransomware.
Furthermore, the Hybrid Analysis report also shows other traffic to:
tsbfdsv.extr6mchf.com
alcov44uvcwkrend.onion.to
rbtc23drs.7hdg13udd.com
MD5s:
72c15108b68a0f07fdc4d17bd58aa368
0352acd36fedd29e12aceb0068c66b49
f16692fc9170ff68321a5d060b93e2e7
Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
extr6mchf.com
alcov44uvcwkrend.onion.to
7hdg13udd.com
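A blocklist is only useful if it is actually checked against traffic. The following script is an added example (not part of the original post) that loads the indicators above and scans proxy log lines for matches. It treats the bare domains on the list as suffixes, so a hit on tsbfdsv.extr6mchf.com is attributed to the extr6mchf.com entry, while a look-alike such as notccfinance.it does not match ccfinance.it. The log format and the sample lines are constructed for the example; only the indicators come from the post.

```python
import ipaddress
import re

# Indicators copied from the recommended blocklist in the post.
BLOCKLIST = [
    "74.117.183.84",
    "5.39.222.193",
    "ccfinance.it",
    "ecaequeeessa.com",
    "schonemaas.nl",
    "cic-la-banque.org",
    "extr6mchf.com",
    "alcov44uvcwkrend.onion.to",
    "7hdg13udd.com",
]

# Constructed sample proxy log: "timestamp client-ip destination-host status url".
# These lines are made up for the example; they are not real captured traffic.
SAMPLE_LOG = """\
2015-12-02T12:01:03Z 10.0.0.15 74.117.183.84 200 http://74.117.183.84/76.exe?1
2015-12-02T12:01:09Z 10.0.0.15 www.example.com 200 http://www.example.com/
2015-12-02T12:01:14Z 10.0.0.15 tsbfdsv.extr6mchf.com:80 200 http://tsbfdsv.extr6mchf.com/
2015-12-02T12:01:20Z 10.0.0.22 bestsurfinglessons.com 404 http://bestsurfinglessons.com/76.exe
2015-12-02T12:01:25Z 10.0.0.22 notccfinance.it 200 http://notccfinance.it/
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})\s+(?P<url>\S+)$"
)


def split_indicators(indicators):
    """Separate IP addresses from domain names (domains lower-cased, trailing dot removed)."""
    ips, domains = set(), set()
    for item in indicators:
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            domains.add(item.lower().rstrip("."))
    return ips, domains


def normalise_host(host):
    """Lower-case the host, drop a trailing :port and a trailing dot (IPv6 literals not handled)."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def match_indicator(host, ips, domains):
    """Return the blocklist entry that covers host, or None.

    IPs must match exactly; a domain entry also covers all of its subdomains,
    but only on a label boundary, so notccfinance.it does not match ccfinance.it.
    """
    host = normalise_host(host)
    if host in ips:
        return host
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines, indicators):
    """Scan log lines and return (line_no, client, host, matched_indicator) for each hit."""
    ips, domains = split_indicators(indicators)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        indicator = match_indicator(m.group("host"), ips, domains)
        if indicator:
            hits.append((lineno, m.group("src"), m.group("host"), indicator))
    return hits


if __name__ == "__main__":
    for lineno, src, host, indicator in scan_log(SAMPLE_LOG.splitlines(), BLOCKLIST):
        print(f"line {lineno}: {src} -> {host} matched blocklist entry {indicator}")
```

Run against the sample, the scan flags the download of 76.exe from 74.117.183.84 and the contact with tsbfdsv.extr6mchf.com, and ignores the look-alike domain and the host that only returned a 404. The same suffix matching applies to DNS logs: feed it the queried names instead of proxy hosts.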