From: Theodora HamerThis analysis is based on a trusted source (thank you!). Attached is a ZIP file containing a malicious script, downloading from:
Date: 25 May 2016 at 12:17
Subject: Operational Expense
Operational Expense of 7,350,80 USD has been credited from your account. For more details please refer to the report that can be found down below
alborzcrane.com/g1slEn.exe
alborzcrane.com/Z94n5r.exe
alintagranito.com/fOA8Bl.exe
alintagranito.com/xB7nku.exe
amazoo.com.br/R0koId.exe
avayeparseh.com/s0faxS.exe
buzzimports.com.au/cRQVC4.exe
buzzimports.com.au/ECScwi.exe
galabel.com/lRkuJX.exe
galabel.com/oQz26K.exe
jett.com/6APaSk.exe
kitchen38.com/HYPETS.exe
kitchen38.com/V1ygc2.exe
onestopcableshop.com/J7t6au.exe
osdc.eu/gct5TH.exe
osdc.eu/n2UuEj.exe
purfectcar.com/9OaoqM.exe
purfectcar.com/sHXqZT.exe
wisebuy.com/WiOqzB.exe
yearnjewelry.com/OnvBrc.exe
yearnjewelry.com/t8HnK3.exe
zhaoyk.com/Dmv3As.exe
zhaoyk.com/JbO9uX.exe
This drops what is apparently Locky ransomware, with a detection rate of 3/56. This phones home to:
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
This Hybrid Analysis shows the Locky ransomware in action.
Recommended blocklist:
164.132.40.47
104.131.182.103
No comments:
Post a Comment