Subject: images
From: "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date: Fri, May 12, 2017 7:18 pm
--
*Sophia Passmore*
Subject: please print
From: "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date: Fri, May 12, 2017 7:18 pm
--
*Roberta Pethick*
In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contain a malicious JavaScript file named 20170821_08914700.js that looks like this [pastebin].
Automated analysis [1] [2] shows a download from the following locations:
gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]
The Hybrid Analysis report shows an executable being dropped which is Cerber ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VirusTotal detection rate of 22/64.
Recommended blocklist:
46.4.91.144
119.28.100.249