Sponsored by..

Wednesday, 9 March 2016

Malware spam: "DOC-Z21193008" / Idris Mohammed [idrismohammed25@gmail.com]

This terse spam has a malicious attachment. There is no body text.
From:    Idris Mohammed [idrismohammed25@gmail.com]
Date:    9 March 2016 at 09:55
Subject:    DOC-Z21193008
Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
 
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe


There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:

64.76.19.251 (Impsat, Argentina)

I strongly recommend that you block traffic to that IP. Payload is likely to be the Dridex banking trojan.

UPDATE

A contact sent some more download locations (thank you!)

oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe


..and also some additional C2s..

188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)


Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234




2 comments:

Minkyu Kim said...

also bad
zapdental.com.br 108.167.188.253

Minkyu Kim said...

another
notasvet.ru 109.234.32.114