Thursday, 10 March 2016
Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"
From: Jennie bowles
Date: 10 March 2016 at 12:27
Subject: GreenLand Consulting – Unpaid Issue No. 58833
For the third time we are reminding you about your unpaid debt.
You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.
We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
Otherwise we will have to start a legal action against you.
707 Monroe St
Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results). According to these Malwr reports, these scripts attempt to download a malicious binary from the following locations:
These sites are hosted on:
126.96.36.199 (Province of British Columbia, Canada)
188.8.131.52 (Netmarlis Hosting, Turkey)
184.108.40.206 (Sadecehosting, Turkey)
220.127.116.11 (WZ Communications, US)
18.104.22.168 (Martin Andrino Ltd, Netherlands)
This Malwr report and this Hybrid Analysis report show communications with:
22.214.171.124 (PE Astakhov Pavel Viktorovich, Ukraine)
126.96.36.199 (EDIS, Italy)
188.8.131.52 (EDIS, Netherlands)
184.108.40.206 (EDIS, Spain)
220.127.116.11 (PS Internet Company LLC, Kazakhstan)
18.104.22.168 (Leaseweb, Germany)
The two executables seem different (VirusTotal results). It looks like the campaign might be dropping both ransomware (TeslaCrypt perhaps) and Dridex (banking trojan) alternately.
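As an added example, not part of the original post, the following Python script folds the two IP lists above (download hosts and post-infection C2 hosts) into one validated blocklist and runs it over a few constructed Squid-style proxy log lines to flag requests to those addresses. The log format, the sample lines and the function names are assumptions for illustration; only the IP addresses come from the post.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# IPs exactly as listed in the post: the hosts the scripts download the binary from,
# and the hosts the dropped executables communicate with. The two lists overlap,
# so they are merged into one set and all of them are treated as hostile.
DOWNLOAD_HOSTS = [
    "126.96.36.199", "188.8.131.52", "184.108.40.206",
    "220.127.116.11", "18.104.22.168",
]
C2_HOSTS = [
    "22.214.171.124", "126.96.36.199", "188.8.131.52",
    "184.108.40.206", "220.127.116.11", "18.104.22.168",
]


def build_blocklist(*lists: Iterable[str]) -> set:
    """Merge and validate the IOC lists; a typo in an IOC raises here instead of silently never matching."""
    out = set()
    for lst in lists:
        for s in lst:
            out.add(ipaddress.ip_address(s.strip()))
    return out


BLOCKLIST = build_blocklist(DOWNLOAD_HOSTS, C2_HOSTS)

# Assumed Squid "native" access.log layout:
#   timestamp elapsed client code/status bytes method URL ...
# Adjust the regex for other proxy formats.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def url_host(url: str) -> str:
    """Return the host part of a proxy URL, for both 'scheme://host/...' and CONNECT 'host:port'."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]+)", url)
    hostport = m.group(1) if m else url
    hostport = hostport.rsplit("@", 1)[-1]   # drop any userinfo
    return hostport.split(":", 1)[0]         # drop any port


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, method, url) for each request whose destination is a
    literal IP on the blocklist. Hostnames are not resolved: a domain that points at one
    of these IPs needs DNS logs or a domain list, which this function does not cover."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = url_host(m.group("url"))
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname rather than a literal IP
        if ip in BLOCKLIST:
            hits.append((m.group("ts"), m.group("client"), m.group("method"), m.group("url")))
    return hits


# Constructed sample log lines (not from the post): one download attempt to a listed host,
# one CONNECT to a listed C2 host, one benign request, one CONNECT to an unlisted IP.
SAMPLE_LOG = [
    "1457612345.123    412 10.0.0.15 TCP_MISS/200 1234 GET http://126.96.36.199/~admin/file.exe - HIER_DIRECT/126.96.36.199 application/octet-stream",
    "1457612350.456    120 10.0.0.15 TCP_TUNNEL/200 5678 CONNECT 22.214.171.124:443 - HIER_DIRECT/22.214.171.124 -",
    "1457612360.789     90 10.0.0.22 TCP_MISS/200 910 GET http://example.com/index.html - HIER_DIRECT/203.0.113.5 text/html",
    "1457612370.000     80 10.0.0.22 TCP_TUNNEL/200 222 CONNECT 203.0.113.9:443 - HIER_DIRECT/203.0.113.9 -",
]

if __name__ == "__main__":
    for ts, client, method, url in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {method} {url}")
```

Matching on literal IPs catches the download stage (the scripts fetch the binary by IP) and the CONNECT tunnels to the C2 hosts, but not requests by domain name; the domains listed in the post have to be matched separately against DNS or proxy host fields.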
These domains are also associated with some of the IPs. Consider them all to be evil: