From: Marian Mcgowan
Date: 3 August 2016 at 11:15
Subject: Fw: New invoices
As you directed, I send the attachment containing the data about the new invoices
Attached is a randomly-named ZIP file containing a highly obfuscated .js script which, according to this Malwr analysis, downloads a binary from:
blog-aida.cba.pl/2zensi7t
Once decrypted, this yields a binary with a detection rate of 4/54. The same Malwr analysis shows it phoning home to:
93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]
This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:
185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]
Both those IPs are in known bad blocks.
Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24
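As an added example (not part of the original post), the following Python checks proxy log lines against the blocklist above and the /php/upload.php check-in path; the log format and the client addresses are constructed for illustration.

```python
import ipaddress
import re

# Blocklist recommended in the post: one host plus two /24 ranges.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("93.170.104.20/32", "185.129.148.0/24", "89.108.127.0/24")]

# Check-in path seen in the Malwr analysis on all three C2 servers.
C2_PATH = "/php/upload.php"

# Constructed sample proxy log (not from the post): client, method, URL.
SAMPLE_LOG = """\
10.0.0.15 POST http://93.170.104.20/php/upload.php
10.0.0.22 GET http://blog-aida.cba.pl/2zensi7t
10.0.0.31 POST http://185.129.148.77/php/upload.php
10.0.0.40 GET http://example.org/index.html
10.0.0.51 POST http://89.108.127.160/php/upload.php
10.0.0.60 GET http://203.0.113.9/php/upload.php
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+https?://([^/\s]+)(/\S*)?")


def in_blocklist(host):
    """True if host is an IP literal inside one of the blocked ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an IP literal
    return any(addr in net for net in BLOCKLIST)


def scan(log):
    """Return (client, host, reason) for lines matching a post indicator."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, host, path = m.groups()
        path = path or "/"
        if in_blocklist(host):
            hits.append((client, host, "blocklisted address"))
        elif host == "blog-aida.cba.pl":
            hits.append((client, host, "known payload download host"))
        elif path == C2_PATH:
            # Same C2 path on an address outside the published ranges:
            # worth a look, since the run was already using three servers.
            hits.append((client, host, "C2-style path on unlisted host"))
    return hits
```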