From: Darius GreenI have personally only seen two samples so far with detection rates of 2/55   . These two Malwr reports   plus some private sources indicate that the attachments download from the following locations:
Date: 12 January 2016 at 09:33
Subject: Lattitude Global Volunteering - Invoice - 3FAAB65
Please find attached a copy of your final invoice for your placement in Canada.
This invoice needs to be paid by the 18th January 2016.
Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer our bank details are.
You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
Account Name: Lattitude Global Volunteering
Bank: Barclays Bank
Sort Code: 20-71-03
Account No. 20047376
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
Visit us on Facebook
Follow us on Twitter
Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).
This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.
220.127.116.11 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
18.104.22.168 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
22.214.171.124 (ITL Company, Ukraine)
126.96.36.199 (Fortunix Networks, Netherlands)
A file kfc.exe is dropped onto the target system which has a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986. Those previous Malwr reports indicate that it phones home to a familiar IP of:
188.8.131.52 (Hetzner, Germany)