Sponsored by..

Wednesday, 10 February 2016

Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk

This spam has a malicious attachment:

From     documents@dmb-ltd.co.uk
Date     Wed, 10 Feb 2016 11:12:41 +0200
Subject     Emailing: MX62EDO 10.02.2016

Your message is ready to be sent with the following file or link


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of documents, downloading a malicious executable from the following locations:


This drops an executable with a VirusTotal detection rate of 6/55.  This malware calls back to the following IPs: (ZNET Telekom Zrt, Hungary) (Rackspace, US) (Hetzner, Germany)

The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.

Recommended blocklist:

1 comment:

Cliff Prince said...

Got one myself, today, in (March 2) my in-box. ... sender is "documents@[mydomain].com", but there's no such email address at that domain (and I should know, since I own and run it!). Topic is "Emailing: MX62EDO 01.03.2016." Attachment is "MX62EDO201603015669.zip". Didn't un-zip it (duh). Text says "scanned by Avast" but I don't use Avast. MBAM Anti-Malware Bytes and Windows Defender, do NOT find this item to be problematic. Hope they update their definitions soon.