From: Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br]
Date: 27 April 2016 at 12:23
Subject: Price list
Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.
The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.
Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations:
This downloads Locky ransomware. The executable then phones home to the following servers:
220.127.116.11 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
18.104.22.168 (Digital Ocean, Singapore)
22.214.171.124 (Digital Ocean, US)
126.96.36.199 (Digital Ocean, Netherlands)