Sponsored by..

Wednesday 20 April 2016

Malware spam: "Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]" / "Document No™2958719"

This fake financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:

From:    Accounts at Beerhouse Self Drive [accounts3965@beerhouse.co.uk]
Date:    20 April 2016 at 11:01
Subject:    Document No™2958719

Thanks for using electronic billing

Please find your document attached

Regards


Beerhouse Self Drive
In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56. The Malwr report for that document shows that it downloads a binary from:

bi.pushthetraffic.com/87ty8hbvcr44

There are probably many other download locations. This dropped file has a detection rate of 6/56. The DeepViz report and Hybrid Analysis between then identify what is likely to be Dridex, phoning home to the following servers:

193.90.12.221 (MultiNet AS, Norway)
212.126.59.41 (Letshost / Digiweb, Ireland)
93.104.211.103 (Contabo GmbH, Germany)
155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
212.50.14.39 (Computers Equipnemt, Bulgaria)
91.194.251.204 (TOV Dream Line Holding, Ukraine)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)


Recommended blocklist:
193.90.12.221
212.126.59.41
93.104.211.103
155.133.82.82
212.50.14.39
91.194.251.204
194.116.73.71
64.76.19.251



No comments: