Thursday 21 January 2016

Malware spam: "invoices@ebillinvoice.com" / "201552 ebill"

This fake financial email comes with a malicious attachment.

From     invoices@ebillinvoice.com
Date     Thu, 21 Jan 2016 15:13:36 +0530
Subject     201552 ebill

Customer No         : 8652
Email address       : [redacted]
Attached file name  : 8652_201552.DOC


Dear customer

Please find attached your invoice for 201552.

To manage your account online - please visit Velocity.
https://www.velocitycardmanagement.com

Alternatively please contact us on:
  invoices@ebillinvoice.com


Yours sincerely



Louisa Brown
DCI

Ground Floor, Unit 2,
Galway Technology Park,
Parkmore, Galway, H91KFD3
Company Reg No : 233354

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

There are at least three different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:

phaleshop.com/8h75f56f/34qwj9kk.exe
bolmgren.com/8h75f56f/34qwj9kk.exe
return-gaming.de/8h75f56f/34qwj9kk.exe

montaj-klimat.ru/8h75f56f/34qwj9kk.exe [spotted here]


This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54. Those reports indicate that it phones home to:

216.224.175.92 (SoftCom America Inc., US)

A contact (thank you) also pointed out some other locations the malware phones home to:

216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
216.117.130.191 (Advanced Internet Technologies Inc., US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)


The payload is the Dridex banking trojan, being sent by botnet 220.

Recommended blocklist:
216.224.175.92
216.59.16.175
216.117.130.191
202.69.40.173
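A small triage script, added here as an example and not part of the original post or of any tool it mentions: it takes the indicators listed above (the four download hosts and their shared path, the four C2 addresses, the payload MD5) and matches them against web-proxy and firewall log lines, lists the internal clients that touched any of them, and renders the recommended blocklist as iptables rules. The log lines, internal addresses and the extra download host are constructed samples, not observed traffic; matching on the download path alone is a generalisation of the post's observation that the same path is served from every host.

```python
"""Check proxy and firewall logs against the indicators in the post above.

Indicators (download hosts/path, C2 IPs, payload MD5) are copied from the
post; every log line below is a constructed sample, not real traffic.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the post
DOWNLOAD_HOSTS = {"phaleshop.com", "bolmgren.com", "return-gaming.de", "montaj-klimat.ru"}
DOWNLOAD_PATH = "/8h75f56f/34qwj9kk.exe"      # identical path on every download host
C2_IPS = {"216.224.175.92", "216.59.16.175", "216.117.130.191", "202.69.40.173"}
PAYLOAD_MD5 = "f23c05c44949c6c8b05ab54fbd9cee40"

# Constructed sample logs (not from the post): Squid-style proxy lines and
# iptables-style firewall lines; client addresses and cdn.example.net are invented.
PROXY_LOG = """\
1453370016.123 10.0.0.5 TCP_MISS/200 GET http://montaj-klimat.ru/8h75f56f/34qwj9kk.exe
1453370020.456 10.0.0.9 TCP_MISS/200 GET http://www.example.org/index.html
1453370030.789 10.0.0.5 TCP_MISS/200 GET http://cdn.example.net/8h75f56f/34qwj9kk.exe
"""
FIREWALL_LOG = """\
Jan 21 15:20:01 fw kernel: OUT=eth0 SRC=10.0.0.5 DST=216.224.175.92 PROTO=TCP DPT=443
Jan 21 15:20:05 fw kernel: OUT=eth0 SRC=10.0.0.9 DST=93.184.216.34 PROTO=TCP DPT=80
Jan 21 15:21:10 fw kernel: OUT=eth0 SRC=10.0.0.7 DST=202.69.40.173 PROTO=TCP DPT=8080
"""


def proxy_hits(log=PROXY_LOG):
    """Return (client, url, reason) for requests to a listed download host,
    or for the shared download path on any host (so a newly spotted host,
    like the fourth one in the post, is still caught)."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[4]
        u = urlparse(url)
        if u.hostname in DOWNLOAD_HOSTS:
            hits.append((client, url, "known download host"))
        elif u.path == DOWNLOAD_PATH:
            hits.append((client, url, "known download path on new host"))
    return hits


FW_RE = re.compile(r"SRC=(\S+) DST=(\S+)")


def firewall_hits(log=FIREWALL_LOG):
    """Return (src, dst) for outbound connections to a listed C2 address."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(2) in C2_IPS:
            hits.append((m.group(1), m.group(2)))
    return hits


def hash_hits(observed):
    """observed: mapping of file path -> MD5 hex (e.g. from an endpoint
    file inventory). Returns the paths whose hash is the payload MD5."""
    return sorted(p for p, h in observed.items() if h.lower() == PAYLOAD_MD5)


def affected_clients(proxy=PROXY_LOG, firewall=FIREWALL_LOG):
    """Internal hosts that touched any indicator: the triage list for IR."""
    clients = {c for c, _, _ in proxy_hits(proxy)}
    clients |= {s for s, _ in firewall_hits(firewall)}
    return sorted(clients)


def iptables_rules(ips=C2_IPS):
    """Render the post's recommended blocklist as outbound DROP rules."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for hit in proxy_hits():
        print("proxy:", hit)
    for hit in firewall_hits():
        print("firewall:", hit)
    print("clients to triage:", affected_clients())
    print("\n".join(iptables_rules()))
```

The proxy check fires on the download path even when the host is not on the list, which is how the fourth host in the post would have been found; a client appearing in `affected_clients()` warrants looking for the payload hash on disk with `hash_hits()` before the blocklist is relied on, since the blocklist only stops the C2 traffic, not a document that has already run.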