From: adminservices@grouphomesafe.com
Date: 21 April 2016 at 10:33
Subject: "BalanceUK_INVOICE_X002380_1127878"
Thank you for placing your order with BalanceUK Ltd
Please find attached your document.
BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
Martock,
Somerset,
TA12 6HB
Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215
*** Please do not reply to this email address ***
Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.
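The nested-archive layout described above (outer ZIP → inner ZIP → .js) is easy to flag at the mail gateway without ever running the script. The following is an added example, not code from the original post: it builds a constructed attachment with the same file names as the sample (the script body is an inert placeholder) and walks the ZIP recursively, reporting any script-like member with its full nesting chain. The `SCRIPT_EXTS` list and the depth limit are my own choices.

```python
"""Flag ZIP attachments that hide a script inside a nested ZIP.

Added example, not from the original post. Builds a constructed
sample mimicking the attachment layout (outer ZIP -> inner ZIP ->
.js file) and inspects it recursively without executing anything.
"""
import io
import zipfile

# Extensions commonly used by script droppers in mail attachments (assumption)
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}


def find_script_members(data: bytes, prefix: str = "", max_depth: int = 3) -> list:
    """Return paths of script-like members in a ZIP, descending into nested ZIPs.

    Paths are reported as outer.zip/inner.zip/file.js so the analyst sees
    the whole nesting chain. Non-ZIP data and over-deep nesting are skipped,
    which also bounds the work done on deliberately recursive archives.
    """
    findings = []
    if max_depth < 0:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in zf.infolist():
        path = f"{prefix}{info.filename}"
        lower = info.filename.lower()
        if lower.endswith(".zip"):
            findings.extend(find_script_members(zf.read(info), path + "/", max_depth - 1))
        elif any(lower.endswith(ext) for ext in SCRIPT_EXTS):
            findings.append(path)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample reproducing the layout from the post (names taken from it);
    the script content is an inert placeholder, not the real downloader."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("4812610-20.04.2016.js", "// placeholder, not the malicious script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("4812610-20.04.2016.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    hits = find_script_members(build_sample_attachment(), "BalanceUK_X271897_1127878.zip/")
    print(hits)  # ['BalanceUK_X271897_1127878.zip/4812610-20.04.2016.zip/4812610-20.04.2016.js']
```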
This malicious script [pastebin] downloads an executable from:
dd.ub.ac.id/9uhg5vd3
There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:
193.90.12.221 (MultiNet AS, Norway)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload is not clear, but is probably the Dridex banking trojan.
Recommended blocklist:
193.90.12.221
200.159.128.144