From: Alicia Ramirez
Date: 25 May 2016 at 14:22
Subject: Weekly report
Hi [redacted],
Please find attached the Weekly report.
King regards,
Alicia Ramirez
Castle (A.M.) & Co.

There are a large number of these, each with a ZIP file attached containing a malicious script with a typical detection rate of 3/56. In this sample Malwr analysis, the script downloads a file from:
test.glafuri.net/yxk6s
There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55 and that same VirusTotal report indicates C2 traffic to:
138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)
Even though other automated analysis failed [1] [2] this time, we have previously identified two of those IPs as Locky ransomware C2 servers, so there is little doubt that this will be more of the same.
Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47
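As an added example (not part of the original post), one way to act on these indicators defensively is to run the blocklist and the download host over outbound proxy logs to find which internal machines fetched the payload or beaconed to the C2 addresses. The log lines below are constructed in Squid's native access.log layout and are not real captures.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted from the post: the payload download host and the four Locky C2 addresses.
DOWNLOAD_HOSTS = {"test.glafuri.net"}
C2_IPS = {ipaddress.ip_address(a) for a in (
    "138.201.93.46", "91.200.14.139", "104.131.182.103", "164.132.40.47")}

# Constructed sample lines in Squid native access.log layout (not real captures):
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_LOG = """\
1464179000.123 210 10.0.0.15 TCP_MISS/200 51234 GET http://test.glafuri.net/yxk6s - HIER_DIRECT/192.0.2.10 application/octet-stream
1464179005.456 15 10.0.0.15 TCP_MISS/200 512 POST http://138.201.93.46/ - HIER_DIRECT/138.201.93.46 text/html
1464179010.789 30 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1464179020.000 12 10.0.0.15 TCP_MISS/200 640 POST http://91.200.14.139/ - HIER_DIRECT/91.200.14.139 text/html
1464179030.500 9 10.0.0.31 TCP_MISS/404 300 GET http://test.glafuri.net.example.org/ - HIER_DIRECT/198.51.100.7 text/html
"""

def _as_ip(text):
    """Parse an IP literal, returning None for hostnames or junk."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def match_indicators(log_text):
    """Return (client, indicator, reason) for each line touching a listed IOC.

    Both the URL host and the peer the proxy actually connected to are checked,
    so a C2 reached via a hostname resolving to a listed address is still caught.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed or truncated line: skip rather than crash
        client, url, peer = fields[2], fields[6], fields[8]
        host = (urlsplit(url).hostname or "").lower()
        peer_ip = _as_ip(peer.split("/", 1)[-1])
        if host in DOWNLOAD_HOSTS:  # exact match only; a look-alike suffix is not a hit
            hits.append((client, host, "payload download host"))
        elif _as_ip(host) in C2_IPS or peer_ip in C2_IPS:
            indicator = str(peer_ip) if peer_ip in C2_IPS else host
            hits.append((client, indicator, "Locky C2 address"))
    return hits

def affected_clients(hits):
    """Internal hosts to triage: every client with at least one hit."""
    return sorted({client for client, _, _ in hits})
```

A client that appears with both reasons (download followed by beaconing, as 10.0.0.15 does in the sample) has most likely executed the dropper and should be isolated first.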